General

  • Target

    6efc7601be401f3e9b49f4f2cf63fee9

  • Size

    6.0MB

  • Sample

    210616-jgm73r6cje

  • MD5

    6efc7601be401f3e9b49f4f2cf63fee9

  • SHA1

    6c975b9f64a3e0840c43f11571bc4b1bccdc3d83

  • SHA256

    9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724

  • SHA512

    87998010dd888280388f65637945aca1c641c45ad482d9abb193b1f00c5838aff22dcec68c695feb357dab26f536edd8364640cda4814de461c506b1ff288c7a

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      6efc7601be401f3e9b49f4f2cf63fee9

    • Size

      6.0MB

    • MD5

      6efc7601be401f3e9b49f4f2cf63fee9

    • SHA1

      6c975b9f64a3e0840c43f11571bc4b1bccdc3d83

    • SHA256

      9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724

    • SHA512

      87998010dd888280388f65637945aca1c641c45ad482d9abb193b1f00c5838aff22dcec68c695feb357dab26f536edd8364640cda4814de461c506b1ff288c7a

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Account Manipulation

1
T1098

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

File Permissions Modification

1
T1222

Lateral Movement

Remote Desktop Protocol

1
T1076

Tasks