
OrionMalware

This Integration is part of the OrionMalware Pack.

Supported versions

Supported Cortex XSOAR versions: 8.0.0 and later.

This is the Orion Malware integration. It analyzes hashes and files using static and dynamic analysis. This integration was integrated and tested with version 5.3.0 of OrionMalware.

Use Cases

  1. Detonate File with OrionMalware - static and dynamic analysis
  2. Search hash and retrieve indicators from OrionMalware

Configure OrionMalware in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL |  | True |
| API Key |  | True |
| Use system proxy settings |  | False |
| Trust any certificate (not secure) |  | False |
| Source Reliability | Reliability of the source providing intelligence data | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

hash-scan

Checks a hash value against the Orion Malware database.

Base Command

hash-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | Hash to look up; supports MD5, SHA1 and SHA256. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Orion.File.antivirus.antivirus_name | string | Name of the antivirus engine |
| Orion.File.antivirus.threat_name | string | Threat name reported by the antivirus engine |
| Orion.File.end_analysis | date | End time of the analysis |
| Orion.File.first_submission | date | Time of first submission |
| Orion.File.identification.filename | string | Filename of the file corresponding to the hash |
| Orion.File.identification.md5 | string | MD5 hash of the file |
| Orion.File.identification.sha1 | string | SHA1 hash of the file |
| Orion.File.identification.sha256 | string | SHA256 hash of the file |
| Orion.File.identification.size | number | Size in bytes |
| Orion.File.identification.type | string | File type |
| Orion.File.last_updated | date | Time of last update |
| Orion.File.matched_mitre_attacks.description | string | MITRE ATT&CK technique description |
| Orion.File.matched_mitre_attacks.id | string | MITRE ATT&CK technique ID |
| Orion.File.matched_mitre_attacks.kill_chain_phases | unknown | MITRE ATT&CK tactics (kill chain phases) |
| Orion.File.matched_mitre_attacks.name | string | Technique name |
| Orion.File.networks.address | string | Network address observed during analysis |
| Orion.File.payloads | unknown | Payloads |
| Orion.File.risk.dynamic.descriptions.files | unknown | Dynamic analysis: file findings |
| Orion.File.risk.dynamic.descriptions.network | unknown | Dynamic analysis: network findings |
| Orion.File.risk.dynamic.descriptions.persistence | unknown | Dynamic analysis: persistence findings |
| Orion.File.risk.dynamic.descriptions.processes | unknown | Dynamic analysis: process findings |
| Orion.File.risk.dynamic.descriptions.system | unknown | Dynamic analysis: system findings |
| Orion.File.risk.dynamic.scores | unknown | Dynamic risk scores per category |
| Orion.File.risk.level | string | Risk level |
| Orion.File.risk.scanner.descriptions.system | unknown | Static analysis: system findings |
| Orion.File.risk.scanner.descriptions.processes | unknown | Static analysis: process findings |
| Orion.File.risk.scanner.descriptions.persistence | unknown | Static analysis: persistence findings |
| Orion.File.risk.scanner.descriptions.files | unknown | Static analysis: file findings |
| Orion.File.risk.scanner.descriptions.network | unknown | Static analysis: network findings |
| Orion.File.risk.scanner.scores | unknown | Static risk scores per category |
| Orion.File.rules | unknown | Matched rules |
| Orion.File.start_analysis | date | Start time of the analysis |
| File.MD5 | string | Bad MD5 hash |
| File.SHA1 | string | Bad SHA1 hash |
| File.SHA256 | string | Bad SHA256 hash |
| File.Orion.EngineDetections | string | Number of engines that flagged the file as malicious |
| File.Orion.EngineVendors | string | Engines that flagged the file |
| File.Orion.EngineDetectionNames | string | Threat names reported by the engines |
| IP.Address | string | IP linked to the hash |
| Orion.IP.Address | string | IP linked to the hash |
| File.Relationships.EntityA | string | Source of the relationship |
| File.Relationships.EntityB | string | Destination of the relationship |
| File.Relationships.EntityAType | string | Source type of the relationship |
| File.Relationships.EntityBType | string | Destination type of the relationship |
| File.Relationships.Relationship | string | Kind of relation |
| Orion.File.report_url | string | Report URL |
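
The following is an added example, not code from the OrionMalware integration itself. It shows how a playbook author might consume the Orion.File context documented above: validating the file_hash argument against the three accepted digest types, deriving the File.Orion.* engine fields from the antivirus list, mapping Orion.File.risk.level to a DBotScore, and splitting Orion.File.networks addresses into IP and domain indicators while dropping the sandbox placeholders (such as <honeypot-dns> and <host-gateway>) that appear in the context example further down. The sample data is constructed from the shape of that example; the 10.0.0.5 address and the High/Medium score rows are assumptions not taken from the page.

```python
import re
from ipaddress import ip_address

# Constructed sample shaped like the Orion.File context shown on this page (antivirus and
# networks lists shortened). The 10.0.0.5 entry is constructed to show the IP/domain split;
# the page's own output contains only domains and sandbox placeholders.
SAMPLE_ORION_FILE = {
    "antivirus": [
        {"antivirus_name": "Ahnlab", "threat_name": "Trojan/Win32.Cerber.R198077"},
        {"antivirus_name": "Avast", "threat_name": "Win32:Filecoder-AC [Trj]"},
        {"antivirus_name": "Eset", "threat_name": "a variant of Win32/Kryptik.BBZ trojan"},
    ],
    "networks": [
        {"address": "<honeypot-ip>"},
        {"address": "api.blockcypher.com"},
        {"address": "<host-gateway>"},
        {"address": "btc.blockr.io"},
        {"address": "api.blockcypher.com"},
        {"address": "10.0.0.5"},
    ],
    "risk": {"level": "Severe"},
}

# Accepted digest lengths (in hex characters) for the file_hash argument.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_type(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of an accepted length, else None."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_LENGTHS.get(len(value))


# Severe -> 3 and Low -> 1 are taken from the two context examples on this page;
# the High and Medium rows are assumptions for levels the page does not show.
RISK_TO_SCORE = {"Severe": 3, "High": 3, "Medium": 2, "Low": 1}


def dbot_score(orion_file):
    """Map Orion.File.risk.level to a DBotScore (0 when the level is unknown or missing)."""
    level = (orion_file.get("risk") or {}).get("level")
    return RISK_TO_SCORE.get(level, 0)


def engine_summary(orion_file):
    """Derive the File.Orion.* fields from the antivirus list (None lists when nothing hit)."""
    hits = orion_file.get("antivirus") or []
    return {
        "EngineDetections": len(hits),
        "EngineVendors": [h["antivirus_name"] for h in hits] or None,
        "EngineDetectionNames": [h["threat_name"] for h in hits] or None,
    }


# Sandbox-side placeholders such as <honeypot-dns> or <host-gateway> are not real indicators.
PLACEHOLDER = re.compile(r"^<[^<>]+>$")


def network_indicators(orion_file):
    """Split Orion.File.networks addresses into IPs and domains, dropping placeholders and duplicates."""
    ips, domains, seen = [], [], set()
    for entry in orion_file.get("networks") or []:
        addr = (entry.get("address") or "").strip()
        if not addr or addr in seen or PLACEHOLDER.match(addr):
            continue
        seen.add(addr)
        try:
            ip_address(addr)
            ips.append(addr)
        except ValueError:
            domains.append(addr)
    return {"ips": ips, "domains": domains}


if __name__ == "__main__":
    print(hash_type("765DB004261F6CF2E5E42248D6831044"))
    print(dbot_score(SAMPLE_ORION_FILE), engine_summary(SAMPLE_ORION_FILE))
    print(network_indicators(SAMPLE_ORION_FILE))
```

The placeholder filter matters in practice: the context example below lists several <honeypot-*> and <host-*> entries under networks, and creating IP or domain indicators from them would pollute the indicator store with sandbox infrastructure rather than attacker infrastructure.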

Command example

!hash-scan file_hash="765DB004261F6CF2E5E42248D6831044"

Context Example

{
"DBotScore": {
"Indicator": "765db004261f6cf2e5e42248d6831044",
"Reliability": "C - Fairly reliable",
"Score": 3,
"Type": "file",
"Vendor": "OrionMalware"
},
"File": {
"Hashes": [
{
"type": "MD5",
"value": "765db004261f6cf2e5e42248d6831044"
},
{
"type": "SHA1",
"value": "b63c68b194bd7142e6503dce3324ee29d5fa3173"
},
{
"type": "SHA256",
"value": "35b817d542dd8ac9f51336b908331f0a9192c666cf7c95f5063d7eec3400301b"
}
],
"MD5": "765db004261f6cf2e5e42248d6831044",
"Malicious": {
"Description": "test",
"Vendor": "OrionMalware"
},
"Name": "cerber_ransomware.exe",
"Orion": {
"EngineDetectionNames": [
"Trojan/Win32.Cerber.R198077",
"Win32:Filecoder-AC [Trj]",
"HEUR/AGEN.1335485",
"virus Trojan.GenericKDZ.38616",
"a variant of Win32/Kryptik.BBZ trojan"
],
"EngineDetections": 5,
"EngineVendors": [
"Ahnlab",
"Avast",
"Avira",
"Bitdefender",
"Eset"
]
},
"SHA1": "b63c68b194bd7142e6503dce3324ee29d5fa3173",
"SHA256": "35b817d542dd8ac9f51336b908331f0a9192c666cf7c95f5063d7eec3400301b",
"Size": 273065,
"Type": "PE32 executable (GUI) Intel 80386, for MS Windows"
},
"Orion": {
"File": {
"antivirus": [
{
"antivirus_name": "Ahnlab",
"threat_name": "Trojan/Win32.Cerber.R198077"
},
{
"antivirus_name": "Avast",
"threat_name": "Win32:Filecoder-AC [Trj]"
},
{
"antivirus_name": "Avira",
"threat_name": "HEUR/AGEN.1335485"
},
{
"antivirus_name": "Bitdefender",
"threat_name": "virus Trojan.GenericKDZ.38616"
},
{
"antivirus_name": "Eset",
"threat_name": "a variant of Win32/Kryptik.BBZ trojan"
}
],
"end_analysis": "2025-11-21T14:59:16.810000Z",
"first_submission": "2025-11-21T14:56:13.544000Z",
"identification": {
"filename": "cerber_ransomware.exe",
"filenames": [
"cerber_ransomware.exe"
],
"md5": "765db004261f6cf2e5e42248d6831044",
"sha1": "b63c68b194bd7142e6503dce3324ee29d5fa3173",
"sha256": "35b817d542dd8ac9f51336b908331f0a9192c666cf7c95f5063d7eec3400301b",
"size": 273065,
"type": "PE32 executable (GUI) Intel 80386, for MS Windows"
},
"last_updated": "2025-11-21T14:59:16.810000Z",
"matched_mitre_attacks": [
{
"description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\\Windows\\System32\\Drivers\\etc\\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.\n\nWithin IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API and a <code>describe-instances</code> command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project, and Azure's CLI <code>az vm list</code> lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)",
"id": "T1018",
"kill_chain_phases": [
"discovery"
],
"name": "Remote System Discovery"
},
{
"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.",
"id": "T1046",
"kill_chain_phases": [
"discovery"
],
"name": "Network Service Scanning"
},
{
"description": "Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)",
"id": "T1047",
"kill_chain_phases": [
"execution"
],
"name": "Windows Management Instrumentation"
},
{
"description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell (<code>cmd.exe</code>) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. \n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage <code>cmd.exe</code> to execute various commands and payloads. Common uses include <code>cmd.exe /c</code> to execute a single command, or abusing <code>cmd.exe</code> interactively with input and output forwarded over a command and control channel.",
"id": "T1059.003",
"kill_chain_phases": [
"execution"
],
"name": "Windows Command Shell"
},
{
"description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)",
"id": "T1070.004",
"kill_chain_phases": [
"defense-evasion"
],
"name": "File Deletion"
},
{
"description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.",
"id": "T1112",
"kill_chain_phases": [
"defense-evasion"
],
"name": "Modify Registry"
},
{
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.",
"id": "T1119",
"kill_chain_phases": [
"collection"
],
"name": "Automated Collection"
},
{
"description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)",
"id": "T1485",
"kill_chain_phases": [
"impact"
],
"name": "Data Destruction"
},
{
"description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)",
"id": "T1486",
"kill_chain_phases": [
"impact"
],
"name": "Data Encrypted for Impact"
},
{
"description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. \n\nSpecific checks may will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as uptime and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)",
"id": "T1497.001",
"kill_chain_phases": [
"defense-evasion",
"discovery"
],
"name": "System Checks"
},
{
"description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.",
"id": "T1507",
"kill_chain_phases": [
"collection"
],
"name": "Network Information Discovery"
},
{
"description": "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.",
"id": "T1562.001",
"kill_chain_phases": [
"defense-evasion"
],
"name": "Disable or Modify Tools"
},
{
"description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ",
"id": "T1562.004",
"kill_chain_phases": [
"defense-evasion"
],
"name": "Disable or Modify System Firewall"
}
],
"networks": [
{
"address": "<honeypot-ip>"
},
{
"address": "<honeypot-dns>"
},
{
"address": "<honeypot-dns>"
},
{
"address": "<honeypot-ip>"
},
{
"address": "api.blockcypher.com"
},
{
"address": "btc.blockr.io"
},
{
"address": "<honeypot-dns>"
},
{
"address": "<host-gateway>"
},
{
"address": "<honeypot-dns>"
},
{
"address": "<host-gateway>"
},
{
"address": "<host-ip>"
},
{
"address": "<honeypot-dns>"
},
{
"address": "<host-gateway>"
},
{
"address": "<honeypot-dns>"
},
{
"address": "<host-gateway>"
},
{
"address": "<honeypot-dns>"
},
{
"address": "<honeypot-dns>"
},
{
"address": "bitaps.com"
},
{
"address": "chain.so"
}
],
"payloads": null,
"report_url": "https://orion.cyberrange.cloud/report/file/69207d8df82206b2dc0b1237",
"risk": {
"dynamic": {
"descriptions": {
"files": [
"Attempts to access Bitcoin/ALTCoin wallets (Possible Stealer behaviour)",
"Read local Internet browser settings",
"User's personal files were encrypted during the analysis (Possible Ransomware behaviour)",
"Use PendingFileRenameOperations Registry to Automatically Delete a File On Reboot",
"Deletes itself (Potential anti-forensic behavior)",
"Drops ransom message during analysis (Possible Ransomware behaviour)",
"User's personal files were renamed during the analysis (Possible Ransomware behaviour)"
],
"network": [
"Suspicious network IP scanning",
"Performs DNS Request",
"Get servers information",
"Uses domain names associated with bitcoin or crypto-money",
"Network communications on non usual port"
],
"persistence": [
"May change file associations for some file extension"
],
"processes": [
"Executes previously created file(s)",
"Creates processes",
"Executes commands through cmd.exe",
"Uses ping.exe to check the status of other devices and networks",
"Kills process(es) during the analysis"
],
"system": [
"Modifies firewall configuration (netsh.exe)",
"Uses CPUID instruction to detect Virtual Machine usage",
"Enumerate security software through WMI",
"Modifies network config via netsh.exe",
"Replaces Desktop Wallpaper (possible ransomware behaviour)",
"WMI activities"
]
},
"scores": [
[
"files",
100
],
[
"processes",
90
],
[
"network",
90
],
[
"persistence",
60
],
[
"system",
90
]
]
},
"level": "Severe",
"scanner": {
"descriptions": {
"files": [
"Decrypts and check of the data",
"Performs encryption on the data"
],
"network": null,
"persistence": null,
"processes": [
"File may be packed (very low or high sections entropies)",
"Loads the specified module into the address space of the calling process"
],
"system": null
},
"scores": [
[
"files",
4
],
[
"processes",
14
],
[
"network",
0
],
[
"persistence",
0
],
[
"system",
0
]
]
}
},
"rules": null,
"start_analysis": "2025-11-21T14:56:13.773000Z",
"tasks_tree": {
"filename": "cerber_ransomware.exe",
"payloads": null,
"report_id": "69207d8df82206b2dc0b1237",
"risk": "Severe",
"warnings": null
},
"threat_analysis": [
{
"engine_name": "Ahnlab",
"engine_type": "antivirus",
"threat_name": "Trojan/Win32.Cerber.R198077"
},
{
"engine_name": "Avast",
"engine_type": "antivirus",
"threat_name": "Win32:Filecoder-AC [Trj]"
},
{
"engine_name": "Avira",
"engine_type": "antivirus",
"threat_name": "HEUR/AGEN.1335485"
},
{
"engine_name": "Bitdefender",
"engine_type": "antivirus",
"threat_name": "virus Trojan.GenericKDZ.38616"
},
{
"engine_name": "Eset",
"engine_type": "antivirus",
"threat_name": "a variant of Win32/Kryptik.BBZ trojan"
}
],
"warning_codes": null
}
}
}

Human Readable Output

Metrics reported successfully.

file-scan

Detonates a file in Orion Malware.

Base Command

file-scan

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entryID | Entry ID of the file to submit. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Orion.File.antivirus.antivirus_name | string | Name of the antivirus engine |
| Orion.File.antivirus.threat_name | string | Threat name reported by the antivirus engine |
| Orion.File.end_analysis | date | End time of the analysis |
| Orion.File.first_submission | date | Time of first submission |
| Orion.File.identification.filename | string | Filename of the file corresponding to the hash |
| Orion.File.identification.md5 | string | MD5 hash of the file |
| Orion.File.identification.sha1 | string | SHA1 hash of the file |
| Orion.File.identification.sha256 | string | SHA256 hash of the file |
| Orion.File.identification.size | number | Size in bytes |
| Orion.File.identification.type | string | File type |
| Orion.File.last_updated | date | Time of last update |
| Orion.File.matched_mitre_attacks.description | string | MITRE ATT&CK technique description |
| Orion.File.matched_mitre_attacks.id | string | MITRE ATT&CK technique ID |
| Orion.File.matched_mitre_attacks.kill_chain_phases | unknown | MITRE ATT&CK tactics (kill chain phases) |
| Orion.File.matched_mitre_attacks.name | string | Technique name |
| Orion.File.networks.address | string | Network address observed during analysis |
| Orion.File.payloads | unknown | Payloads |
| Orion.File.risk.dynamic.descriptions.files | unknown | Dynamic analysis: file findings |
| Orion.File.risk.dynamic.descriptions.network | unknown | Dynamic analysis: network findings |
| Orion.File.risk.dynamic.descriptions.persistence | unknown | Dynamic analysis: persistence findings |
| Orion.File.risk.dynamic.descriptions.processes | unknown | Dynamic analysis: process findings |
| Orion.File.risk.dynamic.descriptions.system | unknown | Dynamic analysis: system findings |
| Orion.File.risk.dynamic.scores | unknown | Dynamic risk scores per category |
| Orion.File.risk.level | string | Risk level |
| Orion.File.risk.scanner.descriptions.system | unknown | Static analysis: system findings |
| Orion.File.risk.scanner.descriptions.processes | unknown | Static analysis: process findings |
| Orion.File.risk.scanner.descriptions.persistence | unknown | Static analysis: persistence findings |
| Orion.File.risk.scanner.descriptions.files | unknown | Static analysis: file findings |
| Orion.File.risk.scanner.descriptions.network | unknown | Static analysis: network findings |
| Orion.File.risk.scanner.scores | unknown | Static risk scores per category |
| Orion.File.rules | unknown | Matched rules |
| Orion.File.start_analysis | date | Start time of the analysis |
| File.MD5 | string | Bad MD5 hash |
| File.SHA1 | string | Bad SHA1 hash |
| File.SHA256 | string | Bad SHA256 hash |
| File.Orion.EngineDetections | string | Number of engines that flagged the file as malicious |
| File.Orion.EngineVendors | string | Engines that flagged the file |
| File.Orion.EngineDetectionNames | string | Threat names reported by the engines |
| IP.Address | string | IP linked to the hash |
| Orion.IP.Address | string | IP linked to the hash |
| File.Relationships.EntityA | string | Source of the relationship |
| File.Relationships.EntityB | string | Destination of the relationship |
| File.Relationships.EntityAType | string | Source type of the relationship |
| File.Relationships.EntityBType | string | Destination type of the relationship |
| File.Relationships.Relationship | string | Kind of relation |
| Orion.File.report_url | string | Report URL |

Command example

!file-scan entryID="n6yXmHmQ8Pn2MAzpgocuRN@4103b4f7-d3a7-402d-8cb0-0d76f10e3ff4"

Context Example

{
"DBotScore": {
"Indicator": "4ee01367e881096807af2e600c072a85",
"Reliability": "C - Fairly reliable",
"Score": 1,
"Type": "file",
"Vendor": "OrionMalware"
},
"File": {
"Hashes": [
{
"type": "MD5",
"value": "4ee01367e881096807af2e600c072a85"
},
{
"type": "SHA1",
"value": "3da8c638fc62de3e6ecdb78ec7f6bdc5ab0607ae"
},
{
"type": "SHA256",
"value": "befb7ec888c2b29690fdc7114b5a8e9f9ee813b84edd1a8eb770185f113938d1"
}
],
"MD5": "4ee01367e881096807af2e600c072a85",
"Name": "OrionMalware.zip",
"Orion": {
"EngineDetectionNames": null,
"EngineDetections": 0,
"EngineVendors": null
},
"SHA1": "3da8c638fc62de3e6ecdb78ec7f6bdc5ab0607ae",
"SHA256": "befb7ec888c2b29690fdc7114b5a8e9f9ee813b84edd1a8eb770185f113938d1",
"Size": 20415,
"Type": "Zip archive data, at least v2.0 to extract, compression method=store"
},
"Orion": {
"File": {
"antivirus": null,
"end_analysis": "2025-12-08T15:23:51.178000Z",
"first_submission": "2025-12-08T15:21:34.364000Z",
"identification": {
"filename": "OrionMalware.zip",
"filenames": [
"OrionMalware.zip"
],
"md5": "4ee01367e881096807af2e600c072a85",
"sha1": "3da8c638fc62de3e6ecdb78ec7f6bdc5ab0607ae",
"sha256": "befb7ec888c2b29690fdc7114b5a8e9f9ee813b84edd1a8eb770185f113938d1",
"size": 20415,
"type": "Zip archive data, at least v2.0 to extract, compression method=store"
},
"last_updated": "2025-12-08T15:23:51.178000Z",
"matched_mitre_attacks": null,
"networks": null,
"payloads": [
"6936ecff9b44441723da0e66",
"6936ecff9b44441723da0e68",
"6936ecff9b44441723da0e6a",
"6936ecff9b44441723da0e6c",
"6936ecff9b44441723da0e6e",
"6936ecff9b44441723da0e70",
"6936ecff9b44441723da0e72",
"6936ecff9b44441723da0e74",
"6936ecff9b44441723da0e76"
],
"report_url": "https://orion.cyberrange.cloud/report/file/6936ecfe4670537131537d9e",
"risk": {
"dynamic": {
"descriptions": {
"files": null,
"network": null,
"persistence": null,
"processes": null,
"system": null
},
"scores": [
[
"files",
0
],
[
"processes",
0
],
[
"network",
0
],
[
"persistence",
0
],
[
"system",
0
]
]
},
"level": "Low",
"scanner": {
"descriptions": {
"files": null,
"network": null,
"persistence": null,
"processes": null,
"system": null
},
"scores": [
[
"files",
0
],
[
"processes",
0
],
[
"network",
0
],
[
"persistence",
0
],
[
"system",
0
]
]
}
},
"rules": null,
"start_analysis": "2025-12-08T15:21:34.604000Z",
"tasks_tree": {
"filename": "OrionMalware.zip",
"payloads": [
{
"filename": "README.md",
"payloads": null,
"report_id": "6936ecff9b44441723da0e66",
"risk": "Low",
"warnings": [
102,
202,
250
]
},
{
"filename": "pack_metadata.json",
"payloads": null,
"report_id": "6936ecff9b44441723da0e68",
"risk": "Low",
"warnings": [
102,
202,
250
]
},
{
"filename": "metadata.json",
"payloads": null,
"report_id": "6936ecff9b44441723da0e6a",
"risk": "Low",
"warnings": [
202,
102,
250
]
},
{
"filename": "Playbooks/playbook-File_Enrichment_-_OrionMalware.yml",
"payloads": null,
"report_id": "6936ecff9b44441723da0e6c",
"risk": "Low",
"warnings": [
202,
102,
250
]
},
{
"filename": "Playbooks/playbook-Detonate_File_-_OrionMalware.yml",
"payloads": null,
"report_id": "6936ecff9b44441723da0e6e",
"risk": "Low",
"warnings": [
102,
202,
250
]
},
{
"filename": "IndicatorFields/incidentfield-indicatorfield-Orion_Engine_Detection_Names.json",
"payloads": null,
"report_id": "6936ecff9b44441723da0e70",
"risk": "Low",
"warnings": [
202,
102,
250
]
},
{
"filename": "IndicatorFields/incidentfield-indicatorfield-Orion_Engine_Detections.json",
"payloads": null,
"report_id": "6936ecff9b44441723da0e72",
"risk": "Low",
"warnings": [
202,
102,
250
]
},
{
"filename": "IndicatorFields/incidentfield-indicatorfield-Orion_Engine_Vendors.json",
"payloads": null,
"report_id": "6936ecff9b44441723da0e74",
"risk": "Low",
"warnings": [
202,
102,
250
]
},
{
"filename": "Integrations/integration-OrionMalware.yml",
"payloads": null,
"report_id": "6936ecff9b44441723da0e76",
"risk": "Low",
"warnings": [
102,
201,
250
]
}
],
"report_id": "6936ecfe4670537131537d9e",
"risk": "Low",
"warnings": [
202,
301,
250
]
},
"threat_analysis": null,
"warning_codes": [
{
"code": 202,
"data": {}
},
{
"code": 301,
"data": {}
},
{
"code": 250,
"data": {}
}
]
}
}
}
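
The file-scan context above shows what happens when an archive is detonated: the archive itself is reported as Low, while each extracted file appears as a separate entry under tasks_tree.payloads with its own report_id, risk and warning codes. A playbook that only reads the top-level DBotScore would miss a malicious payload inside a benign-looking archive. The following is an added example, not code from the integration, that walks tasks_tree recursively and rolls the nested reports up. The sample tree is constructed from the shape of the page's example; the nested inner.zip level, the Medium risk level, the risk ordering and the report_id values are assumptions, since the page shows only one level of payloads and only the Low and Severe levels.

```python
# Constructed tasks_tree shaped like the file-scan context example on this page: the archive is
# the root and each extracted file is a payload carrying its own report_id, risk and warnings.
# The nested inner.zip level, the Medium level and the report_id values are constructed.
SAMPLE_TASKS_TREE = {
    "filename": "OrionMalware.zip",
    "report_id": "root-report-id",
    "risk": "Low",
    "warnings": [202, 301, 250],
    "payloads": [
        {"filename": "README.md", "report_id": "payload-1", "risk": "Low",
         "warnings": [102, 202, 250], "payloads": None},
        {"filename": "inner.zip", "report_id": "payload-2", "risk": "Medium", "warnings": None,
         "payloads": [
             {"filename": "dropper.exe", "report_id": "payload-3", "risk": "Severe",
              "warnings": [250], "payloads": None},
         ]},
    ],
}

# Assumed ordering of risk levels; the page shows only Low and Severe.
RISK_RANK = {"Low": 1, "Medium": 2, "High": 3, "Severe": 4}


def walk(node, path=()):
    """Yield (path, node) for the root and every nested payload, depth first."""
    path = path + (node.get("filename") or "?",)
    yield path, node
    for child in node.get("payloads") or []:
        yield from walk(child, path)


def flatten_reports(tree):
    """One row per report in the tree, with the archive path that leads to it."""
    return [
        {"path": "/".join(path), "report_id": node.get("report_id"), "risk": node.get("risk")}
        for path, node in walk(tree)
    ]


def worst_risk(tree):
    """Highest risk level anywhere in the tree; the root's own level may be lower."""
    worst = None
    for _, node in walk(tree):
        level = node.get("risk")
        if level in RISK_RANK and (worst is None or RISK_RANK[level] > RISK_RANK[worst]):
            worst = level
    return worst


def warning_histogram(tree):
    """Count each warning code across the whole tree (codes are opaque integers here)."""
    counts = {}
    for _, node in walk(tree):
        for code in node.get("warnings") or []:
            counts[code] = counts.get(code, 0) + 1
    return counts


def report_url(base_url, report_id):
    """Build a report link in the shape of the report_url field shown on this page."""
    return f"{base_url.rstrip('/')}/report/file/{report_id}"


if __name__ == "__main__":
    for row in flatten_reports(SAMPLE_TASKS_TREE):
        print(row["risk"], row["path"], report_url("https://orion.example", row["report_id"]))
    print("worst:", worst_risk(SAMPLE_TASKS_TREE), "warnings:", warning_histogram(SAMPLE_TASKS_TREE))
```

Using worst_risk rather than the root's risk as the verdict input is the practical point: in the page's example every payload has a report_id that can be followed through report_url, and the nested reports are where the interesting findings would be.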

Human Readable Output

Metrics reported successfully.