Playbook - VirusTotal File
- Press the “Reanalyse” button if the Last Analysis Date is not recent.
- Number of detections: The number of detections is usually linked to the severity of the file. More detections usually mean the file is malicious with higher confidence; fewer detections usually mean the file is less severe or that there is lower confidence in its nature. Be careful with files that are new in VT and do not trust their verdict yet: the results can change quickly.
- Verify the “Popular threat label”: Every AV vendor names its detections differently; the most repeated label tends to be the most accurate and helps identify the type of malware or the malware family.

- Details Tab:
- Creation Time/First Submission: This information shows how old the file is and when it was first submitted to VT. Very old malware is likely not active. New malware poses a greater threat than older files.
- Names: Identifies other file names seen for the same hash. This information can be useful for identifying the type of software. We can Google these names for further leads.
- Signature info: Signature verification result (Valid, Invalid, Not signed), details about who developed and published the file, and file metadata (Product, Description, Original Name). Legitimate files will always have a valid signature.
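The following script is an added example for this playbook (it is not VirusTotal's own code) that automates the Detection and Details checks above over the `data.attributes` object returned by `GET https://www.virustotal.com/api/v3/files/{hash}`. The sample report, the 30-day reanalysis window, the 7-day "new in VT" window, the confidence thresholds and the exact string VT uses in `signature_info.verified` are assumptions made for illustration; the field names otherwise follow the VT API v3 file object.

```python
"""Triage the Detection and Details fields of a VirusTotal API v3 file report.

Example added to the playbook; not VirusTotal's code. Field names follow
GET /api/v3/files/{hash} -> data.attributes. The sample report, the time windows,
the confidence thresholds and the "Signed" string test are constructed assumptions."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample evaluates identically on every run
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def _days_ago(days):
    return int((NOW - timedelta(days=days)).timestamp())


# Constructed excerpt of a report; counts, names and labels are invented
SAMPLE_ATTRIBUTES = {
    "last_analysis_date": _days_ago(200),
    "first_submission_date": _days_ago(900),
    "creation_date": _days_ago(950),
    "last_analysis_stats": {"malicious": 41, "suspicious": 2, "undetected": 20,
                            "harmless": 0, "timeout": 1, "type-unsupported": 5},
    "popular_threat_classification": {
        "suggested_threat_label": "trojan.emotet/krypt",
        "popular_threat_name": [{"value": "emotet", "count": 18}, {"value": "krypt", "count": 7}],
        "popular_threat_category": [{"value": "trojan", "count": 30}],
    },
    "names": ["invoice.exe", "doc_scan.exe"],
    "signature_info": {"verified": "Unsigned", "product": "", "description": ""},
}


def fetch_attributes(sha256, api_key):
    """Live lookup (not used by the sample): returns data.attributes for a hash."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}", headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]["attributes"]


def needs_reanalysis(attrs, now=NOW, max_age_days=30):
    """Playbook step 1: press Reanalyse when the last analysis is older than the window."""
    last = datetime.fromtimestamp(attrs["last_analysis_date"], timezone.utc)
    return now - last > timedelta(days=max_age_days)


def detection_ratio(attrs):
    """(malicious, engines that returned a verdict); timeouts/unsupported types excluded."""
    s = attrs["last_analysis_stats"]
    total = sum(s.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return s.get("malicious", 0), total


def detection_confidence(attrs):
    """Coarse bucket from the ratio; thresholds are an assumption, tune to local policy."""
    malicious, total = detection_ratio(attrs)
    if total == 0:
        return "unknown"
    share = malicious / total
    if share >= 0.5:
        return "high"
    if share >= 0.15 or malicious >= 5:
        return "medium"
    return "low" if malicious else "clean"


def popular_label(attrs):
    """Most repeated vendor-derived family name (VT tallies these per vendor)."""
    names = attrs.get("popular_threat_classification", {}).get("popular_threat_name", [])
    return max(names, key=lambda n: n["count"])["value"] if names else None


def age_days(attrs, now=NOW):
    """Days since the earlier of creation time and first VT submission."""
    stamps = [attrs[k] for k in ("creation_date", "first_submission_date") if k in attrs]
    return (now - datetime.fromtimestamp(min(stamps), timezone.utc)).days if stamps else None


def new_to_vt(attrs, now=NOW, window_days=7):
    """Playbook caveat: verdicts on files first seen within the window can still change."""
    first = datetime.fromtimestamp(attrs["first_submission_date"], timezone.utc)
    return now - first <= timedelta(days=window_days)


def is_signed(attrs):
    """True only when VT reports the signature as verified ("Signed..." string assumed)."""
    return attrs.get("signature_info", {}).get("verified", "").startswith("Signed")


def triage(attrs, now=NOW):
    """One-line summary of the Detection and Details tabs for the analyst."""
    malicious, total = detection_ratio(attrs)
    return {
        "reanalyse": needs_reanalysis(attrs, now),
        "detections": f"{malicious}/{total}",
        "confidence": detection_confidence(attrs),
        "label": popular_label(attrs),
        "age_days": age_days(attrs, now),
        "new_to_vt": new_to_vt(attrs, now),
        "signed": is_signed(attrs),
        "names": attrs.get("names", []),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ATTRIBUTES), indent=2))
```

Run it as-is to see the constructed sample triaged; to use it on a real hash, replace `SAMPLE_ATTRIBUTES` with `fetch_attributes(sha256, api_key)` and pass `now=datetime.now(timezone.utc)`.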

- Relations Tab:
- Contacted URLs/Domains/IP addresses: Lists the external domains and IPs the malware contacts. We can look them up in VT or Google this information for further leads.
- Execution Parents: Indicates the files that created the file being studied. This information can be useful for identifying the type of software. We can Google this information for further leads.
- Community Tab: Most of the comments are automated by security vendors, but you can also find comments from the community that can give you further information about the file. You can also find links to external sandboxes and articles.
- Behaviour Tab:
- Network Communication: HTTP requests, DNS resolutions, IP traffic. Very good indicators to verify in the Timeline or Advanced Hunting.
- Files dropped: Lists the files dropped/created by the file on the system. We look for unusual or suspicious files and folders. We can verify whether those exist on the system with Live Response or Advanced Hunting to confirm that the malware was executed; this information will also help us clean the machine. We can also Google this information for further leads and to identify the type of malware. We pay special attention to files created under the Startup folders, which indicate persistence:
C:\users\<Username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
- Registry Keys Set: This information is important for identifying whether persistence was created on the machine. We pay special attention to keys created under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Process and service actions: Lists the actions taken and processes created by the file. We look for unusual or suspicious commands, folders or files, and pay special attention to commands related to scheduled tasks and service creation, which indicate persistence.
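As an added example for the Behaviour Tab checks (not VirusTotal's code), the script below walks a behaviour summary and flags the persistence indicators listed above: drops into the Startup folders, values set under the Run/RunOnce keys, and commands that create scheduled tasks or services. It also collects the hostnames and IPs for the Timeline or Advanced Hunting. The summary layout is assumed to follow `GET https://www.virustotal.com/api/v3/files/{hash}/behaviour_summary` (`files_dropped`, `registry_keys_set`, `command_executions`, `processes_created`, `dns_lookups`, `ip_traffic`); the sample summary is constructed. The key matching goes slightly beyond the playbook list by also accepting the HKLM/HKCU short forms and the Wow6432Node branch.

```python
"""Flag persistence and collect network IOCs from a VirusTotal behaviour summary.

Example added to the playbook; not VirusTotal's code. Field names are an assumption
about the layout of GET /api/v3/files/{hash}/behaviour_summary; the sample is constructed."""
import re

# Startup folders and Run/RunOnce keys from the playbook; HKLM/HKCU short forms and the
# Wow6432Node branch are added as a generalisation
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKLM|HKCU)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.I)
# Command lines that create scheduled tasks or services
SCHEDULED_TASK = re.compile(r"\bschtasks(\.exe)?\b.*/create\b|\bRegister-ScheduledTask\b", re.I)
SERVICE_CREATE = re.compile(r"\bsc(\.exe)?\s+create\b|\bNew-Service\b", re.I)

# Constructed behaviour summary; every path, key, command and address is invented
SAMPLE_SUMMARY = {
    "files_dropped": [
        {"path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
        {"path": r"C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"},
    ],
    "registry_keys_set": [
        {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
         "value": r"C:\Users\user\AppData\Roaming\svc.exe"},
        {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache",
         "value": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache"},
    ],
    "command_executions": [
        r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\user\AppData\Roaming\svc.exe",
        "cmd /c whoami",
    ],
    "processes_created": [r"C:\Windows\System32\cmd.exe"],
    "dns_lookups": [{"hostname": "update.example.invalid", "resolved_ips": ["203.0.113.5"]}],
    "ip_traffic": [{"destination_ip": "203.0.113.5", "destination_port": 443,
                    "transport_layer_protocol": "TCP"}],
}


def find_persistence(summary):
    """Return [{technique, evidence}] for each persistence indicator the playbook lists."""
    findings = []
    for f in summary.get("files_dropped", []):
        if STARTUP_FOLDER.search(f.get("path", "")):
            findings.append({"technique": "startup_folder", "evidence": f["path"]})
    for r in summary.get("registry_keys_set", []):
        if RUN_KEY.search(r.get("key", "")):
            findings.append({"technique": "run_key",
                             "evidence": f"{r['key']} = {r.get('value', '')}"})
    commands = list(summary.get("command_executions", [])) + list(summary.get("processes_created", []))
    for c in commands:
        if SCHEDULED_TASK.search(c):
            findings.append({"technique": "scheduled_task", "evidence": c})
        elif SERVICE_CREATE.search(c):
            findings.append({"technique": "service", "evidence": c})
    return findings


def network_iocs(summary):
    """Hostnames and destination IPs seen in the sandbox run, deduplicated and sorted."""
    hosts = {d["hostname"] for d in summary.get("dns_lookups", []) if d.get("hostname")}
    ips = set()
    for d in summary.get("dns_lookups", []):
        ips.update(d.get("resolved_ips", []))
    for t in summary.get("ip_traffic", []):
        if t.get("destination_ip"):
            ips.add(t["destination_ip"])
    return {"hostnames": sorted(hosts), "ips": sorted(ips)}


def hunting_terms(summary):
    """Strings to search for in Live Response / Advanced Hunting: dropped file names and IOCs."""
    names = [f["path"].rsplit("\\", 1)[-1] for f in summary.get("files_dropped", []) if f.get("path")]
    iocs = network_iocs(summary)
    return sorted(set(names) | set(iocs["hostnames"]) | set(iocs["ips"]))


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_SUMMARY):
        print(f"[{finding['technique']}] {finding['evidence']}")
    print("IOCs:", network_iocs(SAMPLE_SUMMARY))
    print("Hunt for:", hunting_terms(SAMPLE_SUMMARY))
```

A hit from `find_persistence` tells you what to look for on the host; `hunting_terms` is the list to confirm against the endpoint before deciding the machine needs cleaning.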