Analysis

max time kernel: 280s
max time network: 272s
platform: windows10_x64
resource: win10-20220414-en
submitted: 13-06-2022 00:02
Static task: static1
General

Target: jupyter.exe
Size: 114.1MB
MD5: e56ad54905b09c1345207b7fdddf21c6
SHA1: 6ad28e1810eb1be26e835e5224e78e13576887b9
SHA256: ee904ce81c66b774897f93b0301e297a9137295516d57ba1c4e078a383cbce39
SHA512: 014f3b551431be47b6cdacae0898d599a38d0371becc4cdfd2cfce66f622a6b7f2ab3af88a8db92b385b9f2f3e79649215b7ef345bc7b271dcd26c00ba3f7efd
Malware Config

Extracted
  Family: jupyter
  Version: DR/1.1
  C2: http://91.241.19.21
Signatures

Jupyter Backdoor/Client Payload (1 IoC)
  resource: behavioral1/memory/1264-1273-0x0000000009240000-0x0000000009256000-memory.dmp
  yara_rule: family_jupyter

Blocklisted process makes network request (5 IoCs)
  flow  pid   process
  6     1264  powershell.exe
  7     1264  powershell.exe
  8     1264  powershell.exe
  9     1264  powershell.exe
  10    1264  powershell.exe

Executes dropped EXE (2 IoCs)
  pid   process
  3688  jupyter.tmp
  2548  Docx2Rtf.exe

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup\a6ee8c157724e7945bfcd9eb64fa3.lnk
  process: powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (37 IoCs)
  All 37 hits are powershell.exe instances; identical rows are collapsed below with a hit count per pid.
  pid   process         hits
  1436  powershell.exe  4
  1264  powershell.exe  5
  948   powershell.exe  3
  2800  powershell.exe  3
  628   powershell.exe  3
  3668  powershell.exe  3
  2340  powershell.exe  4
  1144  powershell.exe  4
  188   powershell.exe  4
  2324  powershell.exe  4

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2800  powershell.exe
  Token: SeDebugPrivilege  1436  powershell.exe
  Token: SeDebugPrivilege  628   powershell.exe
  Token: SeDebugPrivilege  1264  powershell.exe
  Token: SeDebugPrivilege  948   powershell.exe
  Token: SeDebugPrivilege  3668  powershell.exe
  Token: SeDebugPrivilege  2340  powershell.exe
  Token: SeDebugPrivilege  1144  powershell.exe
  Token: SeDebugPrivilege  188   powershell.exe
  Token: SeDebugPrivilege  2324  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2548  Docx2Rtf.exe

Suspicious use of WriteProcessMemory (36 IoCs)
  Every parent/target pair is reported three times; identical rows are collapsed below with a count per pair.
  description                       pid   process      target process  count
  PID 1404 wrote to memory of 3688  1404  jupyter.exe  jupyter.tmp     3
  PID 3688 wrote to memory of 2548  3688  jupyter.tmp  Docx2Rtf.exe    3
  PID 3688 wrote to memory of 628   3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 2800  3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 1436  3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 1264  3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 948   3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 3668  3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 2340  3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 1144  3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 188   3688  jupyter.tmp  powershell.exe  3
  PID 3688 wrote to memory of 2324  3688  jupyter.tmp  powershell.exe  3
Processes

C:\Users\Admin\AppData\Local\Temp\jupyter.exe  (PID 1404)
  command line: "C:\Users\Admin\AppData\Local\Temp\jupyter.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp  (PID 3688, child of 1404)
    command line: "C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp" /SL5="$60070,118835448,809472,C:\Users\Admin\AppData\Local\Temp\jupyter.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe  (PID 2548, child of 3688)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (ten instances, all children of 3688: PIDs 628, 2800, 1436, 948, 1264, 3668, 2340, 1144, 188, 2324)
      command line (identical for all ten): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\edda5c2fe3700f0fe6b4d173ff5d6dc0.txt';$c=get-content $p;remove-item $p;iex $c"
      - Suspicious behavior: EnumeratesProcesses (all ten)
      - Suspicious use of AdjustPrivilegeToken (all ten)
      - Blocklisted process makes network request (PID 1264 only)
      - Drops startup file (PID 1264 only)
Downloads

Filesize: 2KB
MD5: a4022a7d2b113226b000be0705680813
SHA1: 599e22d03201704127a045ca53ffb78f9ea3b6c3
SHA256: 2557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7
SHA512: 40ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60

Filesize: 19KB
MD5: 58674177538f6429aa51bfd9e78f5944
SHA1: 526a419a8307f9b89da9785e4da42840ff77f136
SHA256: 5830ff840bc14ca7b2c355b00144eaa63594197bfdcc21075204123bfa89396d
SHA512: ed30996df8bdf0d07a4360264fb022ac62fce82654fe99fcb6c777f1c2eee82b78da183588bab5264fadb7c53924ed023bbd8469d7616c3e7f8f4586bcdef94d

Filesize: 19KB
MD5: c89d1a9b85641c339615d5530922b7ea
SHA1: 8031ab43eaaf15a1aa1470ab17ec8641441009e9
SHA256: 1ea443496f1eb9488a58466b7848d8826a78761ed7221e0e8ab087c62b5dab87
SHA512: d51dad3b5817b1bf3e38445fe103964561cfff605591e2b366ebd37fbc29dae011486b13c132b70d3d2dcfd0ca16357287a86d009eb345c83f1c1ff34e13e656

