Overview
overview
8Static
static
PowerISO/423Down.url
windows7-x64
6PowerISO/423Down.url
windows10-2004-x64
6PowerISO/A...mu.exe
windows7-x64
PowerISO/A...mu.exe
windows10-2004-x64
PowerISO/A...64.exe
windows7-x64
PowerISO/A...64.exe
windows10-2004-x64
PowerISO/A...64.dll
windows7-x64
3PowerISO/A...64.dll
windows10-2004-x64
3PowerISO/A...ll.dll
windows7-x64
3PowerISO/A...ll.dll
windows10-2004-x64
3PowerISO/A...SH.dll
windows7-x64
8PowerISO/A...SH.dll
windows10-2004-x64
8PowerISO/A...64.dll
windows7-x64
8PowerISO/A...64.dll
windows10-2004-x64
8PowerISO/A...VM.exe
windows7-x64
1PowerISO/A...VM.exe
windows10-2004-x64
1PowerISO/A...SO.exe
windows7-x64
8PowerISO/A...SO.exe
windows10-2004-x64
8PowerISO/A...64.dll
windows7-x64
3PowerISO/A...64.dll
windows10-2004-x64
3PowerISO/A...on.exe
windows7-x64
1PowerISO/A...on.exe
windows10-2004-x64
1PowerISO/A...nc.dll
windows7-x64
3PowerISO/A...nc.dll
windows10-2004-x64
3PowerISO/A...AC.dll
windows7-x64
3PowerISO/A...AC.dll
windows10-2004-x64
3PowerISO/A...is.dll
windows7-x64
3PowerISO/A...is.dll
windows10-2004-x64
3PowerISO/A...so.exe
windows7-x64
1PowerISO/A...so.exe
windows10-2004-x64
1PowerISO/A...64.exe
windows7-x64
1PowerISO/A...64.exe
windows10-2004-x64
1Analysis
-
max time kernel
147s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2022 02:29
Static task
static1
Behavioral task
behavioral1
Sample
PowerISO/423Down.url
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
PowerISO/423Down.url
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
PowerISO/App/DefaultData/settings/scdemu.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
PowerISO/App/DefaultData/settings/scdemu.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
PowerISO/App/DefaultData/settings/scdemu64.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
PowerISO/App/DefaultData/settings/scdemu64.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
PowerISO/App/PowerISO64/7z-x64.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
PowerISO/App/PowerISO64/7z-x64.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
PowerISO/App/PowerISO64/MACDll.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
PowerISO/App/PowerISO64/MACDll.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
PowerISO/App/PowerISO64/PWRISOSH.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
PowerISO/App/PowerISO64/PWRISOSH.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
PowerISO/App/PowerISO64/PWRISOSH64.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral14
Sample
PowerISO/App/PowerISO64/PWRISOSH64.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
PowerISO/App/PowerISO64/PWRISOVM.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
PowerISO/App/PowerISO64/PWRISOVM.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
PowerISO/App/PowerISO64/PowerISO.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
PowerISO/App/PowerISO64/PowerISO.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
PowerISO/App/PowerISO64/UnRAR64.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
PowerISO/App/PowerISO64/UnRAR64.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
PowerISO/App/PowerISO64/devcon.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
PowerISO/App/PowerISO64/devcon.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
PowerISO/App/PowerISO64/lame_enc.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral24
Sample
PowerISO/App/PowerISO64/lame_enc.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
PowerISO/App/PowerISO64/libFLAC.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral26
Sample
PowerISO/App/PowerISO64/libFLAC.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
PowerISO/App/PowerISO64/libvorbis.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
PowerISO/App/PowerISO64/libvorbis.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
PowerISO/App/PowerISO64/piso.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
PowerISO/App/PowerISO64/piso.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
PowerISO/App/PowerISO64/setup64.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
PowerISO/App/PowerISO64/setup64.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
PowerISO/App/PowerISO64/PowerISO.exe
-
Size
5.6MB
-
MD5
e5467c287a8069d4578e3c347651e0d6
-
SHA1
511c851fa0a33c8962a830009039480bdfa6b4cb
-
SHA256
08e57791b9710e03a5ff6288eb00ee56a60162893f7450c57e5f49a4a755006e
-
SHA512
24db02bbf5134e63aa4c9254e2d7d306f7d19ee4841c5eff37ddbfb7b9068f24296abc9318827d89c46494fbe51337d049841bc68137e1524ede79a9571d6020
-
SSDEEP
98304:pQcUZEk7c36et3o4h/lbNqh8PYlfeRI4i/hYdPqReHb5Hi9gB:pQDZR7ot3o4h9bNY8PDtdP2e7f
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PowerISO\\App\\PowerISO64\\PWRISOSH.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation PowerISO.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004} PowerISO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\ = "PowerISO" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO\ = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PowerISO\\App\\PowerISO64\\PWRISOSH.DLL" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\PowerISO regsvr32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3296 PowerISO.exe 3296 PowerISO.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3296 wrote to memory of 4288 3296 PowerISO.exe 83 PID 3296 wrote to memory of 4288 3296 PowerISO.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\PowerISO\App\PowerISO64\PowerISO.exe"C:\Users\Admin\AppData\Local\Temp\PowerISO\App\PowerISO64\PowerISO.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\PowerISO\App\PowerISO64\PWRISOSH.DLL"2⤵
- Registers COM server for autorun
- Modifies registry class
PID:4288
-