General

  • Target

    2e3b62f4f1669b3615608ea31e1796dd

  • Size

    6.7MB

  • Sample

    211016-mkzzxabhc4

  • MD5

    2e3b62f4f1669b3615608ea31e1796dd

  • SHA1

    9f9584588e480c0cfc18b770da47b00919e24219

  • SHA256

    f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625

  • SHA512

    2879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af

Malware Config

Targets

    • Target

      2e3b62f4f1669b3615608ea31e1796dd

    • Size

      6.7MB

    • MD5

      2e3b62f4f1669b3615608ea31e1796dd

    • SHA1

      9f9584588e480c0cfc18b770da47b00919e24219

    • SHA256

      f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625

    • SHA512

      2879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Executes dropped EXE

    • Modifies RDP port number used by Windows

    • Sets DLL path for service in the registry

    • Deletes itself

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Account Manipulation

1
T1098

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Lateral Movement

Remote Desktop Protocol

1
T1076

Tasks