General
Target: eufive_20210710-170448
Size: 3.6MB
Sample: 210710-z8x2dmgrbj
MD5: 85eb61ab9b4baad5a052fc8ad58d9596
SHA1: 6b46f4e4191cf3eb8d159c1113cb4fa11928d9d9
SHA256: b06ce32e718dfcb37690801799d06bc04b85ece8151468cde9f93b1f10960108
SHA512: a61bc0ebbc0d06130c21c03bd56f277fd7998c1135b93323110bad1d16d158ed33b07b36dc1e5d6f20827cb6cb56d1aed42ef6d4557d08d1eb3556c1e80a2465
Static task: static1
Behavioral task: behavioral1
Sample: eufive_20210710-170448.exe
Resource: win7v20210408
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Targets
Target: eufive_20210710-170448
Signatures
- ServHelper: ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges: Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
- Sets DLL path for service in the registry
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
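The signatures above describe host-level behaviours (a net.exe privilege change, a write to the RDP listener port value, a ServiceDll path set for a service, a lookup of the Uninstall key, files dropped under System32 and later executed or loaded, self-deletion via cmd.exe). The following is an added example of how a responder might check endpoint telemetry for the same behaviours; it is not part of the sandbox report and not code from the sample. The event records it runs over are constructed to imitate Sysmon-style process, registry, file-create and image-load events (the dict field names are assumptions, not a real log schema), and the registry-read record is assumed to come from an API-monitor style trace, since Sysmon does not log registry reads.

```python
"""
Checks for the behaviours listed in the report, run over constructed host telemetry.

Added example, not part of the sandbox report or of the sample it describes.
Event dicts imitate Sysmon-style records; field names and all values are
assumptions, and none of the events comes from the actual sample.
"""
import re

# Registry locations the listed signatures refer to.
RDP_PORT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
SERVICE_DLL_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\Parameters\\ServiceDll$", re.I)
UNINSTALL_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return (finding, detail) pairs in event order.

    Each event has a 'type' of process, regset, regquery, filecreate or imageload.
    Dropped files are remembered so later execution or loading of them is flagged.
    """
    findings = []
    dropped = set()  # lower-cased paths written during the trace
    for ev in events:
        t = ev["type"]
        if t == "filecreate":
            path = ev["path"].lower()
            dropped.add(path)
            if path.startswith(SYSTEM32):
                findings.append(("drops-file-in-system32", ev["path"]))
        elif t == "process":
            image, cmd = ev["image"], ev["cmdline"]
            exe, toks = _basename(image), cmd.lower().split()
            if image.lower() in dropped:
                findings.append(("executes-dropped-exe", image))
            # net.exe / net1.exe adding an account to the local Administrators group
            if exe in ("net.exe", "net1.exe") and "localgroup" in toks \
                    and "administrators" in toks and "/add" in toks:
                findings.append(("grants-admin-privileges", cmd))
            if exe == "icacls.exe" and "/grant" in toks:
                findings.append(("modifies-file-permissions", cmd))
            # cmd.exe deleting its own parent's image is the usual self-delete pattern
            parent = ev.get("parent_image", "")
            if exe == "cmd.exe" and "del" in toks and parent and parent.lower() in cmd.lower():
                findings.append(("deletes-itself", parent))
        elif t == "regset":
            target = ev["target"]
            if target.lower() == RDP_PORT_KEY.lower():
                findings.append(("modifies-rdp-port", ev.get("details", "")))
            elif SERVICE_DLL_RE.match(target):
                findings.append(("sets-service-dll-path", ev.get("details", "")))
        elif t == "regquery":
            # Assumed to come from an API-monitor trace; Sysmon does not record reads.
            if UNINSTALL_RE.search(ev["target"]):
                findings.append(("checks-installed-software", ev["target"]))
        elif t == "imageload":
            if ev["image"].lower() in dropped and _basename(ev["image"]).endswith(".dll"):
                findings.append(("loads-dropped-dll", ev["image"]))
    return findings


# Constructed events (not from the sample) exercising each check once, plus one benign process.
SAMPLE_EVENTS = [
    {"type": "filecreate", "path": r"C:\Windows\System32\svcdrop.dll"},
    {"type": "filecreate", "path": r"C:\Users\Public\helper.exe"},
    {"type": "process", "image": r"C:\Users\Public\helper.exe", "cmdline": "helper.exe",
     "parent_image": r"C:\Users\user\sample.exe"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net localgroup administrators "support" /add',
     "parent_image": r"C:\Users\user\sample.exe"},
    {"type": "regset", "target": RDP_PORT_KEY, "details": "DWORD (0x00001F90)"},
    {"type": "regset",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDll",
     "details": r"C:\Windows\System32\svcdrop.dll"},
    {"type": "imageload", "image": r"C:\Windows\System32\svcdrop.dll"},
    {"type": "regquery", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\user\sample.exe"',
     "parent_image": r"C:\Users\user\sample.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"{name:28s} {detail}")
```

The checks are deliberately narrow (exact value path for the RDP port, a `Parameters\ServiceDll` value for any service, the Administrators group via net.exe) so they can be lifted into a SIEM query without tuning; the dropped-file tracking is what turns "a file was written to System32" and "a service DLL path was set" into the stronger finding that the service now points at a file the trace itself created.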