General

  • Target

    clr.exe

  • Size

    6.0MB

  • Sample

    210524-96m9gh9rhx

  • MD5

    1e9f45329ffece31382bb884367f58df

  • SHA1

    52d3d55364d8c4d350231d38bfe6eb156cf8473f

  • SHA256

    8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc

  • SHA512

    12272d5f20c42764992420aa1a178b16d7ef1873f2c9619bd8ac16e0eb9a0067a08a9d70863c1d3e95dd4a2aa19c081ae0baabaf3431f5068ea7191c8f4d6c62

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      clr.exe

    • Size

      6.0MB

    • MD5

      1e9f45329ffece31382bb884367f58df

    • SHA1

      52d3d55364d8c4d350231d38bfe6eb156cf8473f

    • SHA256

      8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc

    • SHA512

      12272d5f20c42764992420aa1a178b16d7ef1873f2c9619bd8ac16e0eb9a0067a08a9d70863c1d3e95dd4a2aa19c081ae0baabaf3431f5068ea7191c8f4d6c62

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks