jupyter | 5cd7eab6d1ff136e0f69ae76a45fa3f5e6f77e4c4185dc34205a5f2a6c054663

Analysis

max time kernel
57s
max time network
139s
platform
windows10_x64
resource
win10v20201028
submitted
24-11-2020 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe

Score

10^/10

jupyter backdoor stealer trojan

Malware Config

Signatures

Jupyter Backdoor/Client Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2380-176-0x0000000009DA0000-0x0000000009DB3000-memory.dmp	family_jupyter

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	2380	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
740	Docx2Rtf.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup\a7f9214c3844f0a883268d3853ba7.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
420	powershell.exe
420	powershell.exe
3932	powershell.exe
3932	powershell.exe
3712	powershell.exe
3712	powershell.exe
3752	powershell.exe
3752	powershell.exe
3800	powershell.exe
3800	powershell.exe
3476	powershell.exe
3476	powershell.exe
3764	powershell.exe
3764	powershell.exe
1988	powershell.exe
1988	powershell.exe
2380	powershell.exe
2380	powershell.exe
1612	powershell.exe
1612	powershell.exe
420	powershell.exe
1988	powershell.exe
2380	powershell.exe
1612	powershell.exe
3476	powershell.exe
3932	powershell.exe
3800	powershell.exe
3764	powershell.exe
3752	powershell.exe
3712	powershell.exe
3752	powershell.exe
420	powershell.exe
2380	powershell.exe
3712	powershell.exe
3476	powershell.exe
1988	powershell.exe
1612	powershell.exe
3800	powershell.exe
3932	powershell.exe
3764	powershell.exe
2380	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
740	Docx2Rtf.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3820	3324	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	74
PID 3324 wrote to memory of 3820	3324	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	74
PID 3324 wrote to memory of 3820	3324	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	74
PID 3820 wrote to memory of 740	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	76
PID 3820 wrote to memory of 740	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	76
PID 3820 wrote to memory of 740	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	76
PID 3820 wrote to memory of 1988	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	80
PID 3820 wrote to memory of 1988	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	80
PID 3820 wrote to memory of 1988	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	80
PID 3820 wrote to memory of 2380	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	82
PID 3820 wrote to memory of 2380	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	82
PID 3820 wrote to memory of 2380	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	82
PID 3820 wrote to memory of 3764	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	84
PID 3820 wrote to memory of 3764	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	84
PID 3820 wrote to memory of 3764	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	84
PID 3820 wrote to memory of 3752	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	86
PID 3820 wrote to memory of 3752	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	86
PID 3820 wrote to memory of 3752	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	86
PID 3820 wrote to memory of 1612	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	88
PID 3820 wrote to memory of 1612	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	88
PID 3820 wrote to memory of 1612	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	88
PID 3820 wrote to memory of 3800	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	90
PID 3820 wrote to memory of 3800	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	90
PID 3820 wrote to memory of 3800	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	90
PID 3820 wrote to memory of 3712	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	92
PID 3820 wrote to memory of 3712	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	92
PID 3820 wrote to memory of 3712	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	92
PID 3820 wrote to memory of 420	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	94
PID 3820 wrote to memory of 420	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	94
PID 3820 wrote to memory of 420	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	94
PID 3820 wrote to memory of 3476	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	95
PID 3820 wrote to memory of 3476	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	95
PID 3820 wrote to memory of 3476	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	95
PID 3820 wrote to memory of 3932	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	98
PID 3820 wrote to memory of 3932	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	98
PID 3820 wrote to memory of 3932	3820	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	98

C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\is-QGV74.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QGV74.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp" /SL5="$40054,118835448,809472,C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\is-DIKLT.tmp\Docx2Rtf.exe
    "C:\Users\Admin\AppData\Local\Temp\is-DIKLT.tmp\Docx2Rtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\392403ccdd1221d05be0450ca43a6c8a.txt';$c=get-content $p;remove-item $p;iex $c"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-16-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/420-25-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1612-127-0x00000000090C0000-0x00000000090C1000-memory.dmp

Filesize
4KB

Download
memory/1612-15-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1612-139-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/1612-120-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/1988-45-0x0000000007940000-0x0000000007941000-memory.dmp

Filesize
4KB

Download
memory/1988-19-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-95-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/2380-22-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-35-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2380-156-0x000000000A330000-0x000000000A331000-memory.dmp

Filesize
4KB

Download
memory/2380-176-0x0000000009DA0000-0x0000000009DB3000-memory.dmp

Filesize
76KB

Download
memory/3476-23-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3476-66-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3476-85-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3712-18-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3752-75-0x0000000008260000-0x0000000008261000-memory.dmp

Filesize
4KB

Download
memory/3752-21-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3752-116-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/3752-105-0x0000000008A00000-0x0000000008A01000-memory.dmp

Filesize
4KB

Download
memory/3752-55-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3764-20-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3800-17-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3932-24-0x00000000713A0000-0x0000000071A8E000-memory.dmp

Filesize
6.9MB

Download