General

  • Target

    261603776412fc9028feb04ba71a42c5d6bd99c0e4fbb4610d19e6d649dba700

  • Size

    3.5MB

  • Sample

    201113-917ysv92pn

  • MD5

    1b9749d2a3369e1f81423a8788c3f338

  • SHA1

    aaa78b7cb195bc4a645b0b625daa41ffcd3bf353

  • SHA256

    261603776412fc9028feb04ba71a42c5d6bd99c0e4fbb4610d19e6d649dba700

  • SHA512

    645848aa7c1272b395294e90189988411c4dfa2cf30f1855f3a5180115a3b97ed04ac033dd182b1c2e9ee711b8b05fb09150916ecfa42b78beb7a672b73c6eaa

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      261603776412fc9028feb04ba71a42c5d6bd99c0e4fbb4610d19e6d649dba700

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blacklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Account Manipulation (T1098): 1
    Registry Run Keys / Startup Folder (T1060): 1
    Modify Existing Service (T1031): 1

  • Defense Evasion

    Modify Registry (T1112): 3
    File Permissions Modification (T1222): 1

  • Lateral Movement

    Remote Desktop Protocol (T1076): 1