Analysis

  • max time kernel
    32s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-11-2020 17:34

General

  • Target

    pow-setup-7.bin.exe

  • Size

    2.5MB

  • MD5

    b18ce3f7679f0078c58c3b8df4a589c1

  • SHA1

    e418d17d6dd411778ed6529559f75d851c5266cd

  • SHA256

    0c8ff856f752ba8ff7ae5039a893e854cdb57aaa788a8016c5bef9a85a30e13a

  • SHA512

    f0b044264e5cf928e833f1caf0daa9234aa5aad4888564c059c6216abc374e3e35d4430491a4539b1e3ad8c27998acaa9a61f7520fc0f077de1932e18b6d69d7

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Modifies service 2 TTPs 13 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 156 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
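
The descriptions attached to the signatures above describe registry reads the sandbox hooked while the installer ran. As an added example (not the sandbox's own rule set), the Python below maps key paths from a constructed API-monitor trace onto those signature names and counts distinct keys per family, which is what the "N IoCs" figure beside each signature reflects. The key-to-signature table is my approximation of what each signature looks for, and the trace lines are constructed for PID 4004 (the installer in the process tree), not captured from this run. One caveat when reading these hits: an installer legitimately enumerates processors, disks and the Uninstall key, so these signatures flag behaviour consistent with sandbox detection rather than proving it; the MBR write and the driver/service changes are the hits a reviewer would chase first, since an archiver's shell extension has no reason to touch the boot sector.

```python
"""Map registry keys read by a process onto the signature families this report uses.
Added example (not the sandbox's rules): the key-to-signature table is my approximation
and SAMPLE_TRACE is constructed to resemble an API-monitor log ('pid|api|key|value' per line)."""
import re
from collections import defaultdict

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

# Regexes are run against a normalised path (long hive name, upper case, backslashes).
# Assumed locations per signature family; not the sandbox's actual matching logic.
SIGNATURES = {
    "Checks processor information in registry":
        r"^HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\",
    "Checks SCSI registry key(s)":
        r"^HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\SCSI\\",
    "Maps connected drives based on registry":
        r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CURRENTCONTROLSET|CONTROLSET\d{3})\\SERVICES\\DISK\\ENUM"
        r"|^HKEY_LOCAL_MACHINE\\SYSTEM\\MOUNTEDDEVICES",
    "Checks installed software on the system":
        r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL",
}


def normalise(path):
    """Expand short hive names and unify separators/case so one regex per family suffices."""
    path = path.strip().replace("/", "\\").upper()
    hive, sep, rest = path.partition("\\")
    return HIVES.get(hive, hive) + sep + rest


def classify(path):
    """Names of every signature family the key path falls under (usually zero or one)."""
    p = normalise(path)
    return [name for name, pat in SIGNATURES.items() if re.search(pat, p)]


def summarise(trace_text):
    """Group distinct (pid, key) pairs under each signature; the length of each
    list is the 'N IoCs' count shown beside the signature in the report."""
    hits = defaultdict(set)
    for line in trace_text.splitlines():
        fields = line.split("|", 3)
        if len(fields) < 3 or not fields[0].strip():
            continue                      # blank or malformed trace line
        pid, _api, key = fields[0], fields[1], fields[2]
        for sig in classify(key):
            hits[sig].add((int(pid), normalise(key)))
    return {sig: sorted(keys) for sig, keys in hits.items()}


# Constructed trace for PID 4004; the key paths are real registry locations,
# the lines themselves were not captured from the sandbox.
SAMPLE_TRACE = r"""
4004|RegOpenKeyExW|HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0|
4004|RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0|ProcessorNameString
4004|RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\1|~MHz
4004|RegQueryValueExW|HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0|Identifier
4004|RegQueryValueExW|HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum|0
4004|RegOpenKeyExW|HKLM\SYSTEM\MountedDevices|
4004|RegOpenKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Powzip|
4004|RegOpenKeyExW|HKCU\Software\Powzip|
"""

if __name__ == "__main__":
    for sig, keys in summarise(SAMPLE_TRACE).items():
        print(f"{sig}  {len(keys)} IoCs")
        for pid, key in keys:
            print(f"    {pid}  {key}")
```

The HKCU\Software\Powzip line deliberately matches nothing: an installer writing its own per-user settings is not one of the report's signature families, and a classifier that flags every registry touch would bury the two or three keys that actually matter.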

Processes

  • C:\Users\Admin\AppData\Local\Temp\pow-setup-7.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\pow-setup-7.bin.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Writes to the Master Boot Record (MBR)
    • Modifies service
    • Drops file in Program Files directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Powzip\smshellext.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\Powzip\smshellext.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:3164

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Powzip\smshellext.dll
    MD5

    e74c188e8abe0147d6335d764a514e1a

    SHA1

    f33733a1ae54812eaf15d15ed44683de930cb4a1

    SHA256

    773203ae2e14c11a59603b9942798c7ce9480949a697188a43adf4127b01e47e

    SHA512

    e5ea49e64c73f16c49aace8ce1d9953188ee91a11d65650ae3b29da933a71c2b7fce792af59f672948b9114ad220aaf9a22531fcb7c9197a3ecd2588068cb3cb

  • \Program Files (x86)\Powzip\smshellext.dll
    MD5

    e74c188e8abe0147d6335d764a514e1a

    SHA1

    f33733a1ae54812eaf15d15ed44683de930cb4a1

    SHA256

    773203ae2e14c11a59603b9942798c7ce9480949a697188a43adf4127b01e47e

    SHA512

    e5ea49e64c73f16c49aace8ce1d9953188ee91a11d65650ae3b29da933a71c2b7fce792af59f672948b9114ad220aaf9a22531fcb7c9197a3ecd2588068cb3cb

  • \Users\Admin\AppData\Local\Temp\nsx34C2.tmp\Powzip.dll
    MD5

    ed4f0e6ac49f7ac5254a95ea7ae33dca

    SHA1

    0b1fcad48143a7f187bc233b6177e4687bb3f26b

    SHA256

    38a43b7b1bd09e05a27736653ab99f67fd3fb970a8ba59c1f3b7fcac96ff2ba3

    SHA512

    fbe4812d59ec8fb2f325633ab6d2a0a7b87d486112be5efca8b1ea012b98e480b4c196cb1fa0c172cf82f3563c1403631a91d87e0257e75f9cb4fcc16b877df5

  • \Users\Admin\AppData\Local\Temp\nsx34C2.tmp\System.dll
    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

  • memory/2572-2-0x0000000000000000-mapping.dmp
  • memory/3164-5-0x0000000000000000-mapping.dmp
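
To sweep other hosts for the files this run dropped, the hashes listed above can be loaded into a scanner. The Python below is an added example, not tooling from the sandbox or from the Powzip package: the IoC table is transcribed from the Downloads section and the General section (md5, sha1 and sha256), and the scanner walks a directory, hashes each file once with all three algorithms, and reports which report entry each file matches. The default path in the usage stub is the install directory seen in the process tree; it is only a convenience and any directory can be passed instead.

```python
"""Hash-based sweep for the files dropped in this report. Added example: the IoC
table is transcribed from the report; the scanner is not from the sandbox or the package."""
import hashlib
import os

# md5 / sha1 / sha256 transcribed from the report's General and Downloads sections.
REPORT_IOCS = {
    "pow-setup-7.bin.exe": {
        "md5": "b18ce3f7679f0078c58c3b8df4a589c1",
        "sha1": "e418d17d6dd411778ed6529559f75d851c5266cd",
        "sha256": "0c8ff856f752ba8ff7ae5039a893e854cdb57aaa788a8016c5bef9a85a30e13a",
    },
    "smshellext.dll": {
        "md5": "e74c188e8abe0147d6335d764a514e1a",
        "sha1": "f33733a1ae54812eaf15d15ed44683de930cb4a1",
        "sha256": "773203ae2e14c11a59603b9942798c7ce9480949a697188a43adf4127b01e47e",
    },
    "Powzip.dll": {
        "md5": "ed4f0e6ac49f7ac5254a95ea7ae33dca",
        "sha1": "0b1fcad48143a7f187bc233b6177e4687bb3f26b",
        "sha256": "38a43b7b1bd09e05a27736653ab99f67fd3fb970a8ba59c1f3b7fcac96ff2ba3",
    },
    "System.dll": {
        "md5": "bf712f32249029466fa86756f5546950",
        "sha1": "75ac4dc4808ac148ddd78f6b89a51afbd4091c2e",
        "sha256": "7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af",
    },
}


def index_iocs(iocs):
    """Invert {name: {algo: hex}} into {algo: {hex: name}} so each digest is one dict lookup."""
    index = {}
    for name, digests in iocs.items():
        for algo, hexdigest in digests.items():
            index.setdefault(algo, {})[hexdigest.lower()] = name
    return index


def _matches(digests, index):
    # Report every algorithm that matched, not just the first, so a partial match is visible.
    return {algo: index[algo][h] for algo, h in digests.items() if h in index[algo]}


def match_data(data, index):
    """{algo: ioc_name} for every algorithm whose digest of `data` is in the index."""
    digests = {algo: hashlib.new(algo, data).hexdigest() for algo in index}
    return _matches(digests, index)


def match_file(path, index, chunk=1 << 20):
    """Same as match_data, but streams the file so one pass feeds all hashers."""
    hashers = {algo: hashlib.new(algo) for algo in index}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return _matches({algo: h.hexdigest() for algo, h in hashers.items()}, index)


def sweep(root, iocs=REPORT_IOCS):
    """Walk `root`; return [(path, {algo: ioc_name})] for every file matching any IoC."""
    index = index_iocs(iocs)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = match_file(path, index)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the sweep
            if hits:
                findings.append((path, hits))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\Powzip"
    for path, hits in sweep(root):
        consistent = len(hits) == 3 and len(set(hits.values())) == 1
        flag = "" if consistent else "  <-- partial or conflicting match, inspect by hand"
        print(f"{path}: {hits}{flag}")
```

Two reading notes. A file that matches on md5 or sha1 but not on sha256 is either a collision or a transcription error in the hash table, which is why all matching algorithms are returned instead of stopping at the first. And a hit on System.dll alone is weak evidence: by its name and its location in the nsx34C2.tmp directory it is the stock NSIS System plugin that many installers carry, whereas smshellext.dll and Powzip.dll are specific to this package.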