Overview

overview

10

Static

static

Adobe-Inde...ee.msi

windows7_x64

10

Adobe-Inde...ee.msi

windows10_x64

10

Resubmissions

02-10-2021 16:02

211002-tg7znsedh5 10

26-09-2021 14:41

210926-r2e4aafaa8 10

Analysis

  • max time kernel
    132s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    02-10-2021 16:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adobe-Indesign-Business-Plan-Template-Free.msi

  • Size

    108.5MB

  • MD5

    82dbf0d2b49de42dc700df7c96b41eb1

  • SHA1

    509c08fd9805cf2034fec547c0fc962423a96a3b

  • SHA256

    7ada6e666c34aacaf7c93d11ca2e563ec53da37fb23a181631809d0d5ef14387

  • SHA512

    3d256fba291eb2f4a81ef53d8db8a333f3fb26a9a2c90e3c28bb0a944dc8bba2a2c8902232b14e6a9debdf93a2ff100faabb2be2053aac7fc2ccbdbd2f98fc83

Score
10/10
jupyterbackdoordiscoverystealertrojan

Malware Config

Extracted

Family

jupyter

Version

SP-18

C2

http://188.241.83.61

Signatures

  • Jupyter Backdoor/Client Payload 1 IoCs
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Adobe-Indesign-Business-Plan-Template-Free.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Local\Temp\MSI7AF8.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI7AF8.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\Temp\{F2F0D090-F14E-4740-849A-0EE31ABEC8CF}\.cr\MSI7AF8.tmp
        "C:\Windows\Temp\{F2F0D090-F14E-4740-849A-0EE31ABEC8CF}\.cr\MSI7AF8.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSI7AF8.tmp" -burn.filehandle.attached=544 -burn.filehandle.self=540
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2836
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 16C8ACD64AA8A7136796C7134E2D5381 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7BD5.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7B74.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7B75.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7B76.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:2444

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2444-134-0x0000000006660000-0x0000000006661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-173-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-2374-0x00000000091C0000-0x00000000091CB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2444-191-0x0000000000E63000-0x0000000000E64000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-182-0x000000000A000000-0x000000000A001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-140-0x0000000000E60000-0x0000000000E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-153-0x0000000006C20000-0x0000000006C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-154-0x00000000073F0000-0x00000000073F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-155-0x0000000007460000-0x0000000007461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-156-0x0000000007710000-0x0000000007711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-157-0x00000000075E0000-0x00000000075E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-141-0x0000000000E62000-0x0000000000E63000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-159-0x0000000007B80000-0x0000000007B81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-176-0x0000000009480000-0x0000000009481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-175-0x0000000008C00000-0x0000000008C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-136-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-164-0x0000000007E90000-0x0000000007E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-174-0x0000000008B80000-0x0000000008B81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-162-0x0000000006A10000-0x0000000006A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-172-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-143-0x0000000006191000-0x0000000006192000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-165-0x0000000006194000-0x0000000006195000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-139-0x0000000003E30000-0x0000000003E31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-166-0x0000000006197000-0x0000000006198000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-177-0x0000000009620000-0x0000000009621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-152-0x00000000064E0000-0x00000000064E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-142-0x0000000006190000-0x0000000006191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-190-0x0000000006198000-0x0000000006199000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-144-0x0000000006193000-0x0000000006194000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-148-0x0000000006510000-0x0000000006511000-memory.dmp

    Filesize

    4KB

    Download