General
-
Target
40d10714cfb75e2f22c44fd44e85d1d0N
-
Size
7.1MB
-
Sample
240829-kt2travfmn
-
MD5
40d10714cfb75e2f22c44fd44e85d1d0
-
SHA1
79e291688ecb088468e0162b0685956be1206fbd
-
SHA256
1d35504c81463a2597916e4ea5448d45caee98ccc8557e256bcc05a567584b37
-
SHA512
98095c75bc12cc6a0f353f7d40155a44222dab25569ee736ab232f7c985ebfbf4ffb9fab80dd27e2c581729f571029ed6eaea61d5bac32ac1ac3566e7faf2e4b
-
SSDEEP
196608:ZJM3nfEyJ8X2RmnK0v0Ahh0yfcjkbMebHjgTF8R:Z2f6X2RFWhSyQe3sFS
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Targets
-
-
Target
40d10714cfb75e2f22c44fd44e85d1d0N
-
Size
7.1MB
-
MD5
40d10714cfb75e2f22c44fd44e85d1d0
-
SHA1
79e291688ecb088468e0162b0685956be1206fbd
-
SHA256
1d35504c81463a2597916e4ea5448d45caee98ccc8557e256bcc05a567584b37
-
SHA512
98095c75bc12cc6a0f353f7d40155a44222dab25569ee736ab232f7c985ebfbf4ffb9fab80dd27e2c581729f571029ed6eaea61d5bac32ac1ac3566e7faf2e4b
-
SSDEEP
196608:ZJM3nfEyJ8X2RmnK0v0Ahh0yfcjkbMebHjgTF8R:Z2f6X2RFWhSyQe3sFS
Score10/10-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocklisted process makes network request
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Modifies RDP port number used by Windows
-
Possible privilege escalation attempt
-
Server Software Component: Terminal Services DLL
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Account Manipulation
1Server Software Component
1Terminal Services DLL
1Defense Evasion
Indicator Removal
2File Deletion
1Network Share Connection Removal
1File and Directory Permissions Modification
1Modify Registry
1Discovery
Query Registry
1System Information Discovery
3Permission Groups Discovery
1Local Groups
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Remote System Discovery
1