How to Collect Indicators of Compromise in the ANY.RUN Sandbox

How to Collect Indicators of Compromise in the ANY.RUN Sandbox

Gathering Indicators of Compromise (IOCs) is key to identifying and responding to threats. IOCs are pieces of forensic data that point to potential malicious activity, helping you detect, investigate, and prevent cyberattacks.

With ANY.RUN, you can collect a wide variety of IOCs, giving you a complete picture of any threat. 

Let’s dive into the types of IOCs you can collect in ANY.RUN’s Interactive Sandbox and where to find them. 

File System Indicators 

Main Objects 

The Main Object is one of the most critical components when analyzing malware inside the ANY.RUN sandbox. This refers to the primary file that was loaded for analysis. 

Once you’ve initiated a sandbox analysis session, simply click on the file name located in the upper-right corner of the screen.  

File name displayed inside ANY.RUN sandbox 

This action will give you quick access to the Main Object IOCs, which include basic details such as file paths, hashes, and more.  

Main Objects IOCs inside ANY.RUN sandbox analysis

Analyze and collect IOCs of malware and phishing threats
in the ANY.RUN sandbox 



Start your first analysis


Dropped Executable Files 

All files dropped during the malware’s execution are shown in the bottom panel under Files. This area demonstrates exactly what files the malware generated or modified, helping you track its propagation across the system. 

Dropped executable files inside ANY.RUN

Network Indicators 

Domains (DNS Requests) 

Domains that the malware attempts to access can help you trace its communication with external servers, such as command-and-control (C2) infrastructure.  

You can find these IOCs under Network → DNS Requests in the bottom panel of the sandbox interface.  

By analyzing the DNS requests, you’ll get a clearer view of how the malware interacts with remote hosts, often revealing malicious infrastructure or other indicators that can assist in further threat investigation. 

DNS requests inside ANY.RUN sandbox

Connections 

The malware’s active connections can be observed under Network → Connections.  

This feature allows you to monitor the malware’s communication channels, tracking its interactions with command-and-control (C2) servers or other suspicious IP addresses.  

Analyzing these connections enables you to identify data exfiltration routes or pinpoint where the malware is sending information. 

Connections in ANY.RUN sandbox analysis 

HTTP/HTTPS Requests 

HTTP and HTTPS requests initiated by the malware are logged under NetworkHTTP Requests. This is crucial for identifying malicious websites or external servers the malware connects to. 

HTTP requests displayed in ANY.RUN

Malware Configurations

In the ANY.RUN sandbox, you can gather IOCs specifically associated with malware configurations by clicking the MalConf button located in the upper right corner of the screen.

MalConf button inside ANY.RUN sandbox 

The feature specifically pulls IOCs from to the malware’s configurations, such as URLs, file hashes, and domains, providing key insights that are crucial for further in-depth investigation and reporting.

Malware configurations inside ANY.RUN sandbox session

Integrate ANY.RUN sandbox in your organization 



Request a 14-day trial


Centralized IOC Window 

You can easily access all the important indicators in the IOC window. 

Simply hit the IOC button located in the top-right corner, and you’ll instantly gain access to the most critical IOCs collected throughout the analysis—whether they come from Static Analysis or Malware Configurations.  

IOC button in ANY.RUN sandbox session 

This window saves time and ensures that all critical data is conveniently organized in one place for easier review. 

IOCs window inside the ANY.RUN sandbox 

The IOC window is easy to navigate thanks to the simple dropdown menu.

Summary of IOCs with dropdown menu inside ANY.RUN’s sandbox 

You can quickly filter and organize IOCs. Plus, copying the selected indicators for your reports or further analysis is just a click away, making the whole process smooth and efficient. 

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial →

The post How to Collect Indicators of Compromise <br>in the ANY.RUN Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More