View static and dynamic analysis of file samples to identify malware, investigate trends, and create reports.
Sample Analysis tools enable you to conduct in-depth investigations and analyses of file samples. File samples are run and analyzed using Palo Alto Networks' WildFire cloud-based threat analysis service, and you can view dynamic analysis of observed behavior, static analysis of the file contents, and related sessions and submissions.
For example, you have an incident with an extracted file indicator. The Unit 42 Intel tab shows the file's behavior. You scroll through the sample's behavior and see a suspicious behavior: PowerShell.exe wrote a file named 443.exe to the Administrator's user folder. You want to find other samples with the same behavior and determine whether they are related to a known adversary or malware family, so you add that specific behavior to your search. When you run the search, you see that this behavior is associated with Emotet, a known banking trojan. You have identified your original file sample as part of a larger threat campaign and can now take steps to remediate.
The Unit 42 Intel tab for a file sample includes:
- WildFire Dynamic Analysis - Observed Behavior: A high-level overview of the behavior observed when the file was run in the WildFire sandbox. Examples include potentially malicious behaviors, such as connecting to a potentially vulnerable port or creating an executable file in the Windows folder, as well as behaviors frequently performed by legitimate software, such as scheduling a task in Windows Task Scheduler.
- WildFire Dynamic Analysis - Sections: Dynamic analysis provides a granular view of file activity, process activity, registry activity, connection activity, and so on. Files run in a custom-built, evasion-resistant virtual environment in which previously unknown submissions are detonated to determine their real-world effects and behavior. Behavior can be observed in one or more operating system environments.
- WildFire Static Analysis: WildFire static analysis detects known threats by analyzing the characteristics of a sample before it is executed in the sandbox. Static analysis can provide instant identification of malware variants and includes dynamic unpacking to analyze threats that attempt to evade detection using packer tools.
- Related Sessions & Submissions: Shows any related sessions and submissions in which the file was seen. Related sessions and submissions data is available only if you have one of the following products: Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access.
In addition to viewing the file activities, properties, and behaviors within the Cortex XSOAR Threat Intel page, you can also download a PDF with a full report.
Sample Analysis Search
You can use Unit 42 Intel data to build complex searches for file samples with similar characteristics. For example, in WildFire Dynamic Analysis - Sections, you can add Parameters or all characteristics of the file activity to a search. In WildFire Static Analysis, you can add Description, or both characteristics, to a search.
WildFire Dynamic Analysis - Sections shows not only the observed behavior of the file sample, but also how many times the behavior was observed in other Unit 42 samples, broken down by verdict: malicious, suspicious, and unknown. For example, you see that the parent process sample.exe wrote to the file data1.tmp, and that the same behavior occurred in 75 samples with a verdict of malicious. To investigate further, you can build a new search that contains this specific behavior and view the relevant samples. To add an entire row to a new Sample Analysis search, hover the cursor over the empty last column on the right of the row you want to add. A drill-down button appears; click it to see two options:
- Add to Sample Analysis Search: Adds the selected information from the row to a Sample Analysis search. After choosing Add to Sample Analysis Search, a pop-up appears at the bottom of the screen: "Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms." If you click the link, you go to the Sample Analysis tab, where you can edit or run your search for samples that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the pop-up disappears and you can continue to add items to the search. To run the search without clicking the pop-up link, go to the Threat Intel page and click the Sample Analysis tab. Instead of adding the entire row, you can also add one or more items from the row to a search. For example, in WildFire Dynamic Analysis - Sections - File Activity, you can add the parent process and the action, without the parameters, by clicking the drill-down search button to the right of each item you want to add.
- Create New Sample Analysis Search: Clears any search characteristics you have already added and starts a new Sample Analysis search with the selected characteristic(s). After choosing this option, the same pop-up appears at the bottom of the screen: "Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms." Click the link to go to the Sample Analysis tab, where you can edit or run the search (or Add to Saved Queries); if you do not click it, the pop-up disappears and you can keep adding items, then run the search later from the Sample Analysis tab of the Threat Intel page.
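As an added illustration of the pivot described above (this is example code, not Cortex XSOAR, Unit 42 Intel or WildFire code, and it does not call any of their APIs): the record layout, the three File Activity columns, the verdict strings and the SHA-256 values are all constructed here as assumptions. It mirrors the two ways of adding a behavior to a search, the whole row versus selected cells, and computes the per-verdict count of other samples that exhibit the behavior, which is the figure the Sections view shows beside each row.

```python
"""Pivot on a dynamic-analysis behavior across a set of file samples.

Added example, not Cortex XSOAR / Unit 42 Intel / WildFire code.  The record
layout, column names, verdict strings and sample data are constructed for
illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed columns of a File Activity row in the dynamic-analysis Sections view.
ROW_FIELDS = ("parent_process", "action", "parameters")


@dataclass(frozen=True)
class FileActivity:
    """One File Activity row: which process did what to which path."""
    parent_process: str
    action: str
    parameters: str


@dataclass(frozen=True)
class Sample:
    sha256: str
    verdict: str                  # assumed values: malicious / suspicious / unknown / benign
    file_activity: tuple          # tuple[FileActivity, ...]


def search_terms(row: FileActivity, fields: Iterable[str] = ROW_FIELDS) -> dict:
    """Turn a selected row, or a subset of its cells, into search terms.

    fields=ROW_FIELDS mirrors "add the entire row"; a subset mirrors adding
    individual cells, e.g. parent process and action without the parameters.
    """
    fields = tuple(fields)
    unknown = set(fields) - set(ROW_FIELDS)
    if unknown:
        raise ValueError(f"not a File Activity column: {sorted(unknown)}")
    return {f: getattr(row, f) for f in fields}


def exhibits(sample: Sample, terms: dict) -> bool:
    """True if any File Activity row of the sample matches every search term."""
    return any(all(getattr(row, f) == v for f, v in terms.items())
               for row in sample.file_activity)


def matching_samples(samples: Iterable[Sample], terms: dict,
                     exclude_sha256: Optional[str] = None) -> list:
    """Samples exhibiting the behavior, leaving out the sample under investigation."""
    return [s for s in samples if s.sha256 != exclude_sha256 and exhibits(s, terms)]


def verdict_breakdown(samples: Iterable[Sample], terms: dict,
                      exclude_sha256: Optional[str] = None) -> Counter:
    """Per-verdict count of other samples showing the behavior (the Sections figure)."""
    return Counter(s.verdict for s in matching_samples(samples, terms, exclude_sha256))


# Constructed data: the behavior from the page's walkthrough, plus five other samples.
ADMIN_443 = FileActivity("powershell.exe", "write", r"C:\Users\Administrator\443.exe")
INCIDENT_SHA256 = "a" * 64   # placeholder hash of the incident's extracted file

SAMPLES = (
    Sample(INCIDENT_SHA256, "unknown", (ADMIN_443,)),
    Sample("b" * 64, "malicious", (ADMIN_443,
           FileActivity("443.exe", "create", r"C:\Windows\Temp\data1.tmp"))),
    Sample("c" * 64, "malicious", (ADMIN_443,)),
    Sample("d" * 64, "malicious",
           (FileActivity("powershell.exe", "write", r"C:\Users\Public\update.exe"),)),
    Sample("e" * 64, "suspicious",
           (FileActivity("cmd.exe", "write", r"C:\Users\Administrator\443.exe"),)),
    Sample("f" * 64, "benign",
           (FileActivity("svchost.exe", "write", r"C:\Windows\Tasks\backup.job"),)),
)

if __name__ == "__main__":
    # Whole row, then two narrower pivots built from selected cells.
    for fields in (ROW_FIELDS, ("parent_process", "action"), ("action", "parameters")):
        terms = search_terms(ADMIN_443, fields)
        print(terms, dict(verdict_breakdown(SAMPLES, terms, INCIDENT_SHA256)))
```

Narrowing the terms is the interesting move: dropping the parameters pulls in sample "d" (PowerShell writing a different executable), while dropping the parent process pulls in sample "e" (the same 443.exe path written by cmd.exe), so the verdict breakdown tells you how specific a pivot still needs to be before it stops matching unrelated activity.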
The Sample Analysis search page includes a Sample Type drop-down with the options Public Samples and My Samples. The My Samples option is available only to customers with a Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access. My Samples data is not available for multi-tenant deployments.
Known limitation: When searching on the Sample Analysis page for relationships (-relationships""), some results may appear without their specific relationships listed, due to internal relationship permissions.