Overview

overview

8

Static

static

7

Power_Tool64.exe

windows7-x64

8

Power_Tool64.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    69s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2023, 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Power_Tool64.exe

  • Size

    6.3MB

  • MD5

    30fa72291682cb10a25ddacfc1982905

  • SHA1

    0e7f9ace355dbc6e192aa40d5c83085a23aab273

  • SHA256

    346662c767688feac8fdf191523aa706303fd5dcbee4ef51ad153b9b9dbc7f37

  • SHA512

    975bc12e27dc4c0e3e7012d0a609f04b90341c6c459c8f6f209f187b940071b18667223ce396b09d100db2473c66f78fab26a0075a571bc090aa746d9411decc

  • SSDEEP

    98304:aLXDJ4KAHYJMuPNk61rs8v4ElgbM//YvxZ5HwF8w+ffwle7d1XVI94NGeB:YXD6KksRPeUpNQlI86eh5K90

Score
8/10
discoverypersistencevmprotect

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 3 IoCs
    persistence
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Power_Tool64.exe
    "C:\Users\Admin\AppData\Local\Temp\Power_Tool64.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1560-55-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-54-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-56-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-57-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-58-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-59-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-61-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-62-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-64-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-65-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-67-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-68-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-70-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-71-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1560-72-0x0000000000A50000-0x000000000192A000-memory.dmp

    Filesize

    14.9MB

    Download