I wanted to share some free online resources for anyone looking to do some quick and dirty “spot checks” on suspicious files or URLs without having to set up a full-blown sandbox environment and get into malware analysis.
The first resource is a super powerful online sandbox called Any.run (https://any.run/).
Creating a free account is straightforward. Once you’re in, you have access to an environment to upload any suspicious files or to check a suspicious URL. NOTE: Do not upload anything that could potentially be confidential, as submissions to this online tool are shared publicly.
Upon login, we get to this home page above. On the top left corner, there’s a “new task” button. Let’s use it!
We have a few things to choose here when trying to detonate this. First we selected a 32-bit Windows 7 VM (64-bit requires the paid version). Second, we grabbed a malicious URL from URLhaus. Let’s see what it does 🙂
Here’s the tool setting up the virtualized environment and detonating the potential payload.
…and the end result! Pretty awesome! You can see the suspicious link was “clicked” and the payload executed in an online sandbox environment hosted by any.run. There are several HTTP connections here and something definitely seems “phishy”! This could have been a user on your network!
IOCs can be generated and sent to your SIEM as well!
And the icing on the cake definitely has to be the MITRE ATT&CK matrix mapping! Nice!
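Getting the IOCs out of a sandbox report and into a SIEM usually means re-validating and flattening them first, because a sandbox export mixes URLs, domains, IPs and hashes and occasionally contains junk. The script below is an added example, not code from the original post or from Any.run; the export format it parses is a constructed sample whose field names (`task`, `verdict`, `iocs`) are an assumption, not Any.run’s real schema. It classifies each indicator by what it actually is, drops anything that is not a usable IOC, adds a defanged copy for tickets and chat, and emits one JSON line per indicator, which most SIEMs can ingest directly.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample modelled loosely on a sandbox IOC export. The field
# names are an assumption for this example, not Any.run's real schema.
SAMPLE_EXPORT = json.dumps({
    "task": "example-task-0001",
    "verdict": "malicious",
    "iocs": [
        {"type": "url", "value": "http://malicious.example/payload.exe"},
        {"type": "domain", "value": "malicious.example"},
        {"type": "ip", "value": "203.0.113.45"},
        {"type": "sha256", "value": "a" * 64},
        {"type": "ip", "value": "not-an-ip"},   # junk row, should be dropped
    ],
})

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify(value):
    """Return the IOC type of a raw string, or None if it is not a usable IOC.
    The exporter's own 'type' label is ignored on purpose: we trust the value."""
    value = value.strip()
    if SHA256_RE.match(value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url" if urlparse(value).netloc else None
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def defang(value):
    """Make a URL/domain/IP safe to paste into tickets or chat (hxxp, [.])."""
    return (value.replace("http://", "hxxp://")
                 .replace("https://", "hxxps://")
                 .replace(".", "[.]"))


def to_siem_events(export_json, observed_at=None):
    """Convert a sandbox IOC export into flat event dicts, one per indicator."""
    data = json.loads(export_json)
    ts = (observed_at or datetime.now(timezone.utc)).isoformat()
    events = []
    for ioc in data.get("iocs", []):
        raw = ioc.get("value", "").strip()
        kind = classify(raw)
        if kind is None:
            continue  # drop junk rather than poison the watchlist
        events.append({
            "@timestamp": ts,
            "source": "sandbox",
            "sandbox_task": data.get("task"),
            "verdict": data.get("verdict"),
            "ioc_type": kind,
            "ioc_value": raw,
            "ioc_defanged": defang(raw),
        })
    return events


def to_jsonl(events):
    """Serialise events as JSON lines, the format most SIEM collectors accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_jsonl(to_siem_events(SAMPLE_EXPORT)))
```

Feed the JSON-lines output to whatever collector your SIEM uses (a file watched by a forwarder, an HTTP event collector, and so on). Keeping the raw value and the defanged value side by side lets the SIEM match on the former while analysts copy the latter around safely.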
The second online resource I like is Hybrid Analysis (https://www.hybrid-analysis.com/).
Hybrid Analysis is a great way to check a suspicious file or URL, with a similar concept to any.run.
Let’s upload a file and see how it does! NOTE: Do not upload anything that could potentially be confidential, as submissions to this online tool are shared publicly.
In the image above, I uploaded a random pcap file I had lying around. The analysis checked it against VirusTotal and MetaDefender and it looks like it’s “clean”. Let’s try a malicious file now 🙂
Here’s what the end result of a malicious file would look like. Yikes!
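Both notes above warn against uploading anything confidential, and the pcap check above was really a lookup against VirusTotal and MetaDefender. A hash lookup gives you that same lookup without the file ever leaving your machine, so it is the right first step before deciding whether a sample is safe to submit. The script below is an added example, not code from the original post or from either service: it hashes a file in chunks, builds the VirusTotal web link for the SHA-256, and, only if a `VT_API_KEY` environment variable is set, queries the VirusTotal v3 file endpoint by hash and summarises the detection counts. The endpoint and the `x-apikey` header are VirusTotal’s documented v3 API; the summary fields are this example’s own.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# VirusTotal v3 lookup by hash (documented API); the GUI link is what you
# would open in a browser instead of uploading the file.
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"
VT_GUI_FILE = "https://www.virustotal.com/gui/file/"


def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests for in-memory bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks so large samples need not fit in memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def vt_gui_url(sha256):
    """Browser link for a manual hash lookup (no upload involved)."""
    return VT_GUI_FILE + sha256


def summarize_vt_report(report):
    """Reduce a VirusTotal v3 file object to the counts an analyst scans first.
    'flagged' counts malicious + suspicious verdicts; 'engines' is the total."""
    stats = report["data"]["attributes"].get("last_analysis_stats", {})
    total = sum(stats.values())
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {"flagged": flagged, "engines": total,
            "verdict": "flagged" if flagged else "no detections"}


def vt_hash_lookup(sha256, api_key, timeout=15):
    """Look a hash up on VirusTotal without uploading the file.
    Returns None when VirusTotal has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(VT_FILES_ENDPOINT + sha256,
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_vt_report(json.load(resp))
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


if __name__ == "__main__":
    path = sys.argv[1]
    digests = hash_file(path)
    print(json.dumps(digests, indent=2))
    key = os.environ.get("VT_API_KEY")
    if not key:
        print("No VT_API_KEY set; check the hash manually at", vt_gui_url(digests["sha256"]))
    else:
        result = vt_hash_lookup(digests["sha256"], key)
        print("Hash unknown to VirusTotal" if result is None else json.dumps(result))
```

Run it as `python vt_hash_check.py suspicious.bin`. A hash that comes back unknown is a useful signal on its own: the sample is either new or never shared, which is exactly when you should think twice about pushing it into a public sandbox.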
Hopefully these resources can help you out for some quick IR spot checks. I’ll leave some additional resources below as well. Thanks for reading!
- VirusTotal – https://www.virustotal.com/gui/
- PDFparser – https://pdfparser.org/
- OleDump – https://blog.didierstevens.com/programs/oledump-py/
- Netcraft site report – https://sitereport.netcraft.com/