Overview

overview

10

Static

static

Adobe-Inde...ee.msi

windows7_x64

8

Adobe-Inde...ee.msi

windows10_x64

10

Resubmissions

02-10-2021 16:02

211002-tg7znsedh5 10

26-09-2021 14:41

210926-r2e4aafaa8 10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adobe-Indesign-Business-Plan-Template-Free.msi

Score
10/10
jupyterbackdoordiscoverystealertrojan

Malware Config

Extracted

Family

jupyter

Version

SP-18

C2

http://188.241.83.61

Signatures

  • Jupyter Backdoor/Client Payload 1 IoCs
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Adobe-Indesign-Business-Plan-Template-Free.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\Temp\{83CE1938-E175-4618-917B-EDAC6D620417}\.cr\MSI603C.tmp
        "C:\Windows\Temp\{83CE1938-E175-4618-917B-EDAC6D620417}\.cr\MSI603C.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp" -burn.filehandle.attached=600 -burn.filehandle.self=596
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:932
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4AB555D5230267013CD3A4E9B9EA34E0 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss60EA.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi60B8.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr60B9.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr60BA.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI559D.tmp
    MD5

    07ce413b1af6342187514871dc112c74

    SHA1

    8008f8bfeae99918b6323a3d1270dea63b3a8394

    SHA256

    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

    SHA512

    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp
    MD5

    044a5d8e2f1356de889aedb11fdcc679

    SHA1

    4e8416eb12d209509d49998ebe714612709eb4d6

    SHA256

    e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

    SHA512

    3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MSI603C.tmp
    MD5

    044a5d8e2f1356de889aedb11fdcc679

    SHA1

    4e8416eb12d209509d49998ebe714612709eb4d6

    SHA256

    e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

    SHA512

    3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MSI605D.tmp
    MD5

    c26c68e4a79fd2629714b17514411c40

    SHA1

    00138d8edea0918c4476da303415be399cf704c6

    SHA256

    55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

    SHA512

    6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pss60EA.ps1
    MD5

    0c95bc11cfca37f84a19de0529377e13

    SHA1

    41f409dbbab04ef35c4f6489af6f85fceb9c501a

    SHA256

    88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

    SHA512

    8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\scr60B9.ps1
    MD5

    c803797d8af1ef2779336e1c31743a44

    SHA1

    66b903d47f23a52a428daf3f358ff9522a1761b0

    SHA256

    f8ffeda0cf4e3519a3af952f17ac137aa59b7d547612e5b6595dad4e26165027

    SHA512

    086b7ea1b3d07e2f3d2aa10927c9cd61a659cc168ccb67226cf3d142e9b14ce861ac866997838c1295904da86ec0d50873c0c359add2bf829f59596fde1d3385

    Download Submit
  • C:\Windows\Temp\{83CE1938-E175-4618-917B-EDAC6D620417}\.cr\MSI603C.tmp
    MD5

    044a5d8e2f1356de889aedb11fdcc679

    SHA1

    4e8416eb12d209509d49998ebe714612709eb4d6

    SHA256

    e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

    SHA512

    3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

    Download Submit
  • C:\Windows\Temp\{83CE1938-E175-4618-917B-EDAC6D620417}\.cr\MSI603C.tmp
    MD5

    044a5d8e2f1356de889aedb11fdcc679

    SHA1

    4e8416eb12d209509d49998ebe714612709eb4d6

    SHA256

    e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

    SHA512

    3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MSI559D.tmp
    MD5

    07ce413b1af6342187514871dc112c74

    SHA1

    8008f8bfeae99918b6323a3d1270dea63b3a8394

    SHA256

    0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

    SHA512

    27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MSI605D.tmp
    MD5

    c26c68e4a79fd2629714b17514411c40

    SHA1

    00138d8edea0918c4476da303415be399cf704c6

    SHA256

    55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

    SHA512

    6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\BootstrapperCore.dll
    MD5

    c4f7146ddc56763ccdb1cb3c09478708

    SHA1

    bca088ab33cfb69adeae11a272e9c8a83f39a8c9

    SHA256

    886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

    SHA512

    df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\BootstrapperCore.dll
    MD5

    c4f7146ddc56763ccdb1cb3c09478708

    SHA1

    bca088ab33cfb69adeae11a272e9c8a83f39a8c9

    SHA256

    886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

    SHA512

    df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\GalaSoft.MvvmLight.WPF4.dll
    MD5

