Overview

overview

4

Static

static

1

PowerRun_x64.exe

windows7-x64

4

PowerRun_x64.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    63s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-06-2023 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PowerRun_x64.exe

  • Size

    923KB

  • MD5

    efe5769e37ba37cf4607cb9918639932

  • SHA1

    f24ca204af2237a714e8b41d54043da7bbe5393b

  • SHA256

    5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

  • SHA512

    33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

  • SSDEEP

    24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe" /P:393500
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe
        "C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe" /P:393500
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1236
        • C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe
          "C:\Users\Admin\AppData\Local\Temp\PowerRun_x64.exe" /TI/ /P:393500
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1528
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230609174204.log C:\Windows\Logs\CBS\CbsPersist_20230609174204.cab
    1⤵
    • Drops file in Windows directory
    PID:1616

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PowerRun.ini
    Filesize

    3KB

    MD5

    3220c026ff53e1862c0293eb2c4b0573

    SHA1

    521fc906d0ccf005f955767be763ed47fd165882

    SHA256

    8cc6393caf4ff16deffe7a5be97f101405bbb07917fab46f20105ae57dece6ad

    SHA512

    c757db73c1a2e23b1163d1d01935c68354c63dd0d7d5ad13c882a381569fa2adc5f5c12e41f28caa07451a2c64048b5f434a72ba1a41aa1ceead94808c44cd4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qbxwbtg
    Filesize

    81KB

    MD5

    940b1915cadee0e2b33d80799816f6c7

    SHA1

    2c10e4fec3e8c054055d1ed78757117575f273f2

    SHA256

    81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c

    SHA512

    cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

    Download Submit

  • C:\Windows\Temp\aut230C.tmp
    Filesize

    25KB

    MD5

    436c1bb98deeccecb73fad945f1dd3dc

    SHA1

    774313ba911945589971bbc73498d81f060dabe6

    SHA256

    05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51

    SHA512

    66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

    Download Submit