PowerLoaderV2 Full Behavioral Malware Analysis by Mahmoud NourEldin [Part 2]

Mahmoud NourEldin
2 min read, Jan 15, 2023


Hello there. This is part 2 of my first writeup on a malware sample I analyzed. Today we will explain in detail how to do behavioral analysis, so let’s go.

These are the IOCs extracted in the basic static analysis (Part 1):

sha256: 5E56A3C4D4C304EE6278DF0B32AFB62BD0DD01E2A9894AD007F4CC5F873AB5CF [sdropper32.exe, sdropper64.exe]

B.cfg, logs123.txt,

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Cryptography

[main]\r\nsrvurls=http://ripnhuipn[.]ru/power/c1.php;http://fikuskalus[.]ru/power/c1.php;\r\nsrvdelay=15\r\nsrvretry=2\r\nbuildid=test\r\n

Let’s continue

Behavioral analysis means running the malware in an isolated environment under specific conditions to learn what it does to the system, by checking processes and threads, registry keys, files and folders, network communications, and any other behavior we can catch.

Let’s open the Autoruns tool to check whether any program is set to run automatically when the system starts; Process Monitor to monitor registry, file system and network activity; Task Explorer to freeze the running processes in case they terminate; FakeNet to fake DNS and common network protocols such as HTTP; and Regshot to take a registry snapshot before and after running the malware.

[Image: Process Monitor output]
[Image: Task Explorer output]
[Image: logs123.txt output]
[Image: the registry key that was created]

As you can see, it created these IOCs:

C:\Users\User\AppData\Local\Temp\logs123.txt

HKCU\SOFTWARE\cecdcdbcebsacfsfdsf\CurrentPath111

And inside logs123.txt:

Entry(): integrity: 2000, current: ‘$PATH\PowerLoaderV2.exe’, win: ‘6.2 9200 sp0.0 64bit’, admin: ‘0’, uac: ‘1’, wow64: ‘1’

where $PATH is the path the malware was run from. This is information about my machine [64-bit, not admin, the Windows version, and whether it runs as a WOW64 process].
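As an added example (not code from the original post), here is a small Python parser for the logs123.txt fingerprint line quoted above, so the host profile the dropper records can be pulled out of a sandbox run automatically. The sample line is constructed from the entry above, and the output field names are my own choice.

```python
import re

# Constructed sample: the single logs123.txt entry observed in the post,
# with the run location kept as the $PATH placeholder.
SAMPLE_LOG = (
    "Entry(): integrity: 2000, current: '$PATH\\PowerLoaderV2.exe', "
    "win: '6.2 9200 sp0.0 64bit', admin: '0', uac: '1', wow64: '1'\n"
)

# Field layout as seen in the log: integrity level, current path, Windows
# version string, then three 0/1 flags (admin, uac, wow64).
ENTRY_RE = re.compile(
    r"^Entry\(\):\s*integrity:\s*(?P<integrity>\d+),\s*"
    r"current:\s*'(?P<current>[^']*)',\s*"
    r"win:\s*'(?P<win>[^']*)',\s*"
    r"admin:\s*'(?P<admin>[01])',\s*"
    r"uac:\s*'(?P<uac>[01])',\s*"
    r"wow64:\s*'(?P<wow64>[01])'\s*$"
)


def parse_entry(line):
    """Parse one 'Entry():' line; return a dict, or None if it is not one."""
    # Copy/paste from a blog often turns ' into curly quotes; normalise them.
    line = line.strip().replace("\u2018", "'").replace("\u2019", "'")
    m = ENTRY_RE.match(line)
    if not m:
        return None
    # win looks like '6.2 9200 sp0.0 64bit' (6.2 build 9200 is Windows 8).
    version, build, sp, arch = m.group("win").split()
    major, minor = (int(x) for x in version.split("."))
    return {
        "integrity": int(m.group("integrity")),
        "current": m.group("current"),
        "win_version": (major, minor),
        "win_build": int(build),
        "service_pack": sp,
        "arch": arch,
        "admin": m.group("admin") == "1",
        "uac": m.group("uac") == "1",
        # wow64 == 1 means a 32-bit process running on 64-bit Windows.
        "wow64": m.group("wow64") == "1",
    }


def parse_log(text):
    """Parse every fingerprint entry in a logs123.txt dump, skipping other lines."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]
```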

We didn’t see any network communication, which means it recognized our fake DNS or something else in the environment.

Then the Windows error reporting dialog ran.

So here we want to know more, because we cannot see any network activity, nor any further registry or file system activity.

It’s useless on its own, so let’s analyze the code of the malware.

To be continued…


Written by Mahmoud NourEldin

Threat Researcher and Malware Analyst.
