Windows
Analysis Report
http://www.poweriso-mirror.com/PowerISO8.exe
Overview
Detection
| Score | 60 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sigma detected: Classes Autorun Keys Modification
Sigma detected: File Download From Browser Process Via Inline URL
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64_ra
- chrome.exe (PID: 7092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.poweriso-mirror.com/PowerISO8.exe MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1908,i,5298122064643480494,6573306596204310756,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6748 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5484 --field-trial-handle=1908,i,5298122064643480494,6573306596204310756,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- PowerISO8.exe (PID: 4596 cmdline: "C:\Users\user\Downloads\PowerISO8.exe" MD5: E266C762C389D911887606E3D9BE7B1C)
- regsvr32.exe (PID: 7512 cmdline: regsvr32.exe /s /u "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- setup64.exe (PID: 7524 cmdline: C:\Program Files (x86)\PowerISO\setup64.exe" cp C:\Users\user\AppData\Local\Temp\nsh38D4.tmp "C:\Windows\system32\Drivers\scdemu.sys MD5: 110D5B3C1CD10640E9638DDE38D0B030)
- regsvr32.exe (PID: 7800 cmdline: C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 7816 cmdline: /s "C:\Program Files (x86)\PowerISO\PWRISOSH.DLL" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- PWRISOVM.EXE (PID: 7872 cmdline: "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE" 999 MD5: 6DDBFA1A9BC9CF52916CC30538BB5804)
- chrome.exe (PID: 7976 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.poweriso.com/thankyou.htm MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1908,i,12459082168979675179,11890365989009969599,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- avg_antivirus_free_setup.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\Temp\PowerISO_Pub_files\avg_antivirus_free_setup.exe" /silent /ws /psh:M75AarNmU96I81Vdyf7vVhoWDFduRfIC9yNGD0h8Z9srOW3i6ZSL8OJToRzeKM3cISmtNdoml2nBkvUOu6GV7qU MD5: 26816AF65F2A3F1C61FB44C682510C97)
- avg_antivirus_free_online_setup.exe (PID: 4028 cmdline: "C:\Windows\Temp\asw.376b45b5ac41c1ec\avg_antivirus_free_online_setup.exe" /silent /ws /psh:M75AarNmU96I81Vdyf7vVhoWDFduRfIC9yNGD0h8Z9srOW3i6ZSL8OJToRzeKM3cISmtNdoml2nBkvUOu6GV7qU /cookie:mmm_irs_ppi_902_451_o /ga_clientid:597750d7-6f15-4f7c-9809-84c7e762983a /edat_dir:C:\Windows\Temp\asw.376b45b5ac41c1ec MD5: 62D68511172418FBE4A8C75E1BE49913)
- icarus.exe (PID: 1000 cmdline: C:\Windows\Temp\asw-3daf44fe-c583-4a1c-80e1-cf40f7266dbb\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-3daf44fe-c583-4a1c-80e1-cf40f7266dbb\icarus-info.xml /install /silent /ws /psh:M75AarNmU96I81Vdyf7vVhoWDFduRfIC9yNGD0h8Z9srOW3i6ZSL8OJToRzeKM3cISmtNdoml2nBkvUOu6GV7qU /cookie:mmm_irs_ppi_902_451_o /track-guid:597750d7-6f15-4f7c-9809-84c7e762983a /edat_dir:C:\Windows\Temp\asw.376b45b5ac41c1ec MD5: 296B5F218A5D9EE481D1EBC0CAB61E75)
- icarus.exe (PID: 1956 cmdline: C:\Windows\Temp\asw-3daf44fe-c583-4a1c-80e1-cf40f7266dbb\avg-av-vps\icarus.exe /silent /ws /psh:M75AarNmU96I81Vdyf7vVhoWDFduRfIC9yNGD0h8Z9srOW3i6ZSL8OJToRzeKM3cISmtNdoml2nBkvUOu6GV7qU /cookie:mmm_irs_ppi_902_451_o /track-guid:597750d7-6f15-4f7c-9809-84c7e762983a /edat_dir:C:\Windows\Temp\asw.376b45b5ac41c1ec /er_master:master_ep_10956a9e-daf4-4cf0-8e0e-7e7989859c4b /er_ui:ui_ep_26792b6a-7f9c-413d-8b78-bf2ff319abc0 /er_slave:avg-av-vps_slave_ep_91f9623a-6b16-4bae-a07d-2c9e87ceb349 /slave:avg-av-vps MD5: 296B5F218A5D9EE481D1EBC0CAB61E75)
- icarus.exe (PID: 1920 cmdline: C:\Windows\Temp\asw-3daf44fe-c583-4a1c-80e1-cf40f7266dbb\avg-av\icarus.exe /silent /ws /psh:M75AarNmU96I81Vdyf7vVhoWDFduRfIC9yNGD0h8Z9srOW3i6ZSL8OJToRzeKM3cISmtNdoml2nBkvUOu6GV7qU /cookie:mmm_irs_ppi_902_451_o /track-guid:597750d7-6f15-4f7c-9809-84c7e762983a /edat_dir:C:\Windows\Temp\asw.376b45b5ac41c1ec /er_master:master_ep_10956a9e-daf4-4cf0-8e0e-7e7989859c4b /er_ui:ui_ep_26792b6a-7f9c-413d-8b78-bf2ff319abc0 /er_slave:avg-av_slave_ep_5b75bcf2-227d-45b4-b041-5584141603d6 /slave:avg-av MD5: 296B5F218A5D9EE481D1EBC0CAB61E75)
- saBSI.exe (PID: 7864 cmdline: "C:\Users\user\AppData\Local\Temp\PowerISO_Pub_files\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US MD5: BB7CF61C4E671FF05649BDA83B85FA3D)
- saBSI.exe (PID: 3428 cmdline: "C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91088 PaidDistribution=true saBsiVersion=4.1.1.818 CountryCode=US /no_self_update MD5: 143255618462A577DE27286A272584E1)
- installer.exe (PID: 4200 cmdline: "C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade MD5: 5BEA0FFB70CA31956AA3C9DBCA6F7C08)
- installer.exe (PID: 2672 cmdline: "C:\Program Files\McAfee\Temp711842692\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade MD5: 9DAF36D81B100292BFD1104A310756F6)
- cleanup
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |

Sigma rule authors:

- Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
- Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
No Snort rule has matched