General

  • Target

    3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab

  • Size

    3MB

  • Sample

    201113-qc4ajkf7mn

  • MD5

    1b41be90a36dcf5128437d5c85a71cfc

  • SHA1

    b35713b28d994c9c3d8b15231856d7d695d844f9

  • SHA256

    3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab

  • SHA512

    58d7e17d2b1a085bd4554b5a26cc3c82eb37705220718a1f614a214b6d6c950236b09eaeaf07fa112b4fc6b218c5014c1dfc47b32b754a72d1cdd0b0783cdc96

Malware Config

Targets

    • Target

      3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab

    • Size

      3MB

    • MD5

      1b41be90a36dcf5128437d5c85a71cfc

    • SHA1

      b35713b28d994c9c3d8b15231856d7d695d844f9

    • SHA256

      3bb3d4d11e9e4c2f50e264e3bf7966d15260cf02403d2a9288709c97e355beab

    • SHA512

      58d7e17d2b1a085bd4554b5a26cc3c82eb37705220718a1f614a214b6d6c950236b09eaeaf07fa112b4fc6b218c5014c1dfc47b32b754a72d1cdd0b0783cdc96

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  Persistence

    • Account Manipulation: T1098 (1)

    • Registry Run Keys / Startup Folder: T1060 (1)

    • Modify Existing Service: T1031 (1)

  Defense Evasion

    • Modify Registry: T1112 (3)

    • File Permissions Modification: T1222 (1)

  Lateral Movement

    • Remote Desktop Protocol: T1076 (1)

Tasks