    1e40431b501d55fe8ba59cabb3ce5c17

    SHA1

    b8aef0f6829345d844960c3eaf96c41f76142f6c

    SHA256

    92ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000

    SHA512

    2ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\GalaSoft.MvvmLight.WPF4.dll
    MD5

    1e40431b501d55fe8ba59cabb3ce5c17

    SHA1

    b8aef0f6829345d844960c3eaf96c41f76142f6c

    SHA256

    92ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000

    SHA512

    2ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\NitroBA.dll
    MD5

    6726d4b46346ef40dd3ea4376ae7d259

    SHA1

    ffdaa10e1e3d1c7d7411f799a0889ce66014bc29

    SHA256

    3e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963

    SHA512

    cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\NitroBA.dll
    MD5

    6726d4b46346ef40dd3ea4376ae7d259

    SHA1

    ffdaa10e1e3d1c7d7411f799a0889ce66014bc29

    SHA256

    3e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963

    SHA512

    cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\PageTransitions.dll
    MD5

    ad69d408b05b98180b25d23b0a790f01

    SHA1

    5fdbdae2979685db500d2b031e2a430ce16e592e

    SHA256

    14090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646

    SHA512

    12323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\PageTransitions.dll
    MD5

    ad69d408b05b98180b25d23b0a790f01

    SHA1

    5fdbdae2979685db500d2b031e2a430ce16e592e

    SHA256

    14090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646

    SHA512

    12323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\mbahost.dll
    MD5

    d7c697ceb6f40ce91dabfcbe8df08e22

    SHA1

    49cd0213a1655dcdb493668083ab2d7f55135381

    SHA256

    b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df

    SHA512

    22ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1

    Download Submit
  • \Windows\Temp\{9A147049-5133-4AB8-9C05-DCD43A90AB81}\.ba\metrics.dll
    MD5

    aed8280e90f672f631d2aedebd6452bf

    SHA1

    390b96ce6b4b1a47c12d8932c5e8da6e51fdd38a

    SHA256

    a82332e0a9c9cee34f9a46d5e984901fa57a011f54e7b37b9716acf834746ced

    SHA512

    23a223fc4da00038ff6b584f0a2a4186f49eaf4d8cb28dfdfa795048a4a977aa39848cb83bbfd8f0555412fd04c802b122267266e33a5ddc49d3e0ff1e2eca4f

    Download Submit
  • memory/772-125-0x0000000000000000-mapping.dmp
    Download
  • memory/900-135-0x0000000004C70000-0x0000000004C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-182-0x000000000A930000-0x000000000A931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-142-0x00000000079C0000-0x00000000079C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-148-0x0000000007382000-0x0000000007383000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-3620-0x0000000009A70000-0x0000000009A7B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/900-150-0x00000000076E0000-0x00000000076E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-151-0x0000000007780000-0x0000000007781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-225-0x0000000007383000-0x0000000007384000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-128-0x0000000000000000-mapping.dmp
    Download
  • memory/900-173-0x0000000009810000-0x0000000009811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-155-0x0000000007860000-0x0000000007861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-156-0x00000000080F0000-0x00000000080F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-157-0x00000000078F0000-0x00000000078F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-158-0x00000000087C0000-0x00000000087C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-136-0x0000000007380000-0x0000000007381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-160-0x0000000008700000-0x0000000008701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-176-0x0000000009DB0000-0x0000000009DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-175-0x0000000009530000-0x0000000009531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-174-0x00000000094C0000-0x00000000094C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-138-0x0000000006CF1000-0x0000000006CF2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-163-0x00000000073E0000-0x00000000073E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-166-0x0000000006CF7000-0x0000000006CF8000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-170-0x0000000007580000-0x0000000007581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-165-0x0000000006CF4000-0x0000000006CF5000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-149-0x0000000006CF3000-0x0000000006CF4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-137-0x0000000006CF0000-0x0000000006CF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-129-0x0000000000000000-mapping.dmp
    Download
  • memory/932-177-0x000000000A280000-0x000000000A281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-146-0x0000000006F00000-0x0000000006F01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-154-0x0000000004910000-0x0000000004911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-222-0x0000000006CF8000-0x0000000006CF9000-memory.dmp
    Filesize

    4KB

    Download
  • memory/932-141-0x0000000004830000-0x0000000004831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-118-0x0000000000000000-mapping.dmp
    Download