Dynamic Malware Analysis with ProcDOT
ProcDOT is primarily a visualization tool: it takes a ProcMon CSV export and a Wireshark PCAP, correlates the two, and renders the events that occur when a program is executed as a Graphviz graph of processes, files, registry keys and network endpoints. This gives the analyst a single picture of system and network activity and makes it much easier to understand what happened during execution than reading the two logs side by side.
Here’s a sample of how ProcDOT is used:
Once both files are loaded (the ProcMon CSV log and the PCAP file), we look for an interesting process to continue the analysis. Note that ProcDOT is picky about the ProcMon export: the log must be saved as CSV with the Thread ID column enabled and with "Show Resolved Network Addresses" switched off, otherwise the import fails or network endpoints are not matched.
Here, we select one of the “powershell.exe” processes.
We can see that this PowerShell process was used to download a file from ‘raw.githubusecontent.com’. The hostname itself comes from the DNS traffic in the PCAP, which ProcDOT matches against the raw IP:port endpoints recorded by ProcMon. Identifying this network communication by hand in ProcMon and Wireshark would take noticeably longer; ProcDOT does the correlation for us and reveals the connection as soon as the process is selected.
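To make the correlation that ProcDOT performs concrete, here is an added example (not code from the page or from the ProcDOT project) that reproduces the core of it in Python: it parses a ProcMon CSV export, follows the selected process and the children it spawns via Process Create, and turns network, file-write and process-creation events into edges of a DOT graph. The CSV content is constructed for illustration (documentation IP ranges, invented PIDs and paths), and the function names and the set of operations mapped to edges are assumptions of this example rather than ProcDOT's actual logic; the PCAP/DNS side is left out.

```python
"""Build a ProcDOT-style graph from a ProcMon CSV export (added example)."""
import csv
import io
import re
from collections import deque

# Constructed ProcMon CSV export, not a real capture. Columns are the ones
# ProcDOT consumes: ProcMon's defaults plus "TID" (Thread ID). Network paths
# carry raw IP:port pairs because "Show Resolved Network Addresses" is off.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","TID","Operation","Path","Result","Detail"
"10:15:01.0001","explorer.exe","1234","1300","Process Create","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","SUCCESS","PID: 4321, Command line: powershell.exe -nop -w hidden"
"10:15:01.0210","powershell.exe","4321","4330","UDP Send","192.0.2.10:63333 -> 192.0.2.1:53","SUCCESS","Length: 47"
"10:15:01.0450","powershell.exe","4321","4330","TCP Connect","192.0.2.10:49876 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460"
"10:15:01.3000","powershell.exe","4321","4330","WriteFile","C:\Users\victim\AppData\Local\Temp\update.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:15:02.0000","powershell.exe","4321","4330","Process Create","C:\Users\victim\AppData\Local\Temp\update.exe","SUCCESS","PID: 5555, Command line: update.exe"
"10:15:02.0500","update.exe","5555","5560","TCP Connect","192.0.2.10:49877 -> 203.0.113.20:8443","SUCCESS","Length: 0, mss: 1460"
"10:15:02.0100","svchost.exe","900","910","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion","SUCCESS","Type: REG_SZ"
'''

NETWORK_OPS = ("TCP ", "UDP ")            # ProcMon network operation prefixes
PID_RE = re.compile(r"PID:\s*(\d+)")      # child PID inside a Process Create Detail


def parse_procmon_csv(text):
    """Return the rows of a ProcMon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events, root_pid):
    """Return root_pid plus every descendant PID spawned via 'Process Create'."""
    children = {}
    for ev in events:
        if ev["Operation"] == "Process Create":
            m = PID_RE.search(ev["Detail"])
            if m:
                children.setdefault(ev["PID"], []).append(m.group(1))
    seen, queue = set(), deque([str(root_pid)])
    while queue:
        pid = queue.popleft()
        if pid in seen:
            continue
        seen.add(pid)
        queue.extend(children.get(pid, []))
    return seen


def build_edges(events, root_pid):
    """(source, operation, target) edges for the selected process and its children.

    Only the event types a ProcDOT-style graph shows as edges are kept:
    network sends/connects (target = remote endpoint), file writes (target =
    path) and process creation (target = child image name and PID).
    """
    tree = process_tree(events, root_pid)
    edges, seen = [], set()
    for ev in events:
        if ev["PID"] not in tree:
            continue                      # event belongs to an unrelated process
        src = f'{ev["Process Name"]} ({ev["PID"]})'
        op = ev["Operation"]
        if op.startswith(NETWORK_OPS):
            dst = ev["Path"].split(" -> ")[-1]     # remote side of "local -> remote"
        elif op == "WriteFile":
            dst = ev["Path"]
        elif op == "Process Create":
            child_pid = PID_RE.search(ev["Detail"]).group(1)
            image = ev["Path"].rsplit("\\", 1)[-1]
            dst = f"{image} ({child_pid})"
        else:
            continue
        edge = (src, op, dst)
        if edge not in seen:              # collapse repeated identical events
            seen.add(edge)
            edges.append(edge)
    return edges


def network_destinations(edges):
    """Set of remote endpoints the process tree talked to."""
    return {dst for _, op, dst in edges if op.startswith(NETWORK_OPS)}


def to_dot(edges):
    """Render the edges as a Graphviz DOT digraph (what ProcDOT hands to dot)."""
    def q(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    lines = ["digraph procdot_like {", "  rankdir=LR;"]
    for src, op, dst in edges:
        lines.append(f"  {q(src)} -> {q(dst)} [label={q(op)}];")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_edges(parse_procmon_csv(SAMPLE_CSV), 4321)))
```

Selecting PID 4321 here plays the role of clicking the powershell.exe node in ProcDOT: the unrelated svchost.exe event disappears, and the DNS query, the HTTPS connection, the dropped file and the child process it spawns come out as one connected chain that can be piped straight into `dot -Tpng`.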