Sample Analysis

View static and dynamic analysis of file samples to identify malware, investigate trends, and create reports.
Cortex XSOAR Sample Analysis tools enable you to conduct in-depth investigations and analyses of file samples. File samples are run and analyzed using Palo Alto Networks' WildFire cloud-based threat analysis service, and you can view dynamic analysis of observed behavior, static analysis of the file contents, and related sessions and submissions.
For example, you have an incident with an extracted file indicator. The Unit 42 Intel tab shows the file's behavior. You scroll through the sample's behavior and see a suspicious behavior: Powershell.exe wrote to a file in the Administrator's User folder, named 443.exe. You want to find other samples with the same behavior, and to determine whether they are related to a known adversary or malware, so you add that specific behavior to your search. When you run the search, you see that this behavior is associated with Emotet, a known banking trojan (malware). You have identified your original file sample as part of a larger threat campaign and you can now take steps to remediate.
The Unit 42 Intel tab for a file sample includes:
  • WildFire Dynamic Analysis - Observed Behavior
    A high-level overview of the behavior observed when the file was run in the WildFire sandbox. Examples might include potentially malicious behaviors, such as connecting to a potentially vulnerable port or creating an executable file in the Windows folder, as well as behaviors frequently performed by legitimate software, such as scheduling a task in Windows Task Scheduler.
  • WildFire Dynamic Analysis - Sections
    Dynamic analysis provides a granular view of file activity, process activity, registry activity, connection activity, etc. Files run in a custom-built, evasion-resistant virtual environment in which previously unknown submissions are detonated to determine real-world effects and behavior. Behavior can be observed in one or more operating system environments.
  • WildFire Static Analysis
    WildFire static analysis detects known threats by analyzing the characteristics of a sample prior to execution in the sandbox. Static analysis can provide instant identification of malware variants and includes dynamic unpacking to analyze threats that attempt to evade detection using packer tools.
  • Related Sessions & Submissions
    Shows any related sessions and submissions where the file was seen. Related sessions and submissions data is available if you have one of the following products: Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access.
In addition to viewing the file activities, properties, and behaviors within the Cortex XSOAR Threat Intel page, you can also download a PDF with a full report.

Sample Analysis Search

You can use Unit 42 Intel data to build complex searches for file samples with similar characteristics. For example, in WildFire Dynamic Analysis - Sections, you can add Parent Process, Action, or Parameters, or all characteristics of the file activity, to a search. In WildFire Static Analysis, you can add Behavior, Description, or both characteristics to a search.
WildFire Dynamic Analysis - Sections shows not only the observed behavior of the file sample, but also how many times the behavior was observed in other Unit 42 samples: malicious samples, suspicious samples, and unknown samples. For example, you see that the parent process sample.exe wrote to file data1.tmp. The same behavior occurred in 75 samples that had a verdict of malicious. To investigate further, you can build a new search that contains this specific behavior and view the relevant samples. To add an entire row to a new Sample Analysis search, hover the cursor over the last column on the right, in the row that you want to add.
A drill-down button appears when you hover over the empty column. Click on the button to see the two options:
  • Add to Sample Analysis Search
    Adds selected information from the row to a Sample Analysis search. After choosing Add to Sample Analysis Search, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms." If you click on the link, you go to the Sample Analysis tab, where you can edit or run your search for samples that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up disappears and you can continue to add items to the search. To run the search without clicking on the pop-up link, go to the Threat Intel page and click on the Sample Analysis tab.
    Instead of adding the entire row, you can also add one or more items in the row to a search. For example, in WildFire Dynamic Analysis - Sections - File Activity, you can add the parent process and the action, without including the parameters, by clicking the drill-down search button to the right of each option you want to add.
  • Create New Sample Analysis Search
    Clears any search characteristics you have already added and starts a new Sample Analysis search with the selected characteristic(s). After choosing this option, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms." If you click on the link, you go to the Sample Analysis tab, where you can edit or run your search for samples that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up disappears and you can continue to add items to the search. To run the search without clicking on the pop-up link, go to the Threat Intel page and click on the Sample Analysis tab.
The Sample Analysis search page includes a drop-down for Sample Type. Options include All Samples, Public Samples, and My Samples. The My Samples option is only available for customers with a Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access. My Samples data is not available for multi-tenant deployments.
Known limitation: When searching on the Sample Analysis page for relationships (-relationships""), some results may appear without their specific relationships listed, due to internal relationship permissions.