Powrprof.dll library: malware analysis

Important elements of the analysis  

  • Mostly heuristic detections  
  • Creation of mutex objects  
  • Child execution via the WinExec function  
  • Rundll32 execution  
  • NVIDIA-related DLL whose signature does not verify  
  • Suspicious mutex associated with the Backdoor:Win32/Temratanam.A threat 

Introduction 

In this analysis we examine the library powrprof.dll (SHA-256: dc9385b83a139db8606f4f9cb8d7d8d8e0aeac2dd963f03a669f231ef6deb951), which OSINT sources flag mainly through heuristic, behavioural and machine-learning detections; only Microsoft has recently assigned it a named signature, Trojan:Win32/FavLoader.A!MTB. The sample acts as a loader: it starts a child execution of a second DLL, favicon.jpg, which masquerades as an image but is in fact a DLL library. That Portable Executable relates to an NVIDIA video card component and carries a certificate that does not verify, and it also contains a mutex string associated with backdoor threats. This type of threat can be described as “Malicious DLL as a Service”: from a threat-development and threat-landscape perspective, the DLL executed in the second stage (favicon.jpg) could be replaced with any other payload, such as ransomware or a Remote Access Trojan. 

Powrprof.dll static analysis 

The compilation timestamp is 20 July 2023: 

The Relative Virtual Address of the entry point is 00001000 (0x1000, the start of the .text section). 

Below are the details of the DLL sections, including the CPU instructions contained in the .text section, whose VirtualSize is 000000B5. The .edata section holds the export table, i.e. the functions that external callers can invoke. 

One of the main features of the powrprof.dll library is the creation of a mutex object via the CreateMutexA function, used to ensure that only one instance of its execution runs at a time. 

The library under analysis does not show any particular packing characteristics; in fact the entropy values of the various sections are not high: 

Suspicious indicators include the functions involved in launching the child execution: 

The WinExec function is essential to the infection phase: it performs the child execution, i.e. it launches rundll32 on the (potentially malicious) external DLL invoked by powrprof.dll. 

Examining the hexadecimal dump of the sample, the rundll32 command used to run the external library is visible; the mutex created earlier guards this execution so that the library is launched only once. 

Alongside it there is the string 60B0I0O0Z0 (not a hexadecimal value, since it contains the letters I, O and Z), which can serve as an identifier from a threat hunting perspective: 

The strings extractable from the library include the run command rundll32 favicon.jpg,#189 (the #189 is an export ordinal: rundll32 loads the module with LoadLibrary, which ignores the file extension, and then calls export number 189), the mutex name idozlopm, and the function names WinExec and CreateMutex. 

Powrprof.dll debugging and disassembling 

In the DllEntryPoint there is an address-load (lea) instruction referencing the file name favicon.jpg. 

CreateFileA is called with dwCreationDisposition set to 3 (OPEN_EXISTING), so the file is opened only if it already exists: 

Here is the creation of the mutex idozlopm and the rundll32 execution of the external DLL favicon.jpg: 

The functions WinExec, CreateFileA and CreateMutexA are imported from KERNEL32.DLL: 

GetFileVersionInfoSizeA returns the value 1 in the EAX register: 

Next, in the disassembled .text section, GetLastError is called right after the mutex is created and the result in EAX is compared with 0xB7, i.e. 183, ERROR_ALREADY_EXISTS. This is the classic single-instance check: if a mutex with the same name already exists, another copy of the loader is running and the execution is skipped. 
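The rundll32 child execution described above leaves a recognisable trace in process-creation telemetry. The following Python script is an added example written for this article, not code from the original page or from the analysed binaries: it parses rundll32 command lines and flags the three traits this loader exhibits, a module whose extension is not an executable extension (LoadLibrary does not care about the extension, so favicon.jpg loads as a DLL), an entry point given by ordinal (#189), and a module located outside the Windows or Program Files directories. The event records are constructed, simplified Sysmon-style dictionaries, and the NVIDIA path in the benign example is hypothetical.

```python
"""Hunting rule for rundll32 child executions like the one launched by powrprof.dll.
Flags: module extension that is not an executable extension (favicon.jpg), entry
point given by ordinal (#189), and a module path outside the system directories."""
import ntpath
import re

RUNDLL32_RE = re.compile(
    r'(?i)rundll32(?:\.exe)?"?\s+'        # rundll32 or rundll32.exe, optionally closing a quote
    r'(?P<module>"[^"]+"|[^\s,]+)'       # quoted module path, or a bare token up to space/comma
    r'\s*,\s*(?P<entry>#?\w+)'           # ",EntryName" or ",#ordinal"; spaces around the comma tolerated
)
PE_EXTENSIONS = {".dll", ".exe", ".ocx", ".cpl", ".drv", ".sys"}
# Locations where a rundll32 module is normally expected; anything else is worth a look.
SYSTEM_DIR_RE = re.compile(r"(?i)^[a-z]:\\(windows|program files(?: \(x86\))?)\\")


def parse_rundll32(cmdline):
    """Split a rundll32 command line into module, entry and ordinal (None for a named entry).
    Returns None when the command line does not invoke rundll32 with a module,entry pair."""
    m = RUNDLL32_RE.search(cmdline)
    if m is None:
        return None
    module = m.group("module").strip('"')
    entry = m.group("entry")
    ordinal = int(entry[1:]) if entry.startswith("#") and entry[1:].isdigit() else None
    return {"module": module, "entry": entry, "ordinal": ordinal}


def assess(cmdline):
    """Return the list of findings for one process-creation command line (empty = nothing odd)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    findings = []
    ext = ntpath.splitext(parsed["module"])[1].lower()
    if ext not in PE_EXTENSIONS:
        # LoadLibrary ignores the extension, so a .jpg "image" loads just like a .dll.
        findings.append(f"non-pe-extension({ext or 'none'})")
    if parsed["ordinal"] is not None:
        # Calling an export by ordinal keeps the function name out of the command line.
        findings.append(f"ordinal-entrypoint(#{parsed['ordinal']})")
    directory = ntpath.dirname(parsed["module"])
    if directory and not SYSTEM_DIR_RE.match(directory + "\\"):
        findings.append("module-outside-system-dirs")
    return findings


# Constructed, simplified Sysmon-style process-creation records (not real telemetry).
# The NVIDIA path in evt-3 is a hypothetical benign example.
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 favicon.jpg, #189"},          # the command seen in powrprof.dll
    {"id": "evt-2", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Users\Public\favicon.jpg,#189"},
    {"id": "evt-3", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\NVIDIA Corporation\Display\nvdisplay.dll",EntryPoint'},
    {"id": "evt-4", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": "evt-5", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe notes.txt"},
]


def scan(events):
    """Map each event id to its list of findings."""
    return {e["id"]: assess(e["CommandLine"]) for e in events}


if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, "ALERT" if findings else "ok", findings)
```

The bare command line from the sample (evt-1) already produces two findings; a full path under a user-writable directory (evt-2) adds a third. A legitimately installed NVIDIA module or a control-panel applet called by name produces none, so the rule can be tuned by adding directories to SYSTEM_DIR_RE rather than by allow-listing individual command lines.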

The DOS header field e_cblp (number of bytes on the last page of the file) is 80: 

All PE sections have the same size: 

Here are some JBE (jump if below or equal) instructions, which jump when either the Carry Flag or the Zero Flag is set (CF=1 or ZF=1), targeting the addresses 0x40207F and 0x402091. 

Favicon.jpg static analysis 

The file invoked in the child execution, favicon.jpg, is actually a DLL library (note the MZ header). 

Its version information refers to an NVIDIA video card configuration extension. 

The DLL does not show high entropy values: 
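The static checks applied to both binaries (MZ/PE signature regardless of the file extension, per-section entropy to spot packing, and string extraction for the rundll32 command and the mutex name) can be reproduced with the standard library alone. The script below is an added example written for this article, not code from the original page or from the analysed samples. Since the real samples cannot ship with the article, it builds a constructed minimal 32-bit DLL image whose .text section carries the strings reported for powrprof.dll and whose .data section is filled with uniformly distributed bytes, so both the low-entropy and the high-entropy cases are exercised; the sizes, addresses and flags of that test image are assumptions, apart from the .text VirtualSize of 0xB5 reported above.

```python
"""PE triage for a file that may hide behind a misleading extension (favicon.jpg):
verify the MZ/PE signature, list sections with their Shannon entropy, and pull
printable strings such as the rundll32 command and the mutex name."""
import math
import ntpath
import re
import struct
from collections import Counter

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 0 for padding, near 8 for packed or encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """True when the buffer has an MZ stub whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def masquerading_pe(filename: str, data: bytes) -> bool:
    """A PE image carrying an extension that does not suggest executable code."""
    ext = ntpath.splitext(filename)[1].lower()
    return is_pe(data) and ext not in PE_EXTENSIONS


def pe_sections(data: bytes):
    """Walk the IMAGE_SECTION_HEADER table and compute the entropy of each section's raw bytes."""
    if not is_pe(data):
        raise ValueError("not a PE image")
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4        # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section table follows the optional header
    sections = []
    for i in range(num_sections):                            # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def ascii_strings(data: bytes, min_len: int = 6):
    """Printable-ASCII runs of at least min_len bytes, like the strings utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_sample_pe() -> bytes:
    """Constructed 32-bit DLL image for offline testing (not the analysed sample):
    a low-entropy .text holding the strings reported for powrprof.dll, and a .data
    filled with a permutation of all byte values, i.e. entropy 8.0."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header at offset 0x40
    # Machine=i386, 2 sections, timestamp, no symbols, 0xE0-byte optional header, DLL|EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x64B91F00, 0, 0, 0xE0, 0x2102)
    optional = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")   # PE32 magic, remaining fields zeroed

    def section_header(name, vsize, vaddr, rsize, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + optional
               + section_header(b".text", 0xB5, 0x1000, 0x200, 0x200, 0x60000020)
               + section_header(b".data", 0x200, 0x2000, 0x200, 0x400, 0xC0000040)).ljust(0x200, b"\0")
    text = b"rundll32 favicon.jpg,#189\0idozlopm\0WinExec\0CreateMutexA\0".ljust(0x200, b"\0")
    data = bytes((i * 73 + 11) % 256 for i in range(0x200))  # 73 is coprime with 256: every byte twice
    return headers + text + data


SAMPLE = build_sample_pe()

if __name__ == "__main__":
    print("PE:", is_pe(SAMPLE), "| masquerading as favicon.jpg:", masquerading_pe("favicon.jpg", SAMPLE))
    for s in pe_sections(SAMPLE):
        print(f"{s['name']:<8} vsize={s['virtual_size']:#010x} raw={s['raw_size']:#x} entropy={s['entropy']}")
    print([s for s in ascii_strings(SAMPLE) if "rundll32" in s or s == "idozlopm"])
```

Run against a real file, replace SAMPLE with the file's bytes: a .jpg that passes is_pe is exactly the favicon.jpg case, a section close to 8.0 bits per byte is the packing signal the article rules out for both samples, and the string list is where the rundll32 favicon.jpg,#189 command and the idozlopm mutex name surface.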

Suspicious indicators include evidence of file management, service management, registry management, desktop and resource management (to handle video card properties) and enumeration of RDP session details. There are also references to GUIDs, mutex handling and exports. 

Imported libraries include wtsapi32.dll (management of RDP/Terminal Services sessions) and advapi32.dll (registry and service management). 

The most interesting functions are WTSEnumerateSessionsW (enumerates the RDP sessions on a server), QueryPerformanceFrequency (returns the frequency of the high-resolution performance counter; timing APIs of this kind are also used to probe the execution context), LookupAccountSidW (maps a SID to a user name), ImpersonateLoggedOnUser (runs code in the security context of a logged-on user) and RegOpenCurrentUser, which opens the HKEY_CURRENT_USER hive of the user the calling thread is currently impersonating. 

Here we can see the CreateThread call used to spawn threads, and EncodePointer, which obfuscates pointer values. 

Further registry functions include RegEnumKeyExW, RegOpenKeyW and RegEnumValueW. There is evidence of RegisterTraceGuidsW (which registers the module as an ETW provider so it can emit trace events), of StringFromGUID2 (conversion of a GUID to its string form) and of SHGetSpecialFolderPathW (resolution of special folder paths). 

Following are the NVIDIA API call references in the .text section (the instructions executed by the CPU). 

Here are the resources of the NVIDIA library, which include the icons and the manifest file: 

The API calls include functions for retrieving details and information about the GPU. 

Here are references to driver installation packages and to setup scripts with .bat, .cmd and .com extensions. 

Here, instead, are details of the built-in persistence of the video card drivers, i.e. the legitimate start-up mechanism of the driver components: 

The DLL opens the Service Control Manager to install the appropriate services. 

Following are elements associated with starting and stopping (START and STOP) the NVIDIA drivers. 

Among the strings extractable from the DLL under inspection there is the mutex name {C15730E2-145C-4c5e-B005-3BC753F42475}, which Microsoft associates with Backdoor:Win32/Temratanam.A threats [0]. A shared mutex name is a weak indicator on its own, since GUID-style mutex names are common in legitimate software; it should be weighed together with the invalid signature and the loading chain rather than taken as proof of a backdoor: 

Below are the details of the certificate, which is valid from 2011 to 2028: 

Favicon.jpg debugging and disassembling 

In the function sub_642877A0 there are calls into ADVAPI32.dll: the service-opening functions OpenSCManagerW and OpenServiceW, and QueryServiceConfigW. 

Favicon.jpg enumerates registry key values and D3DKMT graphics adapters. 

The ChipsetMatchID value, which identifies the video card, is saved in the registry. 

In the function sub_642A1660 a reference to SYSTEMID is highlighted. 

Below is a detail of the hexadecimal dump of the DLL containing NvStartup, the driver's own start-up persistence. 

Here is evidence of calls retrieving the current SystemTime and the performance counter. 

In conjunction with an NVIDIA driver exception there is a run of INT3 instructions. 

There are AND instructions between dword [rbp + 0x40] and 0xfffffffe (4294967294), which clear the least significant bit of that value. 

Below is a construct for cancelling the execution of a concurrent task. 

There is a structure of IDs obtained and used through the format specifiers %s (string) and %d (decimal value). 

Below is a listing of the hexadecimal dump of favicon.jpg containing NVIDIA details: 

In the library exports we can see functions related to graphics card contexts: 

From the disassembled .text section we can see references to NVIDIA driver update checks and to mutex handling in graphics attribute management. 

During a debugging session it was possible to observe a call to IsDebuggerPresent for the current process, a basic anti-debugging check. 

IOCs: 

MD5: 5253201a250b909a01251a8984c3451b 

SHA-1: 6800ad564eac58ca2694dc10f9a51603229639e6 

SHA-256: dc9385b83a139db8606f4f9cb8d7d8d8e0aeac2dd963f03a669f231ef6deb951 

Mutex: idozlopm 

YARA rule: 

rule SuspiciousPowrProfDLLRule
{
    meta:
        description = "powrprof.dll loader: mutex name and marker string"

    strings:
        $str = "idozlopm"                       // mutex name as plain text (no leading space)
        $hexStr = { 69 64 6f 7a 6c 6f 70 6d }  // same bytes as $str, kept for hex-based tooling
        $str1 = "60B0I0O0Z0"                   // marker string found next to the rundll32 command

    condition:
        $str or $hexStr or $str1
}

CONCLUSIONS: 

The DLL powrprof.dll has noteworthy features: it hides behind the name of a legitimate Microsoft library (powrprof.dll is the Windows Power Profile Helper), and its evasion techniques mean it is caught mostly by heuristic and behavioural detections only. Its DllEntryPoint directly launches the DLL used in the child execution phase. In this specific case the DLL favicon.jpg executed via a rundll32 command is an NVIDIA driver and component management library, but it is possible to hypothesise further scenarios in which the invoked DLL is, for instance, a connection “bridge” to a C&C domain, a backdoor or a ransomware payload. 

In conclusion, this is a DLL library that can be defined as “Malicious DLL as a Service”: by customising the execution of the invoked DLL, infection entry points with built-in evasion can be created, a scenario that may become increasingly common in the threat landscape. 

References: 

[0]: Microsoft Security Intelligence, Backdoor:Win32/Temratanam.A threat description 
