Overview

overview

10

Static

static

1

Ondura-Spe...ps.exe

windows7-x64

1

Ondura-Spe...ps.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1802s
  • max time network
    1801s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2023 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ondura-Specs-and-Installation-Tips.exe

  • Size

    300.3MB

  • MD5

    6534e49478f1c797df13b1cb34242280

  • SHA1

    a0878d6515159dfd4174070e6364b84987f9fcb6

  • SHA256

    86de8294aff50b4a37ec51864f2c2ce4416db78309d64fa8ee33088f75abc5b6

  • SHA512

    99d8a59b902b384404d4b8fddf06740baaa8aa2dc15c8b93299f138ff67c77272f136204fe11f46149ad4e633684b2ef30a3ea0b646b41924110e909e9bcaa50

  • SSDEEP

    49152:QPZa6Jr7GhXX7KbAC0yzH444444444444444444444444444444444444444444K:Qi

Score
10/10
jupyterbackdoorstealertrojan

Malware Config

Extracted

Family

jupyter

C2

http://91.206.178.109

Signatures

  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ondura-Specs-and-Installation-Tips.exe
    "C:\Users\Admin\AppData\Local\Temp\Ondura-Specs-and-Installation-Tips.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Users\Admin\AppData\Local\Temp\ebook-dist-x64.exe
      "C:\Users\Admin\AppData\Local\Temp\ebook-dist-x64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Local\Temp\is-8EVQJ.tmp\ebook-dist-x64.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-8EVQJ.tmp\ebook-dist-x64.tmp" /SL5="$501CA,31963475,231424,C:\Users\Admin\AppData\Local\Temp\ebook-dist-x64.exe"
        3⤵
        • Executes dropped EXE
        PID:3740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:9132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\APPDATA\ROAMING\N6QcBuNhnirvcExmPO3YNTvmqe9Ey3NgBrpKlgBiJemFSefJVaF71FpnUJhyhmvm
    Filesize

    81B

    MD5

    f440d2a71f73a7e0f7169379a1136d74

    SHA1

    dd6c6b639ca3ba326f207348e5aed654afb45f3b

    SHA256

    04ddc0b1ff780e314f4f9c8a57c42e72e46b6eb2f11882bb24ae77959480308d

    SHA512

    77512546d86bcc14bfc9cfe0aafa6d6aa2d13154baac30a4e87a98810f026de689f822230c1a8732667151e1caaf88240eff51b722629d5f7f65d486b42cea10

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwu45s1l.cxy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ebook-dist-x64.exe
    Filesize

    31.1MB

    MD5

    9ae4b9777fa38840806dadb0a32a4c68

    SHA1

    5397cdba0ee59a3ccdb333260fad48b9c9fd0945

    SHA256

    0084f62c6b5f5372fc4b789170a208373594b0be58837ec9166c4184122c368f

    SHA512

    6a5557c434a8dcbea04ddfd454fc2451fc7db2cd29c4e685503cfc976098b42f5d0492521a23290f130c3b2e8d5574889c0ca51cc67d60904460240f4c43a98f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ebook-dist-x64.exe
    Filesize

    31.1MB

    MD5

    9ae4b9777fa38840806dadb0a32a4c68

    SHA1

    5397cdba0ee59a3ccdb333260fad48b9c9fd0945

    SHA256

    0084f62c6b5f5372fc4b789170a208373594b0be58837ec9166c4184122c368f

    SHA512

    6a5557c434a8dcbea04ddfd454fc2451fc7db2cd29c4e685503cfc976098b42f5d0492521a23290f130c3b2e8d5574889c0ca51cc67d60904460240f4c43a98f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ebook-dist-x64.exe
    Filesize

    31.1MB

    MD5

    9ae4b9777fa38840806dadb0a32a4c68

    SHA1

    5397cdba0ee59a3ccdb333260fad48b9c9fd0945

    SHA256

    0084f62c6b5f5372fc4b789170a208373594b0be58837ec9166c4184122c368f

    SHA512

    6a5557c434a8dcbea04ddfd454fc2451fc7db2cd29c4e685503cfc976098b42f5d0492521a23290f130c3b2e8d5574889c0ca51cc67d60904460240f4c43a98f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-8EVQJ.tmp\ebook-dist-x64.tmp
    Filesize

    1.2MB

    MD5

    9987cc669f78a518ba68209321aa6950

    SHA1

    cd485c8859f7694ac9c5e0cd5150b47cb7ee417f

    SHA256

    985d4ac860cf5f5f3edaf81d3f4789c231d6c7367f4037586b0f7c839bd52f80

    SHA512

    cd8ae66ad6d3044fc91961518b7bded20a618a78becbfd75507d8004ba1d7247bb840020dc59a1db869f3c92c16b4acfe10909281c425772974863932f8c1405

    Download Submit

  • memory/1612-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1612-35-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3224-347-0x00007FFBD7040000-0x00007FFBD7B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3224-354-0x0000025542610000-0x0000025542620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3224-348-0x0000025542610000-0x0000025542620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3224-351-0x00007FFBD7040000-0x00007FFBD7B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3224-368-0x00007FFBD7040000-0x00007FFBD7B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3224-353-0x0000025542610000-0x0000025542620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3224-364-0x000002555CF70000-0x000002555CFC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3224-360-0x000002555CAC0000-0x000002555CB74000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3300-1-0x0000000000640000-0x0000000001640000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3300-26-0x00000000329D0000-0x0000000032A76000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3300-0-0x00007FFBD7040000-0x00007FFBD7B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3300-12-0x000000002ECC0000-0x000000002ECE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3300-13-0x00007FFBD7040000-0x00007FFBD7B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3300-11-0x000000002ED80000-0x000000002ED90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3300-14-0x000000002ED80000-0x000000002ED90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3740-37-0x0000000002440000-0x0000000002441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3740-36-0x0000000000400000-0x0000000000548000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3740-33-0x0000000002440000-0x0000000002441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/9132-155-0x0000026AF1B80000-0x0000026AF1B90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/9132-162-0x0000026AF23B0000-0x0000026AF2450000-memory.dmp

    Filesize

    640KB

    Download

  • memory/9132-154-0x0000026AF1B80000-0x0000026AF1B90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/9132-153-0x0000026AF1B80000-0x0000026AF1B90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/9132-152-0x00007FFBD7040000-0x00007FFBD7B01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/9132-150-0x0000026AF2290000-0x0000026AF2306000-memory.dmp

    Filesize

    472KB

    Download

  • memory/9132-148-0x0000026AF21C0000-0x0000026AF2204000-memory.dmp

    Filesize

    272KB

    Download

  • memory/9132-147-0x0000026AF1B80000-0x0000026AF1B90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/9132-137-0x0000026AF1B80000-0x0000026AF1B90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/9132-136-0x00007FFBD7040000-0x00007FFBD7B01000-memory.dmp

    Filesize

    10.8MB

    Download