General

  • Target

    dfc0833ac8fd56c6664557a1a631fb1e90b5fe768be924d11f44e5ad1757c5a8

  • Size

    2.3MB

  • Sample

    220521-pph83afgb5

  • MD5

    6a6cf415c98656519c7b217fa2e434e4

  • SHA1

    ceb82170eaa139f3d32212a1484190d6076adbf4

  • SHA256

    dfc0833ac8fd56c6664557a1a631fb1e90b5fe768be924d11f44e5ad1757c5a8

  • SHA512

    5dec972762ba694dd4e58ff75e19e425dc67956a318a6c27b7af55017cb29c2816a008335a280734cdb7aff98518e5f9c26b4cd8c3b0082c0ee72888def18724

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      dfc0833ac8fd56c6664557a1a631fb1e90b5fe768be924d11f44e5ad1757c5a8

    • Size

      2.3MB

    • MD5

      6a6cf415c98656519c7b217fa2e434e4

    • SHA1

      ceb82170eaa139f3d32212a1484190d6076adbf4

    • SHA256

      dfc0833ac8fd56c6664557a1a631fb1e90b5fe768be924d11f44e5ad1757c5a8

    • SHA512

      5dec972762ba694dd4e58ff75e19e425dc67956a318a6c27b7af55017cb29c2816a008335a280734cdb7aff98518e5f9c26b4cd8c3b0082c0ee72888def18724

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Account Manipulation

1
T1098

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

File Permissions Modification

1
T1222

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Tasks