General

  • Target

    c75628570312cdb6e8607ad1e46aeb3ae3031d4f450262ccb163245a8c467e3a

  • Size

    3.4MB

  • Sample

    201113-4jsvnj83be

  • MD5

    3a34e91875163547cb960ee35bc3090a

  • SHA1

    71dcc3284f6b9bdf27ce0bb3fb136b5dfee14169

  • SHA256

    c75628570312cdb6e8607ad1e46aeb3ae3031d4f450262ccb163245a8c467e3a

  • SHA512

    1cbd076fc0fe7ffd1c3616ec6bda8d08596d5459496392221452f7c3b74553fc9ad87438a24564578879530db0d0d7200e0d6f9b9f59d5b3538da3c17576b012

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      c75628570312cdb6e8607ad1e46aeb3ae3031d4f450262ccb163245a8c467e3a

    • Size

      3.4MB

    • MD5

      3a34e91875163547cb960ee35bc3090a

    • SHA1

      71dcc3284f6b9bdf27ce0bb3fb136b5dfee14169

    • SHA256

      c75628570312cdb6e8607ad1e46aeb3ae3031d4f450262ccb163245a8c467e3a

    • SHA512

      1cbd076fc0fe7ffd1c3616ec6bda8d08596d5459496392221452f7c3b74553fc9ad87438a24564578879530db0d0d7200e0d6f9b9f59d5b3538da3c17576b012

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blacklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Account Manipulation

1
T1098

Registry Run Keys / Startup Folder

1
T1060

Modify Existing Service

1
T1031

Defense Evasion

Modify Registry

3
T1112

File Permissions Modification

1
T1222

Lateral Movement

Remote Desktop Protocol

1
T1076

Tasks