Malware analysis Dark DDoser 5.6.7z Malicious activity

Add for printing

File name:	Dark DDoser 5.6.7z
Full analysis:	https://app.any.run/tasks/a2dbeb60-1832-4304-a233-a9ec16d9c697
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	August 03, 2024, 11:28:34
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	covid19 adware evasion upx crypto-regex
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	CADB6745ACD942FC5CA18CE47C3812E5
SHA1:	515900157F142014F16378A636CF2221B4737BA0
SHA256:	9211048FAC48E4099BB134C58E838F00F014CE9C5F217CE20800430E4DDE09E3
SSDEEP:	98304:eFdd0jgHubd5iZg5ky1+Wm/4+F+xVTfLvSFrRQ8GjTNurf7H5RrBLG5Na5Zv/P6r:Fr0Rci6bkngI3WVG0hUS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - Launcher.exe (PID: 2476)
- Changes the autorun value in the registry
  - Launcher.exe (PID: 2476)
- Drops the executable file immediately after the start
  - Launcher.exe (PID: 2476)
- Create files in the Startup directory
  - Launcher.exe (PID: 2476)
SUSPICIOUS
- Reads the date of Windows installation
  - DaRKDDoSeR.exe (PID: 1372)
  - Launcher.exe (PID: 2476)
  - Windows Services.exe (PID: 4576)
- Reads security settings of Internet Explorer
  - Launcher.exe (PID: 2476)
  - DaRKDDoSeR.exe (PID: 1372)
  - ddos.exe (PID: 4060)
  - Windows Services.exe (PID: 4576)
- Starts POWERSHELL.EXE for commands execution
  - Launcher.exe (PID: 2476)
- Script adds exclusion path to Windows Defender
  - Launcher.exe (PID: 2476)
- The process creates files with name similar to system file names
  - Launcher.exe (PID: 2476)
- Executable content was dropped or overwritten
  - Launcher.exe (PID: 2476)
- Executes application which crashes
  - ddos.exe (PID: 4060)
- Access to an unwanted program domain was detected
  - ddos.exe (PID: 4060)
- There is functionality for taking screenshot (YARA)
  - ddos.exe (PID: 4060)
- Found regular expressions for crypto-addresses (YARA)
  - Runtime Explorer.exe (PID: 5904)
- Checks for external IP
  - svchost.exe (PID: 2256)
INFO
- Drops a (possible) Coronavirus decoy
  - WinRAR.exe (PID: 5760)
- Process checks computer location settings
  - DaRKDDoSeR.exe (PID: 1372)
  - Launcher.exe (PID: 2476)
  - Windows Services.exe (PID: 4576)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5760)
- Manual execution by a user
  - DaRKDDoSeR.exe (PID: 1372)
- Reads the computer name
  - DaRKDDoSeR.exe (PID: 1372)
  - Launcher.exe (PID: 2476)
  - ddos.exe (PID: 4060)
  - Windows Services.exe (PID: 4576)
  - Secure System Shell.exe (PID: 904)
  - Runtime Explorer.exe (PID: 5904)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 5760)
- Checks supported languages
  - DaRKDDoSeR.exe (PID: 1372)
  - ddos.exe (PID: 4060)
  - Windows Services.exe (PID: 4576)
  - Secure System Shell.exe (PID: 904)
  - Runtime Explorer.exe (PID: 5904)
  - Launcher.exe (PID: 2476)
- Reads the machine GUID from the registry
  - DaRKDDoSeR.exe (PID: 1372)
  - Launcher.exe (PID: 2476)
  - Windows Services.exe (PID: 4576)
  - Secure System Shell.exe (PID: 904)
- Checks proxy server information
  - ddos.exe (PID: 4060)
- Creates files or folders in the user directory
  - Launcher.exe (PID: 2476)
  - WerFault.exe (PID: 6960)
- Create files in a temporary directory
  - Runtime Explorer.exe (PID: 5904)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 5920)
- Reads Environment values
  - Runtime Explorer.exe (PID: 5904)
- UPX packer has been detected
  - ddos.exe (PID: 4060)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 5920)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

904

"C:\Windows\IMF\Secure System Shell.exe"

C:\Windows\IMF\Secure System Shell.exe

—

Windows Services.exe

User:

admin

Integrity Level:

HIGH

Description:

Secure System Shell

Version:

1.0.0.0

Modules

Images
c:\windows\imf\secure system shell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1372

"C:\Users\admin\Desktop\DaRKDDoSeR.exe"

C:\Users\admin\Desktop\DaRKDDoSeR.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Launcher

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\darkddoser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2476

"C:\Users\admin\Desktop\plugin\Launcher.exe"

C:\Users\admin\Desktop\plugin\Launcher.exe

DaRKDDoSeR.exe

User:

admin

Integrity Level:

HIGH

Description:

Launcher

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\plugin\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

4060

"C:\Users\admin\Desktop\plugin\ddos.exe"

C:\Users\admin\Desktop\plugin\ddos.exe

DaRKDDoSeR.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\desktop\plugin\ddos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4576

"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}

C:\Windows\IMF\Windows Services.exe

—

Launcher.exe

User:

admin

Integrity Level:

HIGH

Description:

Windows Services

Version:

1.0.0.0

Modules

Images
c:\windows\imf\windows services.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

5760

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Dark DDoser 5.6.7z"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5904

"C:\Windows\IMF\Runtime Explorer.exe"

C:\Windows\IMF\Runtime Explorer.exe

Windows Services.exe

User:

admin

Company:

Microsoft Windows

Integrity Level:

HIGH

Version:

1.00

Modules

Images
c:\windows\imf\runtime explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