Filesize: 19KB
MD5: aba356db37cff7efff4b164f32999d25
SHA1: 4766c9fdf2312d1ad1f284878c8985356ff4673f
SHA256: 6d7091f75056a643abb46463f782d1f0e8d2c90eb606b6bd0718d87a2dd69c79
SHA512: 1d2f8f69a18d34be44c2395a075476a3244d7d9c40e0f74177f20969dc78c19776fe9086dcad1b2c16db60d7b46dd9eb33d9282635d42f2a652ad3dc5f5dd2f6

Filesize: 19KB
MD5: aba356db37cff7efff4b164f32999d25
SHA1: 4766c9fdf2312d1ad1f284878c8985356ff4673f
SHA256: 6d7091f75056a643abb46463f782d1f0e8d2c90eb606b6bd0718d87a2dd69c79
SHA512: 1d2f8f69a18d34be44c2395a075476a3244d7d9c40e0f74177f20969dc78c19776fe9086dcad1b2c16db60d7b46dd9eb33d9282635d42f2a652ad3dc5f5dd2f6

Filesize: 19KB
MD5: f130d92dd726381553c3a1d84a9ec517
SHA1: 540549fb700db937119878a60c4cc55d3c91a7cf
SHA256: bfa14677838a83fc2b2f06d46959611bd31b533b1d1f362fb4c6342a45509b6e
SHA512: 570734ab8eca6bdf6c5ba8f7ee7ed00b764c5dc9720b7598d4b77c98559dffa6cc97f793e29b7169d66d5e7c3125675d56904bdebfc90726c691af227b00668a

Filesize: 19KB
MD5: 547011490e62c87690f84c16496de184
SHA1: 5b9d6a2eb1fdb9ba2fe5dfef4591ee03071fea1d
SHA256: 240dee229f739faf33f238dd45450f25cc2c243ae6918730c030876f9051cd68
SHA512: 3a663215f71e31ae296089ef422770b465e62155e572684b5a3e9696510c315b4f665ca61767773dfedfd6ff5a4fdf3c73ea5259fcca8f9b5290805edcd4618a

Filesize: 19KB
MD5: 8a597654625ca54d94b482c0eb9a0232
SHA1: 7ec11737640d334f703ccf79ac35d575ccb2014d
SHA256: 4a8ce3a76f8c9ce8edfdd530773b1e7f9efa644154ac3e121f1164bafc40af07
SHA512: 2fb09e2503e8097decc3e80dfa06756b2dbf2159a10525af2c6d51fdb995a4ec72ee9d190fc9837445608805afecc4338e60902b93a18d9dc4db02f0c076f009

Filesize: 19KB
MD5: efce47f23fc8ee486cae60306030c461
SHA1: 11040ac1ad1ef7b5b88630e13bd101cc7aede34d
SHA256: ba6c35afaa143fb36c42a5c87ace348557f938fac0e243fc6303ddc33936a44f
SHA512: e48debee07bc2fd0e23196153c60f05ee0bee42cf97575bcc99ca37b78c38b850698bed8477fb5d7cbc0824e19880545e9b8a98789dba5bab39e4eb7a7c75767

Filesize: 134KB
MD5: 1d4806a4758ef9a5aa52f542468faf88
SHA1: 75ef7bfd2e46486a05c38e7857be00fd69131929
SHA256: e17d7f14dc48bebbf4635d070e09801d71d93280f8ab6df92e498fbc215fc7cb
SHA512: bcb4e44e95a64c496e2efbc5bb640ed4ce937dae592c7cd8ea67890b5c01f2daa4b15db5019151fb861047257434089c7d3556acb54bca7969b0b850a7e8f68d

Filesize: 414B
MD5: 26942684201095254e6aee50776bb73b
SHA1: ec2621c613329473f1959fa0f3f0d4349c6ba337
SHA256: 90c979adbe5d7b7d340dd0ed6743445f0bd666bb969cd880ef9bee95aaadcf41
SHA512: bff53f547699ddca929d7bc6b2f6737c555fcf477264e773c873883e7927176bca33f0c085b0dc6fa0e70bd0a10cf68997d1730a1c18024e822c3178cc03027f

Filesize: 6.7MB
MD5: ba95ebd0d6f6e7861b75149561f1fbd3
SHA1: 639a1e699d3aea6a0a204e4023f87ef05b4df5fb
SHA256: caf8e546f8c6ce56009d28b96c4c8229561d10a6dd89d12be30fa9021b1ce2f4
SHA512: 7c1f01685bb73865e954a8629712c8183cdd9416d7eadf478dfb54eef18424c71c9f9e9d40e7d5889a7212a45585c6f22726bfa81160eedf5b7a6ab450a2cd51

Filesize: 6.7MB
MD5: ba95ebd0d6f6e7861b75149561f1fbd3
SHA1: 639a1e699d3aea6a0a204e4023f87ef05b4df5fb
SHA256: caf8e546f8c6ce56009d28b96c4c8229561d10a6dd89d12be30fa9021b1ce2f4
SHA512: 7c1f01685bb73865e954a8629712c8183cdd9416d7eadf478dfb54eef18424c71c9f9e9d40e7d5889a7212a45585c6f22726bfa81160eedf5b7a6ab450a2cd51

Filesize: 2.5MB
MD5: 26fcf4debd7de2d67fc0289257d02300
SHA1: e31cf43e9a8346e320e19618f9d8c9de2b641c20
SHA256: aab26ce34cd22bdfab7aa5270218f5af2e34276bfc155a7f51c26dc53c14d3f2
SHA512: bf24ffd2fef7f72b853f44b477ee70c8c721a7411e928ab7719dc0f208e687bed8f47883033e658a0a04735a42640398ee5e7e486b38e46254f16fb2154cb67a