Get a File behaviour report from a sandbox.
External Documentation
To learn more, visit the VirusTotal documentation.
Parameter | Description |
---|---|
Analysed File’s SHA256 | The SHA256 hash of the analysed file. |
Sandbox Name | The name of the sandbox whose behaviour report is required. |
{
"data": {
"id": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08_Zenbox",
"type": "file_behaviour",
"links": {
"self": "https://mock-api.example.com/v3/file_behaviours/mock-behaviour-id-1"
},
"attributes": {
"behash": "25d02ca094be83575d9f51298b3448ba",
"last_modification_date": 1712589429,
"analysis_date": 1712589367,
"processes_tree": [
{
"process_id": "7456",
"name": "C:\\Windows\\System32\\wscript.exe C:\\Windows\\System32\\WScript.exe "
}
],
"has_evtx": true,
"memory_dumps": [
{
"file_name": "00000001.00000003.1028472294.0000018726DDD000.00000004.00000020.00020000.00000000.sdmp",
"process": "C:\\Windows\\System32\\wscript.exe",
"size": "77824",
"base_address": "1679984283648",
"stage": "MEM_STAGE_FREE"
}
],
"mitre_attack_techniques": [
{
"id": "T1064",
"severity": "IMPACT_SEVERITY_INFO",
"signature_description": "Found WSH timer for Javascript or VBS script (likely evasive script)",
"refs": [
{
"ref": "#signature_matches",
"value": "839"
}
]
},
{
"id": "T1082",
"severity": "IMPACT_SEVERITY_INFO",
"signature_description": "Queries the cryptographic machine GUID",
"refs": [
{
"ref": "#signature_matches",
"value": "285"
}
]
},
{
"id": "T1082",
"severity": "IMPACT_SEVERITY_INFO",
"signature_description": "Reads software policies",
"refs": [
{
"ref": "#signature_matches",
"value": "509"
}
]
}
],
"processes_terminated": [
"C:\\Windows\\System32\\wscript.exe"
],
"dns_lookups": [
{
"hostname": "mock.example.com",
"resolved_ips": [
"192.0.2.71",
"192.0.2.73",
"192.0.2.68",
"192.0.2.2",
"192.0.2.67",
"192.0.2.23",
"192.0.2.4",
"192.0.2.74"
]
}
],
"tags": [
"IDLE",
"LONG_SLEEPS"
],
"files_opened": [
"C:\\Users\\user\\Desktop\\sample.js",
"C:\\Users\\user\\Desktop\\sample.js\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\SYSTEM32\\USERENV.dll",
"C:\\Windows\\SYSTEM32\\WLDP.DLL",
"C:\\Windows\\SYSTEM32\\amsi.dll"
],
"registry_keys_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\UrlZones",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}"
],
"verdict_confidence": 100,
"processes_created": [
"C:\\Windows\\System32\\wscript.exe C:\\Windows\\System32\\WScript.exe \"C:\\Users\\user\\Desktop\\sample.js"
],
"verdicts": [
"CLEAN"
],
"has_memdump": true,
"signature_matches": [
{
"id": "507",
"description": "Uses an in-process (OLE) Automation server",
"match_data": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\\InprocServer32"
],
"severity": "IMPACT_SEVERITY_INFO"
}
],
"sandbox_name": "Zenbox",
"has_html_report": true,
"has_pcap": true
}
}
}