5920

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

Launcher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6960

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4060 -s 1752

C:\Windows\SysWOW64\WerFault.exe

—

ddos.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

18 783

Read events

18 706

Write events

Delete events

Modification events


(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Dark DDoser 5.6.7z
(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5760) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1372) DaRKDDoSeR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1372) DaRKDDoSeR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

272

Text files

197

Unknown types

Dropped files

PID	Process	Filename		Type
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\17.bmp		image
		MD5:9BB959376F1BAE76399C4C60C24CAF41	SHA256:5776303BDE22618D7A2BBB91D494A6B651A2518F680949B2A59EB77902D4D70A
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\2.bmp		image
		MD5:786643E8CF256C39059B1AB5BF1411B1	SHA256:76DF94F9E199FA03A027FDE2581050DF9D76C60D1614C709550DF10D55A2F6E0
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\1.bmp		image
		MD5:9AC03AA96F5EB5A6D7F044DC88D82AB6	SHA256:523A290DD6DD99736A274237CA990E44D51A63C36684495520310F0919187D47
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\14.bmp		image
		MD5:8261739FAA68F5C8A3F6A45EE45276FA	SHA256:211AD3E4F8D270858E9C0C410633E1880C94128E7DA278CC22196733BBC471CB
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\3.bmp		image
		MD5:4D8D2B52807027B43CA07D187D29BD61	SHA256:3090E3928FA23D296EA8322BB7EC152CFDDBF19009ECB6FDC1C9742C01E94F78
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\12.bmp		image
		MD5:91594D96ADAA27F4A484EB75BD220C2C	SHA256:BE037F3B33BABAE652926EDEE9F5E9F2999237CEE419484627C30D26DFF5146B
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\13.bmp		image
		MD5:B6DB286CA15CB80463FD1CD1629FE23A	SHA256:79137DE6A970BF6EE79516C70F86EAB315301BAB669DF3E2C793F316FBA5203A
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\8.bmp		image
		MD5:1D12B09EC2FCE0B67F94E2AA49542117	SHA256:126FB51131AC34F2A1874FAB354B2EC639989828A36C08732B1FD29BF331D5AC
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\11.bmp		image
		MD5:A8AE7C4A4A48ECA0A83F00D35BC6BC74	SHA256:D89EEA2415F3161BD8B1A3A4AD659E6496133D710A855886686790A26C261019
5760	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5760.36322\Backgrounds\Thumbs.db		binary
		MD5:1853AFD0B3710E3AD73D9970CB2419C7	SHA256:B431A5DEEA311BE1AE29CC381C9F311737EFD022475CF907289E820681941852

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
6628	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	US	binary	471 b	whitelisted
6664	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	US	binary	471 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	US	binary	314 b	whitelisted
4060	ddos.exe	GET	200	104.21.42.154:80	http://www.formyip.com/	unknown	html	2.95 Kb	malicious
4060	ddos.exe	GET	200	104.21.42.154:80	http://www.formyip.com/	unknown	html	2.95 Kb	malicious
4060	ddos.exe	GET	404	142.250.184.206:80	http://google.com/TOW/Beta/portal/?version&v=5	US	html	1.54 Kb	whitelisted
4060	ddos.exe	GET	404	142.250.184.206:80	http://google.com/TOW/Beta/portal/?info=TOW&info2=Foryouonly&v=5	US	html	1.54 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3208	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2536	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5336	SearchApp.exe	92.123.104.16:443	www.bing.com	Akamai International B.V.	DE	unknown
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.126.32.133:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
—	—	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	92.123.104.53:443	th.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.184.206	whitelisted
www.bing.com	92.123.104.16 92.123.104.13 92.123.104.14 92.123.104.6 92.123.104.12 92.123.104.65 92.123.104.4 92.123.104.10 92.123.104.5	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.133 20.190.160.20 40.126.32.136 20.190.160.17 20.190.160.14 40.126.32.138 40.126.32.76 20.190.160.22	whitelisted
th.bing.com	92.123.104.53 92.123.104.43 92.123.104.52 92.123.104.37 92.123.104.46 92.123.104.50 92.123.104.41 92.123.104.49 92.123.104.51	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted
arc.msn.com	20.74.47.205	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Device Retrieving External IP Address Detected	ET POLICY Observed IP Lookup Domain (formyip .com in DNS Lookup)
4060	ddos.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware
4060	ddos.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware
4060	ddos.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware
4060	ddos.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware

Add for printing

No debug info

General Info

Dark DDoser 5.6.7z

CADB6745ACD942FC5CA18CE47C3812E5

515900157F142014F16378A636CF2221B4737BA0

9211048FAC48E4099BB134C58E838F00F014CE9C5F217CE20800430E4DDE09E3

98304:eFdd0jgHubd5iZg5ky1+Wm/4+F+xVTfLvSFrRQ8GjTNurf7H5RrBLG5Na5Zv/P6r:Fr0Rci6bkngI3WVG0hUS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Changes the autorun value in the registry

Drops the executable file immediately after the start

Create files in the Startup directory

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Executes application which crashes

Access to an unwanted program domain was detected

There is functionality for taking screenshot (YARA)

Found regular expressions for crypto-addresses (YARA)

Checks for external IP

INFO

Drops a (possible) Coronavirus decoy

Process checks computer location settings

Executable content was dropped or overwritten

Manual execution by a user

Reads the computer name

Drops the executable file immediately after the start

Checks supported languages

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Create files in a temporary directory

Checks if a key exists in the options dictionary (POWERSHELL)

Reads Environment values

UPX packer has been detected

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests