9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144

Analysis

max time kernel
3s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
Size

2.1MB
MD5

d73d71dc32505c87955f992091210f1a
SHA1

88d5e3fb2462b053b1161c8197168f2dafb63317
SHA256

9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144
SHA512

231d27c1028c62920d67ae48d76b40e2591490b984cb69d706b1ec118cc6a7e367277f1704a84853bbe16ae9a42e1ce2ecd125f0a5e2019e207bcfe1defbe920
SSDEEP

49152:lbZWaaPLan9GY7Pjp8oNivM0iTnDJJZk425V/zaBM3Sbawwtlx:lH8Lan9hp8oNivMba4aBN3SbAx

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Powermonster.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe

Executes dropped EXE 1 IoCs

pid	Process
1028	Powermonster.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine	Powermonster.exe

Loads dropped DLL 1 IoCs

pid	Process
1028	Powermonster.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1028	Powermonster.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1028	Powermonster.exe
1028	Powermonster.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 1028	4416	9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe	83
PID 4416 wrote to memory of 1028	4416	9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe	83
PID 4416 wrote to memory of 1028	4416	9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe	83

C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
"C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Public\Documents\Powermonster.exe
  "C:\Users\Public\Documents\Powermonster.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\Powermonster.exe

Filesize
2.5MB

MD5
842af33f5702fa99efd8f7b235f28fcc

SHA1
b841b71a4e39432f3a940ad841e74ea1686da6c9

SHA256
82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

SHA512
ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

Download Submit
C:\Users\Public\Documents\Powermonster.exe

Filesize
2.5MB

MD5
842af33f5702fa99efd8f7b235f28fcc

SHA1
b841b71a4e39432f3a940ad841e74ea1686da6c9

SHA256
82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209

SHA512
ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

Download Submit
C:\Users\Public\Documents\libcurl.dll

Filesize
922KB

MD5
22019e31ea6f7134c94358e9eb8516fe

SHA1
51673f72f119b1fc391fcb8b0780c0077aac1e13

SHA256
291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7

SHA512
20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4

Download Submit
C:\Users\Public\Documents\libcurl.dll

Filesize
922KB

MD5
22019e31ea6f7134c94358e9eb8516fe

SHA1
51673f72f119b1fc391fcb8b0780c0077aac1e13

SHA256
291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7

SHA512
20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4

Download Submit
memory/1028-15-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1028-16-0x0000000002CE0000-0x0000000002D7D000-memory.dmp

Filesize
628KB

Download