Conducting Forensic Analysis and Incident Response | Cisco Exam 300-215-CBRFIR

Evaluate File in Sandbox

Question

A security team receives reports of multiple files causing suspicious activity on users' workstations.

The file attempted to access highly confidential information in a centralized file server.

Which two actions should be taken by a security analyst to evaluate the file in a sandbox? (Choose two.)

Answers

Explanations


A. B. C. D. E.

BC.

https://medium.com/@Flying_glasses/top-5-ways-to-detect-malicious-file-manually-d02744f7c43a

When suspicious files are detected on users' workstations, security analysts can use a sandbox environment to safely execute and analyze the file's behavior. This process is known as dynamic analysis, which allows the security team to understand the file's intent, capabilities, and potential harm.

Here are the two actions that should be taken by a security analyst to evaluate the file in a sandbox:

  1. Inspect file hash: The first step in analyzing the file is to compute its hash value, a fixed-length digest that identifies the file's exact contents. Hash values are produced by running a cryptographic hash function over the file's bytes, so any change to the file, however small, results in a different hash value. By checking the file hash against known malicious file hashes, security analysts can determine whether the file is an already-known threat. Services such as VirusTotal and Hybrid Analysis provide online file scanning that leverages large databases of file hashes to identify threats.

  2. Inspect PE header: The Portable Executable (PE) header contains information about the file's format, including the file type, entry point, and import and export tables. Examining the PE header can reveal information about the file's origin and purpose. For example, the header may indicate whether the file is a legitimate application, a driver, or malware. The PE header can also provide details on the file's dependencies, such as DLLs and system calls, which help analysts understand the file's behavior. Tools such as PEStudio and CFF Explorer can assist in examining the PE header of the file.
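As an added example covering both steps above (it is not part of the original page, nor code from VirusTotal, Hybrid Analysis, PEStudio or CFF Explorer), the script below hashes a file with MD5, SHA-1 and SHA-256 and parses the PE header fields the explanation names: machine type, timestamp, whether the image is a DLL, the entry point, and the section table. It works directly on the raw bytes with the standard library only, and the sample PE image it analyzes is a constructed minimal byte string, not a real program. The function names (`file_hashes`, `parse_pe_header`, `triage_bytes`, `build_sample_pe`) and the findings wording are this example's own assumptions.

```python
"""Sandbox-side triage helper: hash a file and inspect its PE header (added example)."""
import hashlib
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag: image is a DLL
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flags
IMAGE_SCN_MEM_WRITE = 0x80000000


def file_hashes(data: bytes) -> dict:
    """Digests of the raw bytes; these are the values looked up in hash intelligence databases."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe_header(data: bytes) -> dict:
    """Parse DOS header pointer, COFF header, optional-header magic, entry point and section table.

    Raises ValueError for anything that is not a well-formed PE image; that failure is itself
    a triage signal (a file with an executable extension that is not really a PE).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 24 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%x" % machine),
        "timestamp": timestamp,
        "format": "PE32+" if magic == 0x20B else "PE32",
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "entry_point": entry_point,
        "sections": sections,
    }


def triage_bytes(data: bytes) -> dict:
    """Combine both steps: hashes plus header-derived findings an analyst would record."""
    report = {"size": len(data), "hashes": file_hashes(data), "pe": None, "findings": []}
    try:
        pe = parse_pe_header(data)
    except ValueError as exc:
        report["findings"].append("not a valid PE image: %s" % exc)
        return report
    report["pe"] = pe
    for s in pe["sections"]:
        if s["executable"] and s["writable"]:
            report["findings"].append("section %s is writable and executable" % s["name"])
    if not any(s["vaddr"] <= pe["entry_point"] < s["vaddr"] + max(s["vsize"], 1) for s in pe["sections"]):
        report["findings"].append("entry point 0x%x lies outside every section" % pe["entry_point"])
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for demonstration only; it contains no code and cannot run."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, 0xE0, 0x0102)  # x86, 2 sections, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint inside .text

    def section(name, vaddr, vsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0, 0, 0, 0, 0, 0, flags)

    secs = section(b".text", 0x1000, 0x200, 0x60000020) + section(b".rwx", 0x2000, 0x200, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    import json
    print(json.dumps(triage_bytes(build_sample_pe()), indent=2))
```

On a real sample, read the file in binary mode and pass its bytes to `triage_bytes`; the `hashes` values are what you submit to a hash lookup, and the `findings` list (writable-and-executable sections, an entry point outside any section, or a file that is not a PE at all) is the kind of header-level observation worth recording before detonating the sample.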

While inspecting registry entries and processes can also provide insights into the file's behavior, these actions are more suitable for static analysis, which involves examining the file's code and metadata without executing it. In a sandbox environment, dynamic analysis is preferred as it allows for the actual execution of the file to observe its behavior and potential harm.