General

  • Target

    20f307c716a689f4afa3a76b7143db22

  • Size

    6.0MB

  • Sample

    210611-k2z4lyqftx

  • MD5

    20f307c716a689f4afa3a76b7143db22

  • SHA1

    2fd6796fd158c93b14654240533511af6fec03e5

  • SHA256

    3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd

  • SHA512

    0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Account Manipulation (1) - T1098

    Registry Run Keys / Startup Folder (1) - T1060

  • Defense Evasion

    Modify Registry (2) - T1112

    File Permissions Modification (1) - T1222

  • Lateral Movement

    Remote Desktop Protocol (1) - T1076

Tasks