Overview
overview
8Static
static
3PowerISO8-x64.exe
windows7-x64
8PowerISO8-x64.exe
windows10-2004-x64
8$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$R0.exe
windows7-x64
1$R0.exe
windows10-2004-x64
1$TEMP/$0.dll
windows7-x64
3$TEMP/$0.dll
windows10-2004-x64
3devcon.exe
windows7-x64
1devcon.exe
windows10-2004-x64
1setup64.exe
windows7-x64
1setup64.exe
windows10-2004-x64
1Analysis
-
max time kernel
101s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 11:24
Static task
static1
Behavioral task
behavioral1
Sample
PowerISO8-x64.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
PowerISO8-x64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$R0.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$R0.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$TEMP/$0.dll
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
$TEMP/$0.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
devcon.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
devcon.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
setup64.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
setup64.exe
Resource
win10v2004-20240802-en
General
-
Target
PowerISO8-x64.exe
-
Size
5.0MB
-
MD5
42308fcb5833ca389ba781e280cbb8e8
-
SHA1
f16d1681010efae2a73f98a92d0b3d19d64e7d83
-
SHA256
cac86780dd560b81feab752a38f05a186477de300d25eeaa7526e7812aec5cd3
-
SHA512
42efbb1f658faa226d9c64f30ed4439287dc20841c58944012553d0a304bdf0dca6163eec05099b601e47b0b761c76acd41f157ce7f4c5e5ee47518cf7002b92
-
SSDEEP
98304:CIg29chmuO1d2ZKY6wp9+YbZCK2ycBQQBVC4RJzDiZwd:lg29ccuOT2L6wpJfkQ2V3J3Gwd
Malware Config
Signatures
-
Downloads MZ/PE file
-
Loads dropped DLL 4 IoCs
pid Process 5028 PowerISO8-x64.exe 5028 PowerISO8-x64.exe 5028 PowerISO8-x64.exe 5028 PowerISO8-x64.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV PowerISO8-x64.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV PowerISO8-x64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PowerISO8-x64.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 5028 PowerISO8-x64.exe 5028 PowerISO8-x64.exe 5028 PowerISO8-x64.exe 5028 PowerISO8-x64.exe 5028 PowerISO8-x64.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 5028 PowerISO8-x64.exe Token: SeShutdownPrivilege 5028 PowerISO8-x64.exe Token: SeCreatePagefilePrivilege 5028 PowerISO8-x64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PowerISO8-x64.exe"C:\Users\Admin\AppData\Local\Temp\PowerISO8-x64.exe"1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD58cf2ac271d7679b1d68eefc1ae0c5618
SHA17cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA2566950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
-
Filesize
29KB
MD52bdf5a9d2007c879b665b9c631a9cebb
SHA10937ebd3024adbf14e6c313434de078975fe2e14
SHA256dd8c9f10e6115c70a774dd017b2d300108d7ab082d8475d6e3ad53a0dd45124c
SHA512ee30588bd9c1f6c9c550cd50c3997ea4b14482af7c9fc0ad7ac918680e32e7984f3fb0ca2699f9a27d2e35868c282e1c0af3772609044770d67a753737c27bfc