Overview

overview

7

Static

static

3

PowerRun.exe

windows7-x64

4

PowerRun.exe

windows10-2004-x64

3

RemoveSecH...pp.ps1

windows7-x64

3

RemoveSecH...pp.ps1

windows10-2004-x64

7

Script_Run.bat

windows7-x64

1

Script_Run.bat

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2024, 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PowerRun.exe

  • Size

    873KB

  • MD5

    fc1fb033d57f72089fb4762245a8b18d

  • SHA1

    7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e

  • SHA256

    a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2

  • SHA512

    cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0

  • SSDEEP

    24576:g2DW/xbWX2YIb3Qsu3/PNL3Q7HybtTpAA+c:g2EaXSQsW/PNjQLY9ARc

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
    "C:\Users\Admin\AppData\Local\Temp\PowerRun.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\PowerRun.exe" /P:131628
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:484
      • C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
        "C:\Users\Admin\AppData\Local\Temp\PowerRun.exe" /P:131628
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1920
        • C:\Users\Admin\AppData\Local\Temp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\PowerRun.exe" /TI/ /P:131628
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1728
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241012151721.log C:\Windows\Logs\CBS\CbsPersist_20241012151721.cab
    1⤵
    • Drops file in Windows directory
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2v7r2m8q.tmp
    Filesize

    28KB

    MD5

    9e7bb9c31083cc3a0f561d12311c9d83

    SHA1

    9102b88339566d5f0490c25180632043c8bb1809

    SHA256

    2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1

    SHA512

    1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4qqv4r8m.tmp
    Filesize

    28KB

    MD5

    1524a28cbc30e70c60bc6cf977f82229

    SHA1

    664f15cea146b654ec4a60c76071ff83c4dfa651

    SHA256

    8561191653adc4ee6cb03a5c1953bd993782689600adebcd8776754147668f9b

    SHA512

    7fbee3bc38aca8ef368c1ff07eb1f4fb3f178628f8b41430eb1006c63bd908f26a1d85a19f2d661b02d3842505c9c762c8056fb2f1619b92a3a6d1085f0b9c50

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\PowerRun.ini
    Filesize

    3KB

    MD5

    3c548fde7e314b4c03c43163f38dc00c

    SHA1

    52923ba3da93fa9c95b9b4c829c59f9b4ce77e54

    SHA256

    08fef8dce972ff68a5c997d05029efffea2d58ac06911e3834b4631b0bc1f30e

    SHA512

    50182a421b5c5f10a8ee789d9091d932f2d30dc65003dd0bbd58ab7b60d16645ab9e7f3ac35de2df1690cc397824f3d4ccafc21a020048d71f2a23ce4e353563

    Download Submit

  • C:\Windows\Temp\aut6651.tmp
    Filesize

    11KB

    MD5

    4a83df1d945c2f5801ed59650d7460eb

    SHA1

    31827890e1df99268c0f80dcb26774225e4c3a5d

    SHA256

    2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8

    SHA512

    eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2

    Download Submit

  • C:\Windows\Temp\aut6652.tmp
    Filesize

    10KB

    MD5

    09ca17eb552722bd7004097f59b07518

    SHA1

    36cf9da188460542e58acb97fa0ef0bfd9a4e172

    SHA256

    365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b

    SHA512

    3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf

    Download Submit

  • C:\Windows\Temp\aut6653.tmp
    Filesize

    5KB

    MD5

    96c0e61f3298cb745b021f67e7dd0d48

    SHA1

    a61adbe460c68a3087ff1ba75620dbb86af28e40

    SHA256

    3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333

    SHA512

    dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e

    Download Submit