Overview

overview

10

Static

static

Due-Dilige...es.msi

windows7_x64

8

Due-Dilige...es.msi

windows10_x64

10

Resubmissions

19-06-2024 06:12

240619-gyadhsvhkh 10

16-09-2021 08:31

210916-keqg6scfa6 10

Analysis

  • max time kernel
    64s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    16-09-2021 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi

Score
10/10
jupyterbackdoorstealertrojan

Malware Config

Extracted

Family

jupyter

Version

SP-13

C2

http://45.42.201.248

Signatures

  • Jupyter Backdoor/Client Payload 1 IoCs
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:1408
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E3DA67FD23A1075CF4C32F37B6E2D57C C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss50B9.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5096.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5097.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr50A8.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1280

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI47AD.tmp
    MD5

    07ce413b1af6342187514871dc112c74

    SHA1

    8008f8bfeae99918b6323a3d1270dea63b3a8394

    SHA256

    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

    SHA512

    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp
    MD5

    91841e006225ac500de7630740a21d91

    SHA1

    68875ce8177794df6bf125b2bb8b8ecc3b84517b

    SHA256

    cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a

    SHA512

    d66e70b9d4d1997ac687589d0723c78e6ffe96aa35343b71f4e57750b7aad33d5555fd5d6b743125852e13cc9b9c338a8fb6b4844768054321404a8491546f0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI503B.tmp
    MD5

    c26c68e4a79fd2629714b17514411c40

    SHA1

    00138d8edea0918c4476da303415be399cf704c6

    SHA256

    55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

    SHA512

    6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pss50B9.ps1
    MD5

    0c95bc11cfca37f84a19de0529377e13

    SHA1

    41f409dbbab04ef35c4f6489af6f85fceb9c501a

    SHA256

    88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

    SHA512

    8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\scr5097.ps1
    MD5

    2908843ef0e8bb1207fe9a351cece994

    SHA1

    f98cb3d404c5823eca0027740d44acc8bcce214b

    SHA256

    f6aa48bc45be3b603a48a5261a28cc75e9c1c2f65aa37bb807b6c1bd80dce05a

    SHA512

    b660f2393b3978db34057fae047b73ade6122f8fb56569996a81235c681442c9d55e2223ac2045579b6e27b886f20d7f04520eb851ea7efeef30b401900d08a0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MSI47AD.tmp
    MD5

    07ce413b1af6342187514871dc112c74

    SHA1

    8008f8bfeae99918b6323a3d1270dea63b3a8394

    SHA256

    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

    SHA512

    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MSI503B.tmp
    MD5

    c26c68e4a79fd2629714b17514411c40

    SHA1

    00138d8edea0918c4476da303415be399cf704c6

    SHA256

    55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

    SHA512

    6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

    Download Submit

  • memory/920-118-0x0000000000000000-mapping.dmp

    Download

  • memory/1280-136-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-139-0x00000000080A0000-0x00000000080A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-133-0x0000000004822000-0x0000000004823000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-132-0x0000000004820000-0x0000000004821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-134-0x00000000071E0000-0x00000000071E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-135-0x0000000007970000-0x0000000007971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-130-0x0000000004860000-0x0000000004861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-137-0x0000000007C30000-0x0000000007C31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-138-0x0000000008040000-0x0000000008041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-131-0x0000000007290000-0x0000000007291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-140-0x0000000008320000-0x0000000008321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-1911-0x00000000096A0000-0x00000000096A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1280-146-0x00000000093E0000-0x00000000093E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-147-0x0000000009060000-0x0000000009061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-148-0x00000000090D0000-0x00000000090D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-149-0x0000000009980000-0x0000000009981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-154-0x000000000A500000-0x000000000A501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-125-0x0000000000000000-mapping.dmp

    Download

  • memory/1280-186-0x0000000004823000-0x0000000004824000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1408-126-0x0000000000000000-mapping.dmp

    Download