General

  • Target

    63151e4f7c3972f18a23c0e9996e14ef.exe

  • Size

    5.7MB

  • Sample

    211026-r617baaabr

  • MD5

    63151e4f7c3972f18a23c0e9996e14ef

  • SHA1

    5d041fde6433a8ff8fc78a69fca1fd4630e3f270

  • SHA256

    cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

  • SHA512

    f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      63151e4f7c3972f18a23c0e9996e14ef.exe

    • Size

      5.7MB

    • MD5

      63151e4f7c3972f18a23c0e9996e14ef

    • SHA1

      5d041fde6433a8ff8fc78a69fca1fd4630e3f270

    • SHA256

      cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

    • SHA512

      f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • suricata: ET MALWARE ServHelper CnC Inital Checkin

      suricata: ET MALWARE ServHelper CnC Inital Checkin

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks