What You'll Learn
- Navigate and interpret reports from major sandbox platforms: Any.Run, Hybrid Analysis, VirusTotal, Joe Sandbox, and CAPE
- Read an Any.Run report including process tree, network activity, file activity, IOC extraction, and MITRE ATT&CK mapping
- Read a Hybrid Analysis report including behavior indicators, AV detection consensus, and YARA rule matches
- Read a VirusTotal report including detection ratio, behavior tab, relations tab, and community comments
- Extract actionable IOCs from sandbox reports for blocking and detection
- Build a complete malware analysis report combining executive summary, static findings, dynamic findings, IOC table, ATT&CK mapping, and detection recommendations
- Connect malware analysis findings to detection engineering by writing YARA and Sigma rules from analysis output
- Apply the end-to-end malware analysis workflow: static → dynamic → sandbox → report
You have learned to analyze malware statically (strings, hashes, PE structure), dynamically (process, file, network, registry monitoring), and to dissect malicious documents. But most SOC teams do not run every sample through a manual analysis workflow. They submit samples to automated sandboxes and read the reports. This lesson teaches you to read those reports like a senior analyst — extracting what matters, ignoring what does not, and turning automated output into actionable intelligence.
Major Sandbox Platforms
| Platform | Type | Strengths | Limitations |
|---|---|---|---|
| Any.Run | Interactive cloud sandbox | Real-time interaction, process tree visualization, network capture | Free tier limited to Windows 7, public submissions |
| Hybrid Analysis | Automated cloud sandbox (CrowdStrike Falcon) | Deep behavioral analysis, YARA matching, AV consensus | Less interactive than Any.Run |
| VirusTotal | Multi-engine AV scanner + sandbox | 70+ AV engines, community intelligence, relationship mapping | Sandbox behavior data less detailed than dedicated platforms |
| Joe Sandbox | Enterprise automated sandbox | Comprehensive reports, evasion detection, multi-OS | Paid platform, complex reports |
| CAPE | Open-source automated sandbox (Cuckoo fork) | Self-hosted, customizable, payload extraction | Requires infrastructure to run |
Public vs. private submissions. Free tiers on Any.Run and Hybrid Analysis make your submission public — anyone can see the sample and your analysis. If you are analyzing malware from an active incident at your organization, use a private submission (paid tier) or a self-hosted sandbox like CAPE. Submitting sensitive samples publicly alerts the attacker that their malware has been detected.
Reading an Any.Run Report
Any.Run provides the most visual, interactive sandbox experience. A typical report contains these sections:
Process Tree
The process tree is the first thing to examine. It shows every process that executed, parent-child relationships, and which processes were flagged as malicious:
invoice_march_2026.exe [MALICIOUS]
├─ cmd.exe /c copy payload.dat %TEMP%\svchost.exe
│  └─ %TEMP%\svchost.exe [MALICIOUS]
│     ├─ powershell.exe -enc JABjAGwA... [SUSPICIOUS]
│     └─ schtasks.exe /create /sc minute /tn "Update" ... [SUSPICIOUS]
└─ cmd.exe /c del /f invoice_march_2026.exe [self-deletion]
What to extract from the process tree:
| Element | What It Tells You |
|---|---|
| Root process | The initial sample execution |
| Child processes | Dropped payloads, command interpreters, system tools |
| Command-line arguments | Encoded commands, file paths, scheduled tasks |
| Process tags (MALICIOUS/SUSPICIOUS) | Any.Run's verdict based on behavioral rules |
| Process injection indicators | Hollowed or injected processes (marked differently) |
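As an added example (not part of the original lesson), the following Python parses a process tree in the Any.Run text layout shown above into parent/child links and pulls out the command-line evidence the table lists, tagging each finding with the ATT&CK technique this lesson later maps it to; the tree is a constructed sample, not a real report.

```python
import re
from dataclasses import dataclass

# Constructed Any.Run-style process tree in the format shown above (sample input, not a real report).
SAMPLE_TREE = """\
invoice_march_2026.exe [MALICIOUS]
├─ cmd.exe /c copy payload.dat %TEMP%\\svchost.exe
│  └─ %TEMP%\\svchost.exe [MALICIOUS]
│     ├─ powershell.exe -enc JABjAGwA... [SUSPICIOUS]
│     └─ schtasks.exe /create /sc minute /tn "Update" ... [SUSPICIOUS]
└─ cmd.exe /c del /f invoice_march_2026.exe [self-deletion]
"""

@dataclass
class Proc:
    depth: int
    cmdline: str
    tag: str                 # Any.Run verdict tag such as MALICIOUS, or "" if untagged
    parent: "Proc | None"

    @property
    def image(self) -> str:
        """First command-line token without its directory prefix, lower-cased."""
        return self.cmdline.split()[0].rsplit("\\", 1)[-1].lower()

# box-drawing prefix, then the command line, then an optional trailing [tag]
LINE_RE = re.compile(r"^([├└│─ ]*)(.*?)(?:\s+\[([\w-]+)\])?$")

def parse_tree(text: str) -> list[Proc]:
    """Each tree level is three characters wide ('├─ ', '│  ', '└─ ', '   '), so depth = prefix // 3."""
    procs, stack = [], []
    for line in filter(str.strip, text.splitlines()):
        prefix, cmdline, tag = LINE_RE.match(line).groups()
        depth = len(prefix) // 3
        stack = stack[:depth]                       # unwind to this node's parent
        proc = Proc(depth, cmdline, tag or "", stack[-1] if stack else None)
        procs.append(proc)
        stack.append(proc)
    return procs

WINDOWS_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

def extract_findings(procs: list[Proc]) -> list[tuple[str, str, str]]:
    """Map command-line evidence to ATT&CK techniques; returns (technique, evidence, cmdline) in tree order."""
    root_name, findings = procs[0].image, []
    for p in procs:
        cl = p.cmdline.lower()
        if p.image == "powershell.exe" and re.search(r"\s-e(nc|ncodedcommand)?\b", cl):
            findings.append(("T1059.001", "encoded PowerShell command", p.cmdline))
        if p.image == "schtasks.exe" and "/create" in cl:
            findings.append(("T1053.005", "scheduled task created", p.cmdline))
        if p.image == "cmd.exe" and re.search(r"\bdel\b", cl) and root_name in cl:
            findings.append(("T1070.004", "original sample deletes itself", p.cmdline))
        if p.depth > 0 and p.image in WINDOWS_SYSTEM_NAMES and "system32" not in cl:
            findings.append(("T1036.005", "system binary name outside System32", p.cmdline))
    return findings
```

Call `extract_findings(parse_tree(SAMPLE_TREE))` to get the four findings for the sample tree; the heuristics are deliberately narrow and are meant to be extended with the command-line patterns your own reports surface.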
Network Activity
Any.Run captures all DNS queries, HTTP requests, and TCP/UDP connections:
DNS Requests:
update-service.xyz → 192.0.2.1 [MALICIOUS]
cdn-static.xyz → 192.0.2.2 [SUSPICIOUS]
HTTP Requests:
GET http://update-service.xyz/gate.php?id=DESKTOP-ABC123
Response: 200 OK, 2 bytes
POST http://update-service.xyz/submit.php
Request body: 8192 bytes (encrypted)
Connections:
192.0.2.1:80 (TCP) — 15 connections over 5 minutes
192.0.2.2:443 (TCP) — 1 connection, 245KB downloaded
File Activity
Shows every file created, modified, or deleted during execution:
Created:
C:\Users\admin\AppData\Local\Temp\svchost.exe (PE32, 89KB)
C:\Users\admin\AppData\Roaming\update.dat (encrypted config, 4KB)
Modified:
C:\Windows\System32\drivers\etc\hosts (added entries)
Deleted:
C:\Users\admin\Downloads\invoice_march_2026.exe (self-deletion)
IOC Extraction
Any.Run automatically extracts IOCs and tags them:
| IOC Type | Value | Tags |
|---|---|---|
| SHA256 | a1b2c3d4e5f6... | trojan, dropper |
| Domain | update-service.xyz | c2, malicious |
| Domain | cdn-static.xyz | payload-delivery |
| IP | 192.0.2.1 | c2 |
| URL | /gate.php?id= | c2-beacon |
| File | %TEMP%\svchost.exe | dropped-payload |
MITRE ATT&CK Mapping
Any.Run maps observed behaviors to ATT&CK techniques automatically:
| Tactic | Technique | Evidence |
|---|---|---|
| Execution | T1059.001 — PowerShell | powershell.exe with encoded command |
| Persistence | T1053.005 — Scheduled Task | schtasks.exe /create observed |
| Defense Evasion | T1070.004 — File Deletion | Self-deleted original sample |
| Defense Evasion | T1036.005 — Match Legitimate Name | Payload named svchost.exe |
| C2 | T1071.001 — Web Protocols | HTTP beacon to update-service.xyz |
| Exfiltration | T1041 — Exfil Over C2 Channel | POST request with 8KB encrypted data |
Reading a Hybrid Analysis Report
Hybrid Analysis (powered by CrowdStrike Falcon Sandbox) focuses on automated behavioral analysis with AV consensus:
Behavior Indicators
Hybrid Analysis assigns a threat score (0-100) based on observed behaviors. Each indicator adds points:
Threat Score: 92/100 [MALICIOUS]
Indicators:
[+25] Creates executable in user temp directory
[+20] Contacts external host via HTTP
[+15] Modifies Run registry key for persistence
[+15] Deletes original sample (anti-forensics)
[+10] Uses encoded PowerShell commands
[ +7] Creates scheduled task
AV Detection Consensus
Hybrid Analysis scans the sample with multiple AV engines and reports the consensus:
AV Detection: 42/68 engines detected as malicious
Detection Names:
CrowdStrike: Trojan.GenericKD.12345678
Microsoft: Trojan:Win32/AgentTesla!ml
Kaspersky: HEUR:Trojan.Win32.Generic
ESET: Win32/Spy.Agent.PNQ
AV detection names reveal the malware family. When multiple AV engines agree on a family name (like "AgentTesla" above), you have a strong indicator of the malware type. Search for that family name in threat intelligence databases to find detailed reports on capabilities, C2 infrastructure, and related campaigns.
YARA Rule Matches
Hybrid Analysis runs YARA rules against submitted samples. Matches provide instant classification:
YARA Matches:
[rule] Cobalt_Strike_Beacon — detects Cobalt Strike beacon configuration
[rule] INDICATOR_SUSPICIOUS_EXE_UPX — UPX packed executable
[rule] INDICATOR_SUSPICIOUS_GENInfoStealer — generic infostealer patterns
Reading a VirusTotal Report
VirusTotal is the broadest analysis platform — 70+ AV engines plus sandboxing, relationship mapping, and community intelligence.
Detection Ratio
The headline number: how many AV engines flag the file as malicious.
Detection: 48/72 security vendors flagged this file as malicious
First Submission: 2026-02-20 14:32:00 UTC
Last Analysis: 2026-02-23 09:15:00 UTC
A low detection ratio does not mean the file is safe. Zero-day malware, custom tooling, or freshly packed samples may show 0/72 detections on first submission. Conversely, a high ratio on a file you extracted from an incident confirms your findings. Use detection ratio as one data point, not the final verdict.
Behavior Tab
VirusTotal's sandbox runs the sample and reports behavioral observations:
| Category | Observations |
|---|---|
| Processes Created | cmd.exe, powershell.exe, schtasks.exe |
| Files Written | %TEMP%\svchost.exe, %APPDATA%\update.dat |
| Registry Keys Set | HKCU...\Run\WindowsUpdate |
| DNS Resolutions | update-service.xyz, cdn-static.xyz |
| HTTP Requests | GET /gate.php, POST /submit.php |
| Mutexes Created | Global\UpdateServiceMutex |
Relations Tab
The Relations tab maps connections between files, domains, IPs, and URLs — this is where you find the broader campaign:
Communicating Files → update-service.xyz:
a1b2c3d4... (invoice_march_2026.exe) — this sample
e5f6a7b8... (resume_updated.exe) — related sample!
c9d0e1f2... (shipping_notice.exe) — related sample!
Subdomains of update-service.xyz:
api.update-service.xyz
cdn.update-service.xyz
mail.update-service.xyz
Community Comments
Experienced analysts often leave comments identifying the malware family, related campaigns, or decryption keys:
@malware_researcher: "This is AgentTesla v3 with SMTP exfil.
Config extraction: SMTP server = mail.update-service.xyz:587
Panel: http://update-service.xyz/panel/login.php"
Extracting IOCs from Sandbox Reports
Consolidate IOCs from all sandbox sources into a single table. Remove duplicates, assign confidence levels, and add context:
| IOC Type | Value | Source | Confidence | Context |
|---|---|---|---|---|
| SHA256 | a1b2c3d4e5f6... | All platforms | High | Original sample |
| SHA256 | f7a8b9c0d1e2... | Any.Run | High | Dropped payload (svchost.exe) |
| Domain | update-service.xyz | All platforms | High | Primary C2 |
| Domain | cdn-static.xyz | Any.Run, VT | High | Payload delivery |
| IP | 192.0.2.1 | Any.Run | Medium | C2 IP (may rotate) |
| URL | /gate.php?id= | Any.Run | High | C2 beacon URI pattern |
| Registry | HKCU...\Run\WindowsUpdate | Hybrid Analysis, VT | High | Persistence mechanism |
| Mutex | Global\UpdateServiceMutex | VT | Medium | Execution mutex |
| User-Agent | Mozilla/5.0 (compatible; MSIE 10.0) | Any.Run | Medium | Outdated UA in beacon |
IOC confidence tiers matter for blocking decisions. High-confidence IOCs (file hashes, specific URLs, unique mutexes) can be blocked immediately with minimal false positive risk. Medium-confidence IOCs (IP addresses, User-Agent strings) require additional validation because they may be shared infrastructure or common values. Never block an IP or domain based on a single sandbox report without cross-referencing threat intelligence.
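The consolidation step described above, as an added example that is not part of the original lesson: per-platform IOC extracts (constructed to mirror the tables on this page, including case and trailing-dot variants of the same value) are normalised, deduplicated, scored with the confidence tiers just described, and given a blocking action, so that single-source IPs and domains are routed to cross-referencing rather than straight to a blocklist.

```python
# Constructed per-platform IOC extracts modelled on the tables above (sample data, not real reports).
# Tuples are (platform, ioc_type, value, context); note the deliberate case/trailing-dot variants.
RAW_IOCS = [
    ("Any.Run",         "sha256",     "a1b2c3d4e5f6...",                       "original sample"),
    ("Hybrid Analysis", "sha256",     "A1B2C3D4E5F6...",                       "original sample"),
    ("VirusTotal",      "sha256",     "a1b2c3d4e5f6...",                       "original sample"),
    ("Any.Run",         "sha256",     "f7a8b9c0d1e2...",                       "dropped payload (svchost.exe)"),
    ("Any.Run",         "domain",     "update-service.xyz",                    "primary C2"),
    ("Hybrid Analysis", "domain",     "update-service.xyz.",                   "primary C2"),
    ("VirusTotal",      "domain",     "UPDATE-SERVICE.XYZ",                    "primary C2"),
    ("Any.Run",         "domain",     "cdn-static.xyz",                        "payload delivery"),
    ("VirusTotal",      "domain",     "cdn-static.xyz",                        "payload delivery"),
    ("Any.Run",         "ip",         "192.0.2.1",                             "C2 IP (may rotate)"),
    ("VirusTotal",      "mutex",      "Global\\UpdateServiceMutex",            "execution mutex"),
    ("Any.Run",         "user-agent", "Mozilla/5.0 (compatible; MSIE 10.0)",   "outdated UA in beacon"),
]

def normalize(ioc_type: str, value: str) -> str:
    """Canonical form so the same indicator reported by different platforms dedupes."""
    if ioc_type == "sha256":
        return value.lower()
    if ioc_type == "domain":
        return value.lower().rstrip(".")     # case-fold and drop a trailing FQDN dot
    return value                             # mutexes and UAs are case-sensitive literals

def confidence(ioc_type: str, sources: set) -> str:
    """Confidence tiers as described above: hashes and URLs are unique to the sample;
    domains and mutexes earn High only when two or more platforms agree; IPs and
    User-Agent strings stay Medium because they may be shared infrastructure or common values."""
    if ioc_type in ("sha256", "url"):
        return "High"
    if ioc_type in ("domain", "mutex") and len(sources) >= 2:
        return "High"
    return "Medium"

def consolidate(raw: list) -> list[dict]:
    """Merge per-platform IOCs into one deduplicated table with confidence and a blocking action."""
    merged: dict = {}
    for platform, ioc_type, value, context in raw:
        key = (ioc_type, normalize(ioc_type, value))
        entry = merged.setdefault(key, {"type": ioc_type, "value": key[1],
                                        "sources": set(), "context": context})
        entry["sources"].add(platform)
    for entry in merged.values():
        entry["confidence"] = confidence(entry["type"], entry["sources"])
        entry["action"] = ("block" if entry["confidence"] == "High"
                           else "cross-reference threat intel before blocking")
    return list(merged.values())

if __name__ == "__main__":
    for row in consolidate(RAW_IOCS):
        print(f"{row['type']:<10} {row['value']:<40} {row['confidence']:<6} "
              f"{', '.join(sorted(row['sources'])):<40} {row['action']}")
```

The twelve raw rows collapse to seven indicators; the IP, mutex and User-Agent remain Medium and are flagged for validation, matching the table above.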
Building a Complete Malware Analysis Report
The analysis report is your deliverable. It must be clear enough for a junior analyst to understand and detailed enough for a detection engineer to write rules from.
Report Template
============================================================
MALWARE ANALYSIS REPORT
============================================================
Analyst: [Your Name]
Date: 2026-02-23
Classification: TROJAN / INFOSTEALER
Severity: HIGH
Sample: invoice_march_2026.exe
SHA256: a1b2c3d4e5f6...
File Size: 156,672 bytes
File Type: PE32 executable (GUI) Intel 80386
------------------------------------------------------------
1. EXECUTIVE SUMMARY
------------------------------------------------------------
The sample is a trojan dropper that delivers an AgentTesla
infostealer variant. Upon execution, it copies a payload to
%TEMP%, establishes persistence via Run key and scheduled task,
beacons to update-service.xyz every 30 seconds, and exfiltrates
clipboard data via HTTP POST. The original sample self-deletes
to hinder forensic recovery.
------------------------------------------------------------
2. STATIC ANALYSIS FINDINGS
------------------------------------------------------------
- Compiled: 2026-02-18 (likely timestomped)
- Packer: UPX 3.96 (identified by section names and entropy)
- Imports: URLDownloadToFile, ShellExecute, RegSetValueEx
- Strings: "gate.php", "update-service", base64 blob
- Sections: .text entropy 7.8 (packed), .rsrc entropy 3.2
------------------------------------------------------------
3. DYNAMIC ANALYSIS FINDINGS
------------------------------------------------------------
Process Chain:
invoice_march_2026.exe → cmd.exe → svchost.exe → powershell.exe
invoice_march_2026.exe → cmd.exe → del (self-delete)
File Activity:
CREATED %TEMP%\svchost.exe (payload, 89KB)
CREATED %APPDATA%\update.dat (encrypted config)
DELETED original sample
Network Activity:
DNS: update-service.xyz → 192.0.2.1
HTTP: GET /gate.php?id=DESKTOP-ABC123 (beacon, 30s)
HTTP: POST /submit.php (exfil, 8KB encrypted)
HTTPS: cdn-static.xyz:443 (second-stage download)
Registry:
HKCU\...\Run\WindowsUpdate = %TEMP%\svchost.exe
Scheduled task "Update" runs every minute
------------------------------------------------------------
4. IOC TABLE
------------------------------------------------------------
[See consolidated IOC table above]
------------------------------------------------------------
5. MITRE ATT&CK MAPPING
------------------------------------------------------------
T1059.001 - PowerShell (encoded command execution)
T1053.005 - Scheduled Task (persistence)
T1547.001 - Registry Run Keys (persistence)
T1036.005 - Match Legitimate Name (svchost.exe)
T1070.004 - File Deletion (self-delete)
T1071.001 - Web Protocols (HTTP C2)
T1041 - Exfiltration Over C2 Channel
------------------------------------------------------------
6. DETECTION RECOMMENDATIONS
------------------------------------------------------------
[YARA rule for static detection]
[Sigma rule for behavioral detection]
[Network IDS signatures for C2 traffic]
[IOC blocklist for firewall/proxy]
Connecting Analysis to Detection Engineering
The final step transforms your analysis into defensive rules. Every finding maps to a detection:
YARA Rule from Static Findings
```yara
rule AgentTesla_Invoice_Dropper {
    meta:
        description = "Detects AgentTesla dropper variant from Feb 2026 campaign"
        author = "SOC Analyst"
        date = "2026-02-23"
        reference = "Internal Case #2026-0223"
    strings:
        $s1 = "gate.php" ascii
        $s2 = "update-service" ascii
        $s3 = "/submit.php" ascii
        $pdb = "\\Release\\invoice" ascii
    condition:
        // MZ header, size bound, then either two C2 strings or the build-path artifact.
        // Every declared string must be referenced here or YARA refuses to compile the rule.
        uint16(0) == 0x5A4D and filesize < 500KB and (2 of ($s*) or $pdb)
}
```
Sigma Rule from Behavioral Findings
```yaml
title: AgentTesla Persistence — Run Key with Temp Path
id: d4e5f6a7-4444-5555-6666-777788889999
status: test
description: Detects registry Run key creation pointing to temp directory
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\CurrentVersion\Run\'
        Details|contains:
            - '\Temp\\'
            - '\AppData\Local\Temp\\'
    condition: selection
level: high
tags:
    - attack.persistence
    - attack.t1547.001
```
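To check that the behavioural rule above actually fires on the finding it was written from, here is an added example (not part of the lesson and not Sigma's own reference implementation) that evaluates the rule's selection, with Sigma's backslash escaping and case-insensitive `contains` semantics, against constructed Sysmon registry_set events; the simplified evaluator supports only the modifiers it needs.

```python
# The page's Sigma selection transcribed into Python. Python doubles backslashes, so
# "\\Temp\\\\" is the Sigma value '\Temp\\', which Sigma reads as the literal \Temp\ .
SELECTION = {
    "TargetObject|contains": ["\\CurrentVersion\\Run\\"],
    "Details|contains": ["\\Temp\\\\", "\\AppData\\Local\\Temp\\\\"],
}

def sigma_unescape(value: str) -> str:
    r"""Sigma escaping: '\\' is a literal backslash, '\*' and '\?' are literal wildcard
    characters, and any other lone backslash (including a trailing one) is itself literal."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def field_matches(event: dict, spec: str, patterns: list[str]) -> bool:
    """Evaluate one 'Field|modifier' line; list values are OR-ed and matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for pattern in patterns:
        needle = sigma_unescape(pattern).lower()
        if ((modifier == "contains" and needle in actual)
                or (modifier == "startswith" and actual.startswith(needle))
                or (modifier == "endswith" and actual.endswith(needle))
                or (modifier == "" and actual == needle)):
            return True
    return False

def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """Every field line in a Sigma selection map must match (implicit AND)."""
    return all(field_matches(event, spec, pats) for spec, pats in selection.items())

# Constructed Sysmon Event ID 13 (registry_set) records, not real telemetry.
EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\admin\AppData\Local\Temp\svchost.exe"},       # the page's persistence entry
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},     # benign Run value
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "Details": r"C:\Users\admin\AppData\Local\Temp\installer.exe"},      # RunOnce, so '\Run\' does not match
]

def alerts(events: list[dict]) -> list[str]:
    """Return the TargetObject of every event the rule fires on."""
    return [e["TargetObject"] for e in events if selection_matches(e)]
```

The third event shows why the trailing backslash in `'\CurrentVersion\Run\'` matters: without it the pattern would also match RunOnce keys, which this rule does not intend to cover.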
Network IDS Signature
```text
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"AgentTesla C2 Beacon - gate.php";
    content:"GET"; http_method;
    content:"/gate.php?id="; http_uri;
    content:"MSIE 10.0"; http_user_agent;
    sid:2026022301; rev:1;
)
```
The Complete Malware Analysis Workflow
Every analysis follows this progression, from least risk to most risk:
| Phase | Activities | Tools | Output |
|---|---|---|---|
| 1. Static | Hash, strings, PE headers, packer ID, import analysis | sha256sum, FLOSS, PEStudio, Detect It Easy | File classification, initial IOCs |
| 2. Document | Macro extraction, deobfuscation, embedded objects | oletools, pdfid, pdf-parser | VBA code, URLs, dropped filenames |
| 3. Dynamic | Process, file, network, registry monitoring | Procmon, FakeNet-NG, Wireshark, Autoruns | Behavioral profile, C2 patterns |
| 4. Sandbox | Automated analysis, AV consensus, ATT&CK mapping | Any.Run, Hybrid Analysis, VirusTotal | Confirmed behaviors, family ID |
| 5. Report | Consolidate findings, extract IOCs, write detections | Analyst expertise | Analysis report, YARA/Sigma rules |
You do not always need every phase. A known commodity (hash matches existing threat intel) may only need Phase 1 and Phase 4. A novel zero-day dropper warrants the full five-phase treatment. Experienced analysts calibrate their depth based on the sample's novelty and the incident's urgency.
Key Takeaways
- Sandbox platforms (Any.Run, Hybrid Analysis, VirusTotal, Joe Sandbox, CAPE) automate dynamic analysis — your job is to read the reports critically, not accept them blindly
- Any.Run excels at interactive process tree visualization and real-time network capture; Hybrid Analysis provides deep behavioral scoring and YARA matching; VirusTotal offers the broadest AV consensus and relationship mapping
- Public submissions are visible to everyone — including the attacker. Use private submissions or self-hosted sandboxes for active incident samples
- IOC extraction from sandbox reports requires deduplication, confidence scoring, and context — never block on a single data point without cross-referencing
- A complete analysis report has six sections: executive summary, static findings, dynamic findings, IOC table, ATT&CK mapping, and detection recommendations
- Every analysis finding maps to a detection: static strings become YARA rules, behavioral patterns become Sigma rules, network patterns become IDS signatures, and IOCs become blocklist entries
- The end-to-end workflow progresses from least risk to most: static → document analysis → dynamic → sandbox → report
- AV detection names often reveal malware family — search for consensus family names in threat intelligence databases for campaign context
What's Next
You have completed the malware analysis module. You can now dissect samples statically, trace their dynamic behavior, analyze malicious documents, read automated sandbox reports, and produce professional analysis reports with detection recommendations. In Module 12 — Detection Engineering with Sigma, you will take the detection rules you have been sketching throughout this module and learn to write, convert, deploy, and tune them systematically across your entire SIEM infrastructure.
Knowledge Check: Sandbox Reports & Complete Analysis
10 questions · 70% to pass
Why should you avoid submitting malware samples from an active incident to public sandbox platforms?
In an Any.Run report, what is the first section you should examine to understand the sample's execution flow?
In Lab 11.6, you analyze a sandbox report and find that multiple AV engines on Hybrid Analysis identify the sample as 'AgentTesla'. What should you do with this information?
On VirusTotal, a file shows a detection ratio of 2/72. What does this mean for your analysis?
Which VirusTotal tab reveals that other malware samples also communicate with the same C2 domain as your sample?
In Lab 11.6, you build a complete malware analysis report. What are the six standard sections in the report template?
When extracting IOCs from multiple sandbox reports, why is confidence scoring important before adding IOCs to a blocklist?
How does a Hybrid Analysis YARA rule match help your analysis compared to just having AV detection names?
In the complete malware analysis workflow, why does static analysis come before dynamic analysis?
The Detection Recommendations section of a malware analysis report should include rules for multiple defense layers. Which combination provides the most comprehensive coverage?