PowerPunch

Description

(Microsoft) PowerPunch is executed from within PowerShell as a one-line command, encoded using Base64. These binaries also exhibit features that rely on data from the compromised host to inform encryption of the next stage. PowerPunch also provides an excellent example of this. The VolumeSerialNumber of the host serves as the basis for a multibyte XOR key. The key is applied to an executable payload downloaded directly from adversary infrastructure, allowing for an encryption key unique to the target host. Ultimately, a next-stage executable is remotely retrieved and dropped to disk prior to execution.
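The two mechanics in the description, a Base64-encoded PowerShell one-liner and a next-stage payload XOR-encrypted under a key derived from the host's VolumeSerialNumber, are worked through below from the analyst's side. This is an added illustration, not code from Microsoft's report or from PowerPunch itself. The key derivation (packing the 32-bit serial little-endian into a 4-byte key) and the sample data are assumptions made for the example; the report only states that the serial is the basis of a multibyte XOR key. The known-plaintext recovery at the end relies on the common DOS-header prefix MZ 90 00 and on the key being 4 bytes long, both also assumptions.

```python
import base64
import struct


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand (-enc) argument.

    PowerShell expects Base64 of the script text in UTF-16LE, which is why a
    plain UTF-8 decode of such arguments shows interleaved NUL bytes.
    """
    return base64.b64decode(b64).decode("utf-16-le")


def xor_key_from_volume_serial(serial: int) -> bytes:
    """Turn a 32-bit volume serial number into a 4-byte XOR key.

    Assumption for this example: the serial is packed little-endian, as
    GetVolumeInformation returns it in memory. The exact derivation used by
    the real sample is not published on this page.
    """
    return struct.pack("<I", serial & 0xFFFFFFFF)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_stage(blob: bytes, serial: int) -> bytes:
    """Decrypt a downloaded blob with the host-derived key and sanity-check it.

    Raises ValueError when the result does not start with an MZ header, which is
    what happens when the blob is decrypted with another host's serial.
    """
    pe = xor_bytes(blob, xor_key_from_volume_serial(serial))
    if pe[:2] != b"MZ":
        raise ValueError("wrong volume serial: decrypted data is not a PE file")
    return pe


def recover_key_from_known_plaintext(blob: bytes, known: bytes = b"MZ\x90\x00") -> bytes:
    """Recover a 4-byte repeating XOR key without knowing the serial.

    Most MSVC-linked PE files begin with e_magic 'MZ' followed by e_cblp 0x0090,
    so XORing those four bytes against the first four ciphertext bytes yields
    the whole key. Assumes a 4-byte key and that header prefix.
    """
    if len(blob) < len(known):
        raise ValueError("blob too short for known-plaintext recovery")
    return xor_bytes(blob[: len(known)], known)


# Constructed sample data (not a real PowerPunch artifact): the first 16 bytes
# of a typical DOS header, encrypted under a made-up serial number.
SAMPLE_SERIAL = 0x1A2B3C4D
SAMPLE_PE_HEAD = bytes.fromhex("4d5a90000300000004000000ffff0000")
SAMPLE_BLOB = xor_bytes(SAMPLE_PE_HEAD, xor_key_from_volume_serial(SAMPLE_SERIAL))
# Constructed -EncodedCommand argument: a harmless one-liner, not PowerPunch's own.
SAMPLE_ENCODED = base64.b64encode("Write-Output 'hi'".encode("utf-16-le")).decode()


if __name__ == "__main__":
    print("encoded command decodes to:", decode_encoded_command(SAMPLE_ENCODED))
    print("key from serial:           ", xor_key_from_volume_serial(SAMPLE_SERIAL).hex())
    print("key from known plaintext:  ", recover_key_from_known_plaintext(SAMPLE_BLOB).hex())
    print("stage on correct host:     ", recover_stage(SAMPLE_BLOB, SAMPLE_SERIAL)[:4])
    try:
        recover_stage(SAMPLE_BLOB, SAMPLE_SERIAL + 1)
    except ValueError as err:
        print("stage on another host:     ", err)
```

The practical point for triage: because the key is per-host, a blob pulled from adversary infrastructure will not decrypt in a sandbox unless the sandbox's volume serial is set to the victim's (or the serial is recovered from the victim image), but a 4-byte XOR key over a PE payload falls to known-plaintext recovery regardless of how the key was derived.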

Names

Name
PowerPunch

Category

Malware

Type

  • Downloader
  • Loader

Information

Mitre Attack

Other Information

Uuid

2653faee-fcff-4add-8934-b0ae27606c61

Last Card Change

2022-12-30