Overview

overview

10

Static

static

Adobe-Inde...ee.msi

windows7_x64

8

Adobe-Inde...ee.msi

windows10_x64

10

Resubmissions

02-10-2021 16:02

211002-tg7znsedh5 10

26-09-2021 14:41

210926-r2e4aafaa8 10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adobe-Indesign-Business-Plan-Template-Free.msi

Score
10/10
jupyterbackdoordiscoverystealertrojan

Malware Config

Extracted

Family

jupyter

Version

SP-18

C2

http://188.241.83.61

Signatures

  • Jupyter Backdoor/Client Payload 1 IoCs
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Adobe-Indesign-Business-Plan-Template-Free.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\Temp\{83CE1938-E175-4618-917B-EDAC6D620417}\.cr\MSI603C.tmp
        "C:\Windows\Temp\{83CE1938-E175-4618-917B-EDAC6D620417}\.cr\MSI603C.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp" -burn.filehandle.attached=600 -burn.filehandle.self=596
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:932
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4AB555D5230267013CD3A4E9B9EA34E0 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss60EA.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi60B8.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr60B9.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr60BA.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/900-135-0x0000000004C70000-0x0000000004C71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-182-0x000000000A930000-0x000000000A931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-142-0x00000000079C0000-0x00000000079C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-148-0x0000000007382000-0x0000000007383000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-3620-0x0000000009A70000-0x0000000009A7B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/900-150-0x00000000076E0000-0x00000000076E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-151-0x0000000007780000-0x0000000007781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-225-0x0000000007383000-0x0000000007384000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-173-0x0000000009810000-0x0000000009811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-155-0x0000000007860000-0x0000000007861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-156-0x00000000080F0000-0x00000000080F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-157-0x00000000078F0000-0x00000000078F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-158-0x00000000087C0000-0x00000000087C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-136-0x0000000007380000-0x0000000007381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-160-0x0000000008700000-0x0000000008701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-176-0x0000000009DB0000-0x0000000009DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-175-0x0000000009530000-0x0000000009531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-174-0x00000000094C0000-0x00000000094C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-138-0x0000000006CF1000-0x0000000006CF2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-163-0x00000000073E0000-0x00000000073E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-166-0x0000000006CF7000-0x0000000006CF8000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-170-0x0000000007580000-0x0000000007581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-165-0x0000000006CF4000-0x0000000006CF5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-149-0x0000000006CF3000-0x0000000006CF4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-137-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-177-0x000000000A280000-0x000000000A281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-146-0x0000000006F00000-0x0000000006F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-154-0x0000000004910000-0x0000000004911000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-222-0x0000000006CF8000-0x0000000006CF9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-141-0x0000000004830000-0x0000000004831000-memory.dmp

    Filesize

    4KB

    Download