VMRay Feature Brief – Automated IOC Generation

Sandbox-generated IOCs are an under-utilized source of threat intelligence, due to the difficulty of extracting actionable and trusted IOCs in an efficient manner. VMRay Analyzer unlocks this potential by automating this process for security teams.

Addressed Challenges

Analysis Artifacts

A malware sandbox analyzing a threat collects forensic data observed during the analysis runtime. This collected data, often referred to as “analysis artifacts”, typically includes files, URLs, IPs, processes, and registry entries which were used, created, or modified as part of the malware execution. While security analysts may use analysis artifacts to get a better understanding of what happened during malware detonation, the artifacts usually cannot be used to characterize the malware. They are too generic and may also be observed when executing benign samples. For example, a malicious process accessing trivial Windows registry entries, or reading DLLs which belong to an execution environment such as .NET, can generate artifacts identical to those of a benign process.

Indicators of Compromise (IOCs)

To characterize threats, security teams collect, aggregate, and monitor for IOCs. An IOC is essentially a piece of forensic data related to a given threat that can identify the presence of this threat in a system or a network.

Distinguishing Artifacts from IOCs

In the context of a malware sandbox, IOCs are a subset of artifacts. In other words, while artifacts are all the observed pieces of forensic data, not every artifact can be considered an IOC. Detecting the presence of the DLL file in the above example doesn’t mean this threat is present in your environment. This makes it difficult for organizations to use a malware sandbox to generate IOCs effectively, since exporting them into third-party systems, such as a TIP, may pollute their repositories. Misclassifying an artifact as an IOC can lead to false alerts, and potentially to a direct negative impact on the production network. Unfortunately, this is why malware analysts still use mostly manual, time-consuming methods to extract IOCs that are reliable and actionable.

VMRay Analyzer Feature Overview

Extracting Analysis Artifacts

When samples are analyzed using the VMRay Platform, analysis artifacts are extracted. Artifact types that are included in VMRay analysis reports are: Files, Filenames, URLs, Domains, IPs, Registries, Mutexes, Processes, Emails and Email Addresses. Artifacts are extracted from analyses as follows:

  • Environment artifacts: artifacts such as files, processes, registry entries and mutexes which were used, created, or modified as part of the analysis runtime
  • Network artifacts: URLs, domains and IPs extracted from network API calls as well as the PCAP
  • Downloaded files: files that were downloaded during the analysis runtime
  • Embedded links: URL links in documents and emails statically extracted
  • Embedded artifacts: embedded files and network artifacts, statically extracted from the sample as well as other file artifacts such as scripts, macros and process command lines

IOCs Flagging and Scoring

VMRay Analyzer automates the process of extracting IOCs from analysis artifacts by flagging relevant artifacts as IOCs. The key innovation is the use of VMRay Threat Identifier (VTI) rules to flag artifacts which are associated with unusual behavior. For example, a URL used by a dropper to download the payload will be flagged as an IOC. This means that IOCs are now defined as a subset of artifacts, by adding an “IOC” flag to each relevant artifact. To make this even more powerful, VTIs are now also used to better determine the maliciousness of an IOC. In the following image, the Analysis Report IOCs tab presents an IOC with a malicious severity, together with the list of related VTIs which were used to determine its severity.

Figure: VMRay Analyzer Report – IOCs tab

Contextualizing and Exporting IOCs

Complementing IOCs flagging and scoring, other capabilities include:

  • Exporting IOCs: supported formats are JSON, CSV and STIX 2.0, offering multiple ways to export IOCs to other security systems.
  • Contextualizing: artifacts and IOCs are enriched with attributes extracted during the dynamic and static analysis, including geographic location, user agent, parent process, classifications, threat names, and others.
  • The IOCs tab: an interactive tab provides detailed information on indicators, artifacts, and related VTIs. It allows team members to easily filter, navigate, explore and finally export IOCs.

Combined, these capabilities allow analysts to use IOCs generated by VMRay Analyzer with confidence, including as part of automated detection and protection workflows.
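
The artifact-versus-IOC distinction and the STIX 2.0 export described above, as an added Python example that is not VMRay's code: only artifacts carrying an IOC flag at or above a chosen severity become STIX 2.0 indicators. The artifact field names, the severity scale, the rule names and the sample values are constructed assumptions, not VMRay's export schema.

```python
import json
import uuid

# Hypothetical artifact types mapped to STIX 2.0 cyber-observable object paths.
STIX_PATH = {"url": "url:value", "domain": "domain-name:value", "ip": "ipv4-addr:value",
             "filename": "file:name", "registry": "windows-registry-key:key"}
# Assumed severity scale: (rank, STIX 2.0 indicator label used on export).
SEVERITY = {"clean": (0, None), "suspicious": (1, "anomalous-activity"),
            "malicious": (2, "malicious-activity")}

# Constructed sample artifacts; field names are hypothetical, not a vendor schema.
ARTIFACTS = [
    {"type": "filename", "value": "clr.dll",            # generic .NET runtime read
     "ioc": False, "severity": "clean", "rules": []},
    {"type": "url", "value": "http://payload.example/stage2.bin",
     "ioc": True, "severity": "malicious", "rules": ["dropper download (constructed)"]},
    {"type": "domain", "value": "payload.example",
     "ioc": True, "severity": "suspicious", "rules": ["DNS lookup (constructed)"]},
    {"type": "registry", "value": "HKEY_CURRENT_USER\\Software\\ExampleDropper",
     "ioc": True, "severity": "malicious", "rules": ["persistence key (constructed)"]},
]


def to_indicator(artifact, timestamp):
    """Build one STIX 2.0 indicator; backslash and quote are escaped in the pattern."""
    literal = artifact["value"].replace("\\", "\\\\").replace("'", "\\'")
    return {
        "type": "indicator",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": timestamp, "modified": timestamp, "valid_from": timestamp,
        "labels": [SEVERITY[artifact["severity"]][1]],
        "pattern": "[%s = '%s']" % (STIX_PATH[artifact["type"]], literal),
        "description": "Flagged by: " + "; ".join(artifact["rules"]),
    }


def export_bundle(artifacts, timestamp, min_severity="malicious"):
    """Export only flagged IOCs at or above min_severity; plain artifacts never leave."""
    floor = max(SEVERITY[min_severity][0], 1)  # never export clean-scored items
    chosen = [a for a in artifacts if a["ioc"] and a["type"] in STIX_PATH
              and SEVERITY[a["severity"]][0] >= floor]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "spec_version": "2.0",
            "objects": [to_indicator(a, timestamp) for a in chosen]}


if __name__ == "__main__":
    print(json.dumps(export_bundle(ARTIFACTS, "2024-01-01T00:00:00.000Z"), indent=2))
```

Raising or lowering `min_severity` is the knob that decides how much reaches a downstream repository such as a TIP.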

