Malware Analysis Report

2025-08-10 22:43

Sample ID 250127-zns2zsvnax
Target PowerVerse.exe
SHA256 eda36519020d4c8bd126a8186aefc15afb84b08a709aee69a95c2753641ca646
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

eda36519020d4c8bd126a8186aefc15afb84b08a709aee69a95c2753641ca646

Threat Level: Likely benign

The file PowerVerse.exe was found to be: Likely benign.

Malicious Activity Summary


Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:52

Reported

2025-01-27 20:53

Platform

win10v2004-20241007-en

Max time kernel

73s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe

"C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe

"C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
N/A 239.255.255.250:3702 udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
N/A 239.255.255.250:3702 udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp

Files

memory/3084-0-0x00007FFD0BD53000-0x00007FFD0BD55000-memory.dmp

memory/3084-1-0x0000000000380000-0x000000000038E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzhofylh.orn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3084-11-0x000000001B0F0000-0x000000001B112000-memory.dmp

memory/3084-12-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

memory/3084-13-0x00007FFD0BD53000-0x00007FFD0BD55000-memory.dmp

memory/3084-14-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

memory/3084-16-0x00007FFD0BD50000-0x00007FFD0C811000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerVerse.exe.log

MD5 5c397610518696e193bf8c89174e5740
SHA1 1ca5d4600d1fd944b312be37d6844aa749212109
SHA256 e5fcf8ac446cebe079a3464909224e66687bcf75a0511abb45924faebaf7c668
SHA512 e793a4e4e7084304649d75cadaa49c5a63b0e1948bc4ffab869304db60573a445bab751b7ac6ac49c7919bffc7ba8b8fec2309757ca72776ef07c71cfa1f7eae

memory/2184-18-0x00007FFD08993000-0x00007FFD08995000-memory.dmp

memory/2184-28-0x00007FFD08993000-0x00007FFD08995000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:52

Reported

2025-01-27 20:54

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe C:\Windows\system32\WerFault.exe
PID 976 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe C:\Windows\system32\WerFault.exe
PID 976 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe

"C:\Users\Admin\AppData\Local\Temp\PowerVerse.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 976 -s 532

Network

N/A

Files

memory/976-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

memory/976-1-0x0000000000330000-0x000000000033E000-memory.dmp