{"id":10532,"date":"2024-12-18T11:09:10","date_gmt":"2024-12-18T11:09:10","guid":{"rendered":"\/cybersecurity-blog\/?p=10532"},"modified":"2024-12-18T11:18:43","modified_gmt":"2024-12-18T11:18:43","slug":"sandbox-use-cases-for-dfir","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/","title":{"rendered":"How DFIR Analysts Use ANY.RUN Sandbox"},"content":{"rendered":"\n<p>Recently, DFIR consultant &amp; content creator\/educator <a href=\"https:\/\/www.youtube.com\/@MyDFIR\/videos\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Steven from the YouTube channel MyDFIR<\/a><strong> <\/strong>released a <a href=\"https:\/\/www.youtube.com\/watch?v=6csFShaEHrk\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">new video<\/a> showing how DFIR professionals can leverage the <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Sandbox<\/a> to efficiently analyze malware and extract actionable intelligence.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The video provides a step-by-step guide on investigating real-world threats, including how to quickly identify and analyze <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-collect-iocs-in-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Indicators of Compromise<\/a> (IOCs) and uncover key behavioral insights.&nbsp;<\/p>\n\n\n\n<p>If you\u2019re looking to improve your investigation workflows and see practical examples of malware analysis in action, we highly recommend watching the video to follow along with the expert\u2019s process.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s our overview of the key highlights covered in the video.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN Sandbox&nbsp;<\/h2>\n\n\n\n<p>The <a 
href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Sandbox<\/a> is an <a href=\"https:\/\/any.run\/cybersecurity-blog\/interactive-malware-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">interactive<\/a> malware analysis platform that enables security professionals to analyze malicious files in a live, user-driven environment. It allows DFIR professionals to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uncover the behaviors and tactics of malware.&nbsp;<\/li>\n\n\n\n<li>Quickly gather critical Indicators of Compromise (IOCs).&nbsp;<\/li>\n\n\n\n<li>Explore malware configurations and identify threats in real time.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>By providing detailed insights through features like process trees, network monitoring, and integrated <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-ttps-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">ATT&amp;CK mapping<\/a>, ANY.RUN helps analysts stay ahead of emerging threats and streamline investigations.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Use Case 1: Investigating Formbook Infostealer&nbsp;<\/h2>\n\n\n\n<p>Formbook is a widespread infostealer that targets credentials, cookies, and other sensitive data. Here\u2019s how DFIR professionals can use <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktoregistration#register\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> to analyze it.\u00a0<\/p>\n\n\n\n<p>Imagine you have received the following alert: malware detected and quarantined.&nbsp;<\/p>\n\n\n\n<p>The alert also provides details such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hostname: SALESPC-01&nbsp;<\/li>\n\n\n\n<li>User: Bobby&nbsp;&nbsp;<\/li>\n\n\n\n<li>Filename: suchost.exe&nbsp;&nbsp;<\/li>\n\n\n\n<li>Current Directory: C:\\Users\\Bobby\\Downloads&nbsp;<\/li>\n\n\n\n<li>SHA256: 472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Use this information to initiate your investigation.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Check Previous Analyses&nbsp;<\/h3>\n\n\n\n<p>The first thing you should do is check if ANY.RUN analyzed this file previously. 
Navigate to ANY.RUN\u2019s <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktoreports\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Reports <\/em>section<\/a>, located on the left-hand side.\u00a0\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-1024x580.png\" alt=\"\" class=\"wp-image-10541\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-1024x580.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-1536x870.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-2048x1160.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-10-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Reports section inside ANY.RUN<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Search for the hash of the flagged file. If the file has already been analyzed, review the existing reports. Otherwise, upload the file to initiate a fresh analysis.&nbsp;<\/p>\n\n\n\n<p>In our case, there are 2 analysis sessions found from October 2024. Let\u2019s choose the first report and look closer at what\u2019s inside. 
<\/p>\n\n\n\n<p>After clicking on the existing entry, you\u2019ll be taken to the recorded analysis session, which presents a lot of useful information.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"603\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-1024x603.png\" alt=\"\" class=\"wp-image-10542\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-1024x603.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-768x452.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-1536x904.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-2048x1205.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagea-1-740x435.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Public submissions related to a specific IOC<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s use <a href=\"https:\/\/app.any.run\/tasks\/488981a6-2681-4efc-ab96-00215d866a56\" target=\"_blank\" rel=\"noreferrer noopener\">this analysis<\/a> to see how the sandbox can help us.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Examine Initial Results<\/h3>\n\n\n\n<p>ANY.RUN provides an overview of the analysis, including malicious activity indicators, the operating system used for analysis (e.g., Windows 10 64-bit), and a set of options, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Get Sample:<\/strong> Download the file for deeper 
analysis.&nbsp;<\/li>\n\n\n\n<li><strong>IOC Tab:<\/strong> View all related IOCs.&nbsp;<\/li>\n\n\n\n<li><strong>MalConf:<\/strong> Explore indicators extracted from the malware\u2019s configuration.&nbsp;<\/li>\n\n\n\n<li><strong>Restart:<\/strong> Re-run the analysis if needed.&nbsp;<\/li>\n\n\n\n<li><strong>Text Report:<\/strong> Get a detailed overview of findings.&nbsp;<\/li>\n\n\n\n<li><strong>Graph:<\/strong> Visualize the process tree and events.&nbsp;<\/li>\n\n\n\n<li><strong>ATT&amp;CK Tab:<\/strong> Review associated tactics, techniques, and procedures (TTPs).&nbsp;<\/li>\n\n\n\n<li><strong>AI Summary:<\/strong> Summarize key findings.&nbsp;<\/li>\n\n\n\n<li><strong>Export Options:<\/strong> Save results in various formats like STIX or MISP JSON.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"349\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3-1024x349.png\" alt=\"\" class=\"wp-image-10544\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3-1024x349.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3-300x102.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3-768x262.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3-370x126.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3-270x92.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3-740x252.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3-3.png 1138w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious activity identified by ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Analyze the Process 
Tree&nbsp;<\/h3>\n\n\n\n<p>Study the parent-child relationship in the process tree to understand how the file behaves.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"611\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-1024x611.png\" alt=\"\" class=\"wp-image-10547\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-1024x611.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-768x458.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-1536x916.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-2048x1222.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imageb-1-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Process tree&nbsp;inside ANY.RUN<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>For example, <a href=\"https:\/\/any.run\/malware-trends\/formbook\" target=\"_blank\" rel=\"noreferrer noopener\">Formbook<\/a> may create a registry key to establish <a href=\"https:\/\/any.run\/cybersecurity-blog\/6-persistence-mechanisms-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">persistence<\/a>. 
By clicking on the process, you can view command-line details and trace the registry key creation and file execution paths.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"912\" height=\"488\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-3.png\" alt=\"\" class=\"wp-image-10548\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-3.png 912w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-3-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-3-768x411.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-3-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-3-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image5-3-740x396.png 740w\" sizes=\"(max-width: 912px) 100vw, 912px\" \/><figcaption class=\"wp-element-caption\"><em>Process of creating registry key displayed inside ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Investigate Network Activity&nbsp;<\/h3>\n\n\n\n<p>Use the <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\">network-related<\/a> tabs to track events like HTTP requests and connections. ANY.RUN simplifies this by flagging requests with reputation icons:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Green checkmark:<\/strong> Known and safe.&nbsp;<\/li>\n\n\n\n<li><strong>Question mark:<\/strong> Unknown.&nbsp;<\/li>\n\n\n\n<li><strong>Fire icon:<\/strong> Malicious. 
<\/li>\n<\/ul>\n\n\n\n<p>Document any flagged IOCs, such as suspicious IP addresses or domains, and cross-check them within your environment.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"609\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-1024x609.png\" alt=\"\" class=\"wp-image-10551\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-1024x609.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-300x178.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-768x456.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-1536x913.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-2048x1217.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-370x220.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-270x160.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagec-740x440.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Reputation icons for faster malware analysis<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Leverage Threat Hunting Features<\/h3>\n\n\n\n<p>Utilize tabs like <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>MalConf<\/em><\/a> and <em>ATT&amp;CK<\/em> to uncover additional insights. 
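<\/p>\n\n\n\n<p>The walkthrough recommends cross-checking the network IOCs flagged by the sandbox against your own environment. Below is an added example of how to script that step; it was written for this article and is not code from the video or from ANY.RUN. The two domains, the IP address and the proxy and DNS log lines are constructed for illustration, not the indicators from the analysis sessions linked on this page. The check matches DNS lookups on an IOC domain or any subdomain of it, and connection records on an IOC IP, then reports which hosts touched which indicator.<\/p>\n\n

```python
import ipaddress
from collections import defaultdict

# IOCs as you would copy them from the sandbox IOC tab. Constructed for this
# example; not the indicators from the sessions referenced in the article.
SANDBOX_IOCS = {
    'domains': {'update-check.example', 'cdn-metrics.example'},
    'ips': {'203.0.113.45'},
}

# Constructed proxy/DNS log extract in a simple space-separated layout:
# timestamp source_host record_type value
SAMPLE_LOGS = '''
2024-12-16T09:12:01Z SALESPC-01 dns update-check.example
2024-12-16T09:12:02Z SALESPC-01 conn 203.0.113.45
2024-12-16T09:15:44Z HR-LAPTOP-07 dns mail.example.org
2024-12-16T10:01:10Z FIN-PC-03 dns api.update-check.example
2024-12-16T10:30:00Z SALESPC-01 dns cdn-metrics.example
2024-12-17T08:00:00Z HR-LAPTOP-07 conn 198.51.100.9
'''


def normalise_domain(name):
    # Case-insensitive comparison and no trailing dot, as logs often have both.
    return name.strip().lower().rstrip('.')


def match_domain(value, ioc_domains):
    # Exact match or a subdomain of an IOC domain (api.update-check.example
    # hits update-check.example). Anchoring on the label boundary avoids a
    # plain substring test matching something like notupdate-check.example.
    value = normalise_domain(value)
    for ioc in ioc_domains:
        ioc = normalise_domain(ioc)
        if value == ioc or value.endswith('.' + ioc):
            return ioc
    return None


def match_ip(value, ioc_ips):
    # Parse first so that malformed values never raise mid-investigation and
    # so that equivalent textual forms compare equal.
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(addr) if str(addr) in ioc_ips else None


def cross_check(log_text, iocs):
    # Return one record per log line that touched an IOC.
    hits = []
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, host, rtype, value = parts
        if rtype == 'dns':
            matched = match_domain(value, iocs['domains'])
        else:
            matched = match_ip(value, iocs['ips'])
        if matched:
            hits.append({'timestamp': ts, 'host': host, 'type': rtype,
                         'value': value, 'ioc': matched})
    return hits


def affected_hosts(hits):
    # Collapse the hit list into host -> sorted list of IOCs it contacted,
    # which is the shape a scoping or containment ticket needs.
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit['host']].add(hit['ioc'])
    return {host: sorted(iocs) for host, iocs in sorted(by_host.items())}


if __name__ == '__main__':
    found = cross_check(SAMPLE_LOGS, SANDBOX_IOCS)
    for hit in found:
        print(hit['timestamp'], hit['host'], hit['type'], hit['value'], '->', hit['ioc'])
    print('Affected hosts:', affected_hosts(found))
```

<p>Two caveats apply when using the output. Network indicators recorded in an analysis session from October may have rotated by the time of the alert, so treat the sandbox IOCs as a starting point rather than a complete list of what to look for. And before blocking a flagged domain outright, check that it is not shared infrastructure such as a CDN or a popular hosting service, since the sandbox reputation icon describes the request it saw, not every legitimate use of that domain.<\/p>\n\n\n\n<p>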
For instance, <em>MalConf <\/em>may reveal hardcoded strings or configurations that can aid in threat hunting.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-1024x683.png\" alt=\"\" class=\"wp-image-10553\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-1024x683.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-300x200.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-768x512.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-1536x1024.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-370x247.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-270x180.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged-740x493.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imaged.png 1938w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware configuration tab displayed in ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The <em>ATT&amp;CK<\/em> tab provides a breakdown of associated TTPs, helping analysts understand how the malware evades detection or escalates privileges.&nbsp;<\/p>\n\n\n\n<p>In the current analysis session, these are the TTPs the sandbox identified:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-1024x421.png\" alt=\"\" class=\"wp-image-10555\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-1024x421.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-300x123.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-768x316.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-1536x631.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-2048x842.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-370x152.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-270x111.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagee-740x304.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TTPs related to Formbook analysis session<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">AI Summary&nbsp;<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/any.run\/cybersecurity-blog\/private-ai-for-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">AI-powered summary<\/a> distills the technical findings into easy-to-understand insights. 
This is particularly beneficial for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quickly understanding the file\u2019s behavior without diving into the technical minutiae.<\/li>\n\n\n\n<li>Assisting junior analysts or teams new to malware analysis by providing clear explanations of what the file is doing.<\/li>\n<\/ul>\n\n\n\n<p>Treat the summary as a guide to the raw data rather than a substitute for it, and confirm anything that goes into a report against the process tree and network tabs it was derived from.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"505\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-1024x505.png\" alt=\"\" class=\"wp-image-10558\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-1024x505.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-1536x758.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-2048x1010.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-370x182.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/imagef-740x365.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>AI summary of processes inside ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By leveraging these features, DFIR professionals can perform detailed, thorough, and efficient malware analysis, tailoring their investigations to the specific needs of their organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Use Case 2: Analyzing Lumma Stealer with Advanced Features<\/h2>\n\n\n\n<p>The next use case walks through analyzing a file in the ANY.RUN sandbox, this time a different infostealer, <a href=\"https:\/\/any.run\/malware-trends\/lumma\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Lumma Stealer<\/strong><\/a>, which likewise exfiltrates data from infected hosts.<\/p>\n\n\n\n<p>For this demonstration the free plan is used, but the capabilities of the paid plans are pointed out where they differ.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Uploading a File to ANY.RUN<\/h3>\n\n\n\n<p>To analyze a file in ANY.RUN, start by selecting the <em>Submit File<\/em> option (one of the three submission types offered).<\/p>\n\n\n\n<p>When uploading a file, keep in mind that as a free user your analysis will be <strong>public<\/strong>, meaning anyone can view it. Avoid uploading sensitive data. 
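<\/p>\n\n\n\n<p>Two steps in this walkthrough are worth scripting before anything leaves the analyst machine: confirming that the quarantined file really carries the SHA256 quoted in the alert before you search the Reports section for it (use case 1 above), and making sure a file you are about to submit publicly contains nothing organisation-specific. The following is an added example written for this article, not code from the video or from ANY.RUN. The sample bytes, the corp.example domain and the SALESPC- hostname pattern are constructed assumptions; substitute your own domain, naming scheme and any other identifiers that must never appear in a public report.<\/p>\n\n

```python
import hashlib
import re

# Constructed stand-in for the quarantined file. It is not real Formbook or
# Lumma content, just bytes with an embedded corporate e-mail address and the
# hostname from the alert, so the scan below has something to find.
SAMPLE_FILE = (
    b'MZ' + b'A' * 64
    + b'Report-To: bobby.smith@corp.example;'
    + b'Host: SALESPC-01;'
    + b'B' * 64
)

# SHA256 quoted in the alert in use case 1 of the article.
ALERT_SHA256 = '472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd'

# Organisation-specific patterns. The corp.example domain and the SALESPC-
# prefix are assumptions made for this example.
SENSITIVE_PATTERNS = {
    'email': re.compile(rb'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+[.][A-Za-z]{2,}'),
    'internal_domain': re.compile(rb'[A-Za-z0-9.-]*corp[.]example'),
    'hostname': re.compile(rb'SALESPC-[0-9]{2}'),
}


def sha256_hex(data):
    # The value to paste into the sandbox Reports search.
    return hashlib.sha256(data).hexdigest()


def hash_matches_alert(data, alert_sha256):
    # Confirm the file on disk is the one the alert refers to before searching
    # for it; quarantine tooling may rename or wrap files, and a mismatch means
    # you would be researching the wrong sample.
    return sha256_hex(data) == alert_sha256.strip().lower()


def find_sensitive_strings(data):
    # Scan the raw bytes, not just printable strings, so identifiers embedded
    # in document metadata or resources are caught too.
    findings = {}
    for label, pattern in SENSITIVE_PATTERNS.items():
        hits = sorted({m.group(0).decode('ascii', 'replace')
                       for m in pattern.finditer(data)})
        if hits:
            findings[label] = hits
    return findings


def presubmission_check(data, alert_sha256):
    findings = find_sensitive_strings(data)
    return {
        'sha256': sha256_hex(data),
        'hash_matches_alert': hash_matches_alert(data, alert_sha256),
        'findings': findings,
        # Public submission is only acceptable when nothing identifying was
        # found; otherwise use a private analysis or consult the team first.
        'ok_for_public_submission': not findings,
    }


if __name__ == '__main__':
    result = presubmission_check(SAMPLE_FILE, ALERT_SHA256)
    print('SHA256 to search in Reports:', result['sha256'])
    print('Matches alert hash:', result['hash_matches_alert'])
    for label, hits in result['findings'].items():
        print(f'  {label}: {hits}')
    print('OK for public submission:', result['ok_for_public_submission'])
```

<p>The pattern list is deliberately small; the point is that the decision to submit publicly is made by a repeatable check rather than by eye, and that the hash you search for is computed from the actual bytes rather than copied from a ticket. A file that fails the check is a candidate for a private analysis on a paid plan, or for sharing only the hash and IOCs instead of the sample.<\/p>\n\n\n\n<p>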
Always consult with your team if unsure.<\/p>\n\n\n\n<p>The paid plans, however, offer privacy options that restrict access to your analysis.<\/p>\n\n\n\n<p>After selecting the file, you\u2019ll see two key options:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Deep analysis:<\/strong> Ideal for file-based malware investigations.<\/li>\n\n\n\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/safebrowsing\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Safebrowsing<\/strong><\/a><strong>:<\/strong> Suitable for fast URL-based analysis.<\/li>\n<\/ol>\n\n\n\n<p>For this case, we\u2019re performing Deep Analysis on the Lumma Stealer sample.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/44effc7d-f814-476e-a874-fa277365969e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Explore the entire analysis session<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"789\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9-1024x789.png\" alt=\"\" class=\"wp-image-10536\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9-1024x789.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9-300x231.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9-768x592.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9-370x285.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9-270x208.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9-740x570.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image-9.png 1257w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Configuration options for a new analysis session<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Configuration Options<\/h3>\n\n\n\n<p>ANY.RUN lets you customize execution and environment settings to reproduce the conditions of the real incident. For instance, you can pass custom command-line arguments to trigger behaviors the malware only shows when launched a certain way.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The free plan offers 60 seconds of analysis.<\/li>\n\n\n\n<li>With a paid plan, you can extend the run to 10+ minutes for deeper analysis.<\/li>\n<\/ul>\n\n\n\n<p>You can also choose the directory the file is executed from, for instance the temp directory, the desktop, the Downloads folder, or AppData. Matching the location the alert reported (here, the user\u2019s Downloads folder) is a sensible default.<\/p>\n\n\n\n<p>For network traffic, the following options are available:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/mitm-proxy-fake-net\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>FakeNet<\/strong><\/a><strong>:<\/strong> Intercepts the sample\u2019s outbound connections and answers them with fake responses, so the malware keeps running and reveals the addresses it tries to contact without reaching real infrastructure.<\/li>\n\n\n\n<li><strong>TOR Routing:<\/strong> Routes traffic through Tor for anonymity.<\/li>\n\n\n\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/residential-proxy-for-your-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Residential Proxy<\/strong><\/a>: Assigns a residential IP to your VM, which helps with samples that refuse to run from data-center address ranges.<\/li>\n<\/ul>\n\n\n\n<p>Then choose the operating system, such as Windows 7 (32-bit), <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows-10-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows 10<\/a> (64-bit), or Ubuntu 22.04. 
The paid plan also offers <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows-11-malware-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows 11<\/a>.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Running the Analysis&nbsp;<\/h3>\n\n\n\n<p>Once configurations are set, click&nbsp;<strong><em>Run Analysis<\/em><\/strong>. If you decide to go with the <em>Public<\/em> mode, a warning will remind you that the analysis data will be publicly accessible. To make your analysis private, you will need to get a <a href=\"https:\/\/app.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktoplans\" target=\"_blank\" rel=\"noreferrer noopener\">Hunter or Enterprise<\/a> plan subscription.&nbsp;<\/p>\n\n\n\n<p>The sandbox begins dynamic analysis, executing the file and recording all processes, behaviors, and network activities.&nbsp;<\/p>\n\n\n\n<p>A timer (top-right) shows the remaining analysis duration. You can&nbsp;<strong>add time<\/strong> to capture extended malware behaviors.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Observing Results in Real Time&nbsp;<\/h3>\n\n\n\n<p>Once the analysis begins, you can interact with the sandbox environment. 
Have a look at the parent-child relationships of the processes the malware spawns.<\/p>\n\n\n\n<p>In the top-right corner, the sandbox already tags the activity as Lumma and flags possible phishing.<\/p>\n\n\n\n<p>It has also detected a domain used for the C2 connection, surfaced through a Suricata rule that fired on the traffic:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"697\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11-1024x697.png\" alt=\"\" class=\"wp-image-10562\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11-1024x697.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11-300x204.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11-768x523.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11-370x252.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11-270x184.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11-740x504.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image11.png 1354w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule triggered by Lumma malware<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>With a paid plan you can also open this particular <a href=\"https:\/\/any.run\/cybersecurity-blog\/detection-with-suricata-ids\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata<\/a> rule and see the details it matched on:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"729\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12-1024x729.png\" alt=\"\" class=\"wp-image-10564\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12-1024x729.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12-300x214.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12-768x547.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12-370x263.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12-270x192.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12-740x527.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image12.png 1351w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule details available for Hunter and Enterprise users<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Extracting IOCs and Key Artifacts&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"734\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07-1024x734.png\" alt=\"\" class=\"wp-image-10568\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07-1024x734.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07-300x215.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07-768x551.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07-370x265.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07-270x194.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07-740x531.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/Screenshot-from-2024-12-18-13-11-07.png 1358w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The sandbox lists malicious IOCs that can be used to detect the threat<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once the analysis completes, go to the&nbsp;<em>IOC<\/em> tab&nbsp;to extract key indicators, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IP addresses&nbsp;<\/li>\n\n\n\n<li>Domains&nbsp;<\/li>\n\n\n\n<li>File hashes&nbsp;<\/li>\n\n\n\n<li>URLs&nbsp; &nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why DFIR Professionals Rely on ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN\u2019s real-time, interactive capabilities make it a favorite among DFIR experts. Here\u2019s why:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Speed:<\/strong> Analyze malware behavior and extract IOCs faster than ever.&nbsp;<\/li>\n\n\n\n<li><strong>Ease of use:<\/strong> Its intuitive interface works for both seasoned analysts and newcomers.&nbsp;<\/li>\n\n\n\n<li><strong>Flexibility:<\/strong> From free plans to enterprise solutions, ANY.RUN fits teams of all sizes.&nbsp;<\/li>\n\n\n\n<li><strong>Threat intelligence integration:<\/strong> Enrich your investigations with additional context to ensure thorough results.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. 
Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds<\/li>\n\n\n\n<li>Interact with samples in real time<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior<\/li>\n\n\n\n<li>Collaborate with your team&nbsp;<\/li>\n\n\n\n<li>Scale as you need<\/li>\n<\/ul>\n\n\n\n<p><a 
href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dfir_use_cases&amp;utm_term=181224&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Get 14-day free trial of ANY.RUN&#8217;s Interactive Sandbox \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, DFIR consultant &amp; content creator\/educator Steven from the YouTube channel MyDFIR released a new video showing how DFIR professionals can leverage the ANY.RUN Sandbox to efficiently analyze malware and extract actionable intelligence.&nbsp;&nbsp; The video provides a step-by-step guide on investigating real-world threats, including how to quickly identify and analyze Indicators of Compromise (IOCs) and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":10575,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-10532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How DFIR Analysts Use ANY.RUN Sandbox - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Check out practical examples of how DFIR analysts use a malware sandbox in their work to analyze cyber threats.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How DFIR Analysts Use ANY.RUN Sandbox\",\"datePublished\":\"2024-12-18T11:09:10+00:00\",\"dateModified\":\"2024-12-18T11:18:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/\"},\"wordCount\":1652,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/\",\"name\":\"How DFIR Analysts Use ANY.RUN Sandbox - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-12-18T11:09:10+00:00\",\"dateModified\":\"2024-12-18T11:18:43+00:00\",\"description\":\"Check out practical examples of how DFIR analysts use a malware sandbox in their work to analyze cyber 
threats.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How DFIR Analysts Use ANY.RUN Sandbox\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How DFIR Analysts Use ANY.RUN Sandbox - ANY.RUN&#039;s Cybersecurity Blog","description":"Check out practical examples of how DFIR analysts use a malware sandbox in their work to analyze cyber threats.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How DFIR Analysts Use ANY.RUN Sandbox","datePublished":"2024-12-18T11:09:10+00:00","dateModified":"2024-12-18T11:18:43+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/"},"wordCount":1652,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/","url":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/","name":"How DFIR Analysts Use ANY.RUN Sandbox - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-12-18T11:09:10+00:00","dateModified":"2024-12-18T11:18:43+00:00","description":"Check out practical examples of how DFIR analysts use a malware sandbox in their work to analyze cyber threats.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/sandbox-use-cases-for-dfir\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity 
Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"How DFIR Analysts Use ANY.RUN Sandbox"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10532"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/pos
t"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=10532"}],"version-history":[{"count":23,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10532\/revisions"}],"predecessor-version":[{"id":10580,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/10532\/revisions\/10580"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/10575"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=10532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=10532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=10532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}