General

  • Target

    dbad0a50ee82c2e5dff20a24858b7a06

  • Size

    3.2MB

  • Sample

    210709-4hevejhr5a

  • MD5

    dbad0a50ee82c2e5dff20a24858b7a06

  • SHA1

    ccc3ee69a33b31581de0fecb911d5d8974288d60

  • SHA256

    2142824c415eb4f05facc471942840e5065aa41b322f36dac198d30d00e8b6fc

  • SHA512

    efa131f53702c4f2165616981372d853bde00fe4d255ee3e5ee40fac6675ec1d6acac7e98db47fd2cdaa0175fdda07d6bbb76b971a62eeb5d0ff03a0ddb20ca2

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      dbad0a50ee82c2e5dff20a24858b7a06

    • Size

      3.2MB

    • MD5

      dbad0a50ee82c2e5dff20a24858b7a06

    • SHA1

      ccc3ee69a33b31581de0fecb911d5d8974288d60

    • SHA256

      2142824c415eb4f05facc471942840e5065aa41b322f36dac198d30d00e8b6fc

    • SHA512

      efa131f53702c4f2165616981372d853bde00fe4d255ee3e5ee40fac6675ec1d6acac7e98db47fd2cdaa0175fdda07d6bbb76b971a62eeb5d0ff03a0ddb20ca2

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Core1 .NET packer

      Detects packer/loader used by .NET malware.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
