Analysis

  • max time kernel
    53s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-11-2020 17:34

General

  • Target

    pow-setup-7.bin.exe

  • Size

    2.5MB

  • MD5

    b18ce3f7679f0078c58c3b8df4a589c1

  • SHA1

    e418d17d6dd411778ed6529559f75d851c5266cd

  • SHA256

    0c8ff856f752ba8ff7ae5039a893e854cdb57aaa788a8016c5bef9a85a30e13a

  • SHA512

    f0b044264e5cf928e833f1caf0daa9234aa5aad4888564c059c6216abc374e3e35d4430491a4539b1e3ad8c27998acaa9a61f7520fc0f077de1932e18b6d69d7

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pow-setup-7.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\pow-setup-7.bin.exe"
    1⤵
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Writes to the Master Boot Record (MBR)
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1804

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\nsc311F.tmp\Powzip.dll
    MD5

    ed4f0e6ac49f7ac5254a95ea7ae33dca

    SHA1

    0b1fcad48143a7f187bc233b6177e4687bb3f26b

    SHA256

    38a43b7b1bd09e05a27736653ab99f67fd3fb970a8ba59c1f3b7fcac96ff2ba3

    SHA512

    fbe4812d59ec8fb2f325633ab6d2a0a7b87d486112be5efca8b1ea012b98e480b4c196cb1fa0c172cf82f3563c1403631a91d87e0257e75f9cb4fcc16b877df5

  • \Users\Admin\AppData\Local\Temp\nsc311F.tmp\System.dll
    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4