5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9

Analysis

max time kernel
3s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2023 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9.exe
Size

4.6MB
MD5

bf7e11ba2252db0e6be3c31b137b12dc
SHA1

2ff198c59fe7be2c807816fa243e9c874f85b388
SHA256

5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9
SHA512

aa0493ba6ff5ebd4cfede6fa3fcb29cf00721b44acbd4eb5a65ef11a5e3930ea90aa8726790189f7866bbe4ed67ade81154a37a38063966f663d5d81050fc1ad
SSDEEP

49152:TbEp2+CVgtJO94vM0iTnDJJZk425V/zaBM3SbawwtlY6sKpETPub0J0lTuRjlH6H:TJnVivMba4aBN3SbAYbKpEq0WMRh

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Powermonster.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9.exe

Executes dropped EXE 1 IoCs

pid	Process
3484	Powermonster.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Wine	Powermonster.exe

Loads dropped DLL 1 IoCs

pid	Process
3484	Powermonster.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3484	Powermonster.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3484	Powermonster.exe
3484	Powermonster.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3484	4388	5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9.exe	86
PID 4388 wrote to memory of 3484	4388	5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9.exe	86
PID 4388 wrote to memory of 3484	4388	5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9.exe	86

C:\Users\Admin\AppData\Local\Temp\5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9.exe
"C:\Users\Admin\AppData\Local\Temp\5726447d808719aaad889259c482641ae4583e8ac7e16de1688c00425f9935b9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Public\Pictures\Powermonster.exe
  "C:\Users\Public\Pictures\Powermonster.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Pictures\Powermonster.exe

Filesize
2.5MB

MD5
842af33f5702fa99efd8f7b235f28fcc

SHA1
b841b71a4e39432f3a940ad841e74ea1686da6c9

SHA256
82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

SHA512
ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

Download Submit
C:\Users\Public\Pictures\Powermonster.exe

Filesize
2.5MB

MD5
842af33f5702fa99efd8f7b235f28fcc

SHA1
b841b71a4e39432f3a940ad841e74ea1686da6c9

SHA256
82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

SHA512
ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

Download Submit
C:\Users\Public\Pictures\libcurl.dll

Filesize
921KB

MD5
a004a9f3f3c13edd2b8461037c517426

SHA1
fbabddc6146174aaae84178e7cba580dbb4e7725

SHA256
8022c162b5766dd747300ccfb8efbf7421be57ff32be214438de3b9e818704b6

SHA512
4bb014deea3cf6b20638415255d91cfa03fa944113352d7ebd67d75807d892839c61adbf956d4e47f5777b4b1a327262d6cd870109ad7c8770700735e8e0f598

Download Submit
C:\Users\Public\Pictures\libcurl.dll

Filesize
921KB

MD5
a004a9f3f3c13edd2b8461037c517426

SHA1
fbabddc6146174aaae84178e7cba580dbb4e7725

SHA256
8022c162b5766dd747300ccfb8efbf7421be57ff32be214438de3b9e818704b6

SHA512
4bb014deea3cf6b20638415255d91cfa03fa944113352d7ebd67d75807d892839c61adbf956d4e47f5777b4b1a327262d6cd870109ad7c8770700735e8e0f598

Download Submit
memory/3484-15-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download
memory/3484-16-0x0000000000E20000-0x0000000000EBD000-memory.dmp

Filesize
628KB

Download
memory/3484-17-0x0000000077034000-0x0000000077036000-memory.dmp

Filesize
8KB

Download