Analysis
-
max time kernel
53s -
max time network
51s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-11-2020 17:34
Static task
static1
Behavioral task
behavioral1
Sample
pow-setup-7.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
pow-setup-7.bin.exe
Resource
win10v20201028
General
-
Target
pow-setup-7.bin.exe
-
Size
2.5MB
-
MD5
b18ce3f7679f0078c58c3b8df4a589c1
-
SHA1
e418d17d6dd411778ed6529559f75d851c5266cd
-
SHA256
0c8ff856f752ba8ff7ae5039a893e854cdb57aaa788a8016c5bef9a85a30e13a
-
SHA512
f0b044264e5cf928e833f1caf0daa9234aa5aad4888564c059c6216abc374e3e35d4430491a4539b1e3ad8c27998acaa9a61f7520fc0f077de1932e18b6d69d7
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
Processes:
pow-setup-7.bin.exepid process 1804 pow-setup-7.bin.exe 1804 pow-setup-7.bin.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
pow-setup-7.bin.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum pow-setup-7.bin.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 pow-setup-7.bin.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
pow-setup-7.bin.exedescription ioc process File opened for modification \??\PhysicalDrive0 pow-setup-7.bin.exe -
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
pow-setup-7.bin.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pow-setup-7.bin.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pow-setup-7.bin.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
pow-setup-7.bin.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString pow-setup-7.bin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz pow-setup-7.bin.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 pow-setup-7.bin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pow-setup-7.bin.exepid process 1804 pow-setup-7.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pow-setup-7.bin.exe"C:\Users\Admin\AppData\Local\Temp\pow-setup-7.bin.exe"1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1804
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsc311F.tmp\Powzip.dllMD5
ed4f0e6ac49f7ac5254a95ea7ae33dca
SHA10b1fcad48143a7f187bc233b6177e4687bb3f26b
SHA25638a43b7b1bd09e05a27736653ab99f67fd3fb970a8ba59c1f3b7fcac96ff2ba3
SHA512fbe4812d59ec8fb2f325633ab6d2a0a7b87d486112be5efca8b1ea012b98e480b4c196cb1fa0c172cf82f3563c1403631a91d87e0257e75f9cb4fcc16b877df5
-
\Users\Admin\AppData\Local\Temp\nsc311F.tmp\System.dllMD5
bf712f32249029466fa86756f5546950
SHA175ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA2567851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA51213f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4