Overview

overview

10

Static

static

1

Free-Busin...te.msi

windows7-x64

6

Free-Busin...te.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2024, 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Free-Business-Partner-Contract-Template.msi

  • Size

    109.5MB

  • MD5

    44d70c2dd1cdcfc30df95a6b676dc326

  • SHA1

    93846f239ecf71c1a8e067f880070a814868060b

  • SHA256

    0adfbce8a09d9f977e5fe90ccefc9612d1d742d980fe8dc889e10a5778592e4d

  • SHA512

    108cd1b9cb1fd387d20a06edc0be0e3e00ffc3b2dfe4d5dd636cd642072fa740311824dbdd1b403d8b650fc57d450dbae324ef2e22bed67f5467b6b4095aa80d

  • SSDEEP

    98304:TYsfUbJeGKExXADDHY2P9m6E1tsg/qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqm:TfUdD3xwXHY206y4LY

Score
10/10
jupyterbackdoordiscoverystealertrojan

Malware Config

Extracted

Family

jupyter

Version

SP-17

C2

http://188.241.83.61

Signatures

  • Jupyter Backdoor/Client payload 1 IoCs
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Blocklisted process makes network request 9 IoCs
  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Free-Business-Partner-Contract-Template.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Users\Admin\AppData\Local\Temp\MSI54F2.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI54F2.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\Temp\{358C4BE3-50B0-4DCB-BD05-A202816A65FF}\.cr\MSI54F2.tmp
        "C:\Windows\Temp\{358C4BE3-50B0-4DCB-BD05-A202816A65FF}\.cr\MSI54F2.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSI54F2.tmp" -burn.filehandle.attached=536 -burn.filehandle.self=556
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:876
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0B0F578F5F72FE0EE3BE59FBB9A5AA02 C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss562D.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi55DB.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr55DC.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr561C.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:3504
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:5072

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSI3CF4.tmp
      Filesize

      392KB

      MD5

      07ce413b1af6342187514871dc112c74

      SHA1

      8008f8bfeae99918b6323a3d1270dea63b3a8394

      SHA256

      0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

      SHA512

      27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI54F2.tmp
      Filesize

      1.4MB

      MD5

      044a5d8e2f1356de889aedb11fdcc679

      SHA1

      4e8416eb12d209509d49998ebe714612709eb4d6

      SHA256

      e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

      SHA512

      3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI54F3.tmp
      Filesize

      570KB

      MD5

      c26c68e4a79fd2629714b17514411c40

      SHA1

      00138d8edea0918c4476da303415be399cf704c6

      SHA256

      55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

      SHA512

      6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlnfcxie.nsd.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss562D.ps1
      Filesize

      5KB

      MD5

      0c95bc11cfca37f84a19de0529377e13

      SHA1

      41f409dbbab04ef35c4f6489af6f85fceb9c501a

      SHA256

      88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

      SHA512

      8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scr55DC.ps1
      Filesize

      118KB

      MD5

      dac33a6ccbcb047e268c2b4d8683d458

      SHA1

      0975b054358bd83656011e3f9e1e7790b5f26c07

      SHA256

      c05e705645b1e77256f93b4ae93a12a3adbd7433f7b8f1c68fa84ea1c0838a77

      SHA512

      1c1692ee65c6bcb86d0093040adbb935522a875a32207b345f9375f6c40bc90225963302cf157921d9d4b60f54776f3b2c52bc63bbdd911bd438a832248484fe

      Download Submit

    • C:\Windows\Temp\{76407222-95ED-4044-BD8A-2C64A5A08406}\.ba\BootstrapperCore.config
      Filesize

      752B

      MD5

      efe91fd0b4eb17cc897621c133c53ade

      SHA1

      c28fa3c594cc6d2ce8fad00f2d1d2c09b220ce74

      SHA256

      77d45ae9bda3349bbcbf2069503835c3bbb37fed0c1e2311b4c3e3bb26640940

      SHA512

      034043d96e709795852918fdac7606918453df59660a01af25dbbc844c98c7ec28bb7f0a1764d2148c83ec6b0e94e8e8317e9610f1c9bb1fe055b65fcace0549

      Download Submit

    • C:\Windows\Temp\{76407222-95ED-4044-BD8A-2C64A5A08406}\.ba\BootstrapperCore.dll
      Filesize

      80KB

      MD5

      c4f7146ddc56763ccdb1cb3c09478708

      SHA1

      bca088ab33cfb69adeae11a272e9c8a83f39a8c9

      SHA256

      886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

      SHA512

      df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

      Download