Analysis

  • max time kernel
    110s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/06/2023, 17:42

General

  • Target

    Power_Tool64.exe

  • Size

    6.3MB

  • MD5

    30fa72291682cb10a25ddacfc1982905

  • SHA1

    0e7f9ace355dbc6e192aa40d5c83085a23aab273

  • SHA256

    346662c767688feac8fdf191523aa706303fd5dcbee4ef51ad153b9b9dbc7f37

  • SHA512

    975bc12e27dc4c0e3e7012d0a609f04b90341c6c459c8f6f209f187b940071b18667223ce396b09d100db2473c66f78fab26a0075a571bc090aa746d9411decc

  • SSDEEP

    98304:aLXDJ4KAHYJMuPNk61rs8v4ElgbM//YvxZ5HwF8w+ffwle7d1XVI94NGeB:YXD6KksRPeUpNQlI86eh5K90

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 3 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Power_Tool64.exe
    "C:\Users\Admin\AppData\Local\Temp\Power_Tool64.exe"
    • Sets service image path in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3004

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BeM9Vt.sys

    Filesize

    170KB

    MD5

    7e7e3f5532b6af24dcc252ac4b240311

    SHA1

    3ccf1f3ac636a5e21b39ede48ff49fa23e05413f

    SHA256

    8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f

    SHA512

    92858391b4dc4c3c87124020d47dc1aea6a2939b1dcaa2d55c6b3bca69ee76d9043aca8b24d13fbac49424424707876eea2aa893ab4a18fe78e6d3a95cd4a488

  • memory/3004-133-0x0000000001550000-0x0000000001551000-memory.dmp

    Filesize

    4KB

  • memory/3004-134-0x0000000001560000-0x0000000001561000-memory.dmp

    Filesize

    4KB

  • memory/3004-135-0x0000000003120000-0x0000000003121000-memory.dmp

    Filesize

    4KB

  • memory/3004-136-0x0000000003130000-0x0000000003131000-memory.dmp

    Filesize

    4KB

  • memory/3004-137-0x0000000003140000-0x0000000003141000-memory.dmp

    Filesize

    4KB

  • memory/3004-138-0x0000000003160000-0x0000000003161000-memory.dmp

    Filesize

    4KB

  • memory/3004-139-0x00000000000C0000-0x0000000000F9A000-memory.dmp

    Filesize

    14.9MB