General

  • Target

    b03d46139ca23de8da2d233986f00388

  • Size

    4.6MB

  • Sample

    210624-pjnad62cna

  • MD5

    b03d46139ca23de8da2d233986f00388

  • SHA1

    b609bb2d72faa50375e5f0264f5be90156518d05

  • SHA256

    7dc721c6b633d783562f73d629267da7a16a77b4dae9ab280250c116bdfec591

  • SHA512

    acbc9f1f1b0f35bf0e8f7a71baa0320259a76544f52a978a17590ab778d95ea08161a4cf36819d954ca93f09432128ad3174254e550a1f92f7e4df8289a55378

Malware Config

Extracted

  • Language: ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

    The dropper fetches its next stage from a raw GitHub URL. Repository content can be changed or deleted at any time, so a copy of speed.ps1 retrieved today is not necessarily what this sample pulled at run time; treat the URL as an indicator and hash whatever you retrieve separately.

Targets

    • Target

      b03d46139ca23de8da2d233986f00388

    • ServHelper

      ServHelper is a backdoor written in Delphi that is attributed to the TA505 threat group. It is known for setting up remote desktop (RDP) access on infected hosts, which is consistent with the RDP and account signatures below.

    • Grants admin privileges

      Invokes net.exe to change a user's account settings or group membership; this is the command used to add an account to the local Administrators group.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

      The RDP listener port is the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp; changing it moves the service off 3389 and away from default port monitoring.

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

      The ServiceDll value under a service's Parameters key tells svchost.exe which DLL to load for that service, so writing it is a way to have a dropped DLL run as a service.

    • UPX packed file

      The executable is packed with UPX or a modified UPX build (the open-source packer); unpack it before static analysis, and expect a modified build to resist the stock upx -d.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Count  ID
  Persistence       Account Manipulation                 1      T1098
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Modify Registry                      2      T1112
  Defense Evasion   File Permissions Modification        1      T1222
  Lateral Movement  Remote Desktop Protocol              1      T1076

  Count is the number of signatures above mapped to each technique. The IDs are ATT&CK v6 IDs, as the report states; in current ATT&CK, T1060 was folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1076 into T1021.001 (Remote Services: Remote Desktop Protocol), and T1222 is now a parent of T1222.001 (Windows File and Directory Permissions Modification). T1098 and T1112 are unchanged.
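The signatures and matrix above describe behaviours rather than concrete log artifacts. The following is an added example, not code from the report or from the sandbox, showing how those behaviours would be matched against host telemetry: it runs simple rules over constructed Sysmon-style records (process creation and registry value set) and tags each hit with the report's ATT&CK v6 ID. The sample event lines, the net.exe command lines and the service name are assumptions for illustration; only the registry paths for the RDP port, ServiceDll and Run keys are real Windows locations.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not taken from the report): Sysmon-style records
# flattened to "EventID|Image|CommandLine|TargetObject". EventID 1 is process
# creation, EventID 13 is a registry value set. The command lines and the
# service name are assumptions about how the report's signatures would appear.
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\net.exe|net localgroup administrators backup /add|",
    "1|C:\\Windows\\System32\\net1.exe|net1 user backup /active:yes|",
    "13|C:\\Users\\Public\\svc.exe||HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
    "13|C:\\Users\\Public\\svc.exe||HKLM\\SYSTEM\\CurrentControlSet\\Services\\SomeSvc\\Parameters\\ServiceDll",
    "1|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt|",
    "13|C:\\Users\\Public\\svc.exe||HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
]


@dataclass
class Hit:
    technique: str   # ATT&CK v6 ID, matching the report's matrix
    rule: str
    event: str


# net.exe (and its helper net1.exe): group membership and account changes.
NET_GROUP = re.compile(r"\blocalgroup\s+administrators\b.*\s/add\b", re.I)
NET_USER = re.compile(r"\buser\b.*\s/(add|active:yes)\b", re.I)
# Registry paths behind the "Modifies RDP port number", "Sets DLL path for
# service" and Run-key persistence signatures.
RDP_PORT = re.compile(r"\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber$", re.I)
SERVICE_DLL = re.compile(r"\\Services\\[^\\]+\\Parameters\\ServiceDll$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def parse_event(line):
    """Split one flattened record into (event_id, image, command_line, target)."""
    event_id, image, cmdline, target = line.split("|", 3)
    return int(event_id), image, cmdline, target


def scan(events):
    """Return a Hit for every event that matches one of the behaviours above."""
    hits = []
    for line in events:
        event_id, image, cmdline, target = parse_event(line)
        exe = image.rsplit("\\", 1)[-1].lower()
        if event_id == 1 and exe in ("net.exe", "net1.exe"):
            if NET_GROUP.search(cmdline):
                hits.append(Hit("T1098", "net.exe adds account to Administrators", line))
            elif NET_USER.search(cmdline):
                hits.append(Hit("T1098", "net.exe creates or enables an account", line))
        elif event_id == 13:
            if RDP_PORT.search(target):
                hits.append(Hit("T1076", "RDP listener port changed in registry", line))
            elif SERVICE_DLL.search(target):
                hits.append(Hit("T1112", "ServiceDll set for a service", line))
            elif RUN_KEY.search(target):
                hits.append(Hit("T1060", "Run key persistence", line))
    return hits


def technique_counts(hits):
    """Count hits per technique, the same shape as the report's matrix."""
    counts = {}
    for hit in hits:
        counts[hit.technique] = counts.get(hit.technique, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit.technique:6} {hit.rule:40} {hit.event}")
    print(technique_counts(found))
```

The RDP port change is tagged T1076 here; in the report it also counts toward T1112, since it is a registry write. In production the same rules would run over Sysmon or EDR events rather than the flattened strings used above, and the net.exe rules should also cover net1.exe, because net.exe hands most subcommands off to it.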

Tasks