Overview

overview

10

Static

static

689d8b997a...98.exe

windows7_x64

10

689d8b997a...98.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98

  • Size

    3.4MB

  • Sample

    201112-fe5epkchwn

  • MD5

    a8d7894060ed9e3a80de995fcbf81864

  • SHA1

    8ed59a83db92328d05ec05af58f2b4e259be3af4

  • SHA256

    689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98

  • SHA512

    5e66992066cf9e0a698cf1271068a5c73aa0f8769b4b712317e528b8da83ca1780a730e72e19c4c20358b351e44692bfb6a957a0e782873063597baa3d97fa59

Score
10/10
discoveryexploitpersistenceupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98

    • Size

      3.4MB

    • MD5

      a8d7894060ed9e3a80de995fcbf81864

    • SHA1

      8ed59a83db92328d05ec05af58f2b4e259be3af4

    • SHA256

      689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98

    • SHA512

      5e66992066cf9e0a698cf1271068a5c73aa0f8769b4b712317e528b8da83ca1780a730e72e19c4c20358b351e44692bfb6a957a0e782873063597baa3d97fa59

    Score
    10/10
    discoveryexploitpersistenceupx

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blacklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

      exploit

    • Sets DLL path for service in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops file in System32 directory

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Registry Run Keys / Startup Folder

1
T1060

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

File Permissions Modification

1
T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1
T1076

Collection

Exfiltration

Command and Control

Impact

Tasks