Overview

overview

10

Static

static

3

4069c013a2...b7.exe

windows7-x64

10

4069c013a2...b7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4069c013a2ec0c082f78a73719dcabb7

  • Size

    5.9MB

  • Sample

    240104-krpfmsccgl

  • MD5

    4069c013a2ec0c082f78a73719dcabb7

  • SHA1

    14d643ed38a6c64c299bc24379b5b66ac958aff6

  • SHA256

    2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c

  • SHA512

    5a5bdfa931a1f9a2b8855e6331669404f332f504f15a5eae7fb6e51f7ac99bbb83f5c986931fadb00c761e81617a47707cff811eb6e2ebf55369cec8f6002f05

  • SSDEEP

    49152:pFWJLirb/TkvO90dL3BmAFd4A64nsfJ5mb5KN0ZKrVbLMe8paAzK1X4FXtPqnJ0x:pF8mmMmAQQQQQQQQQQQQQ

Score
10/10
servhelperbackdoordiscoveryexploitpersistencetrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      4069c013a2ec0c082f78a73719dcabb7

    • Size

      5.9MB

    • MD5

      4069c013a2ec0c082f78a73719dcabb7

    • SHA1

      14d643ed38a6c64c299bc24379b5b66ac958aff6

    • SHA256

      2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c

    • SHA512

      5a5bdfa931a1f9a2b8855e6331669404f332f504f15a5eae7fb6e51f7ac99bbb83f5c986931fadb00c761e81617a47707cff811eb6e2ebf55369cec8f6002f05

    • SSDEEP

      49152:pFWJLirb/TkvO90dL3BmAFd4A64nsfJ5mb5KN0ZKrVbLMe8paAzK1X4FXtPqnJ0x:pF8mmMmAQQQQQQQQQQQQQ

    Score
    10/10
    discoveryexploitservhelperbackdoorpersistencetrojanupx

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

      trojanbackdoorservhelper

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

      exploit

    • Sets DLL path for service in the registry

      persistence

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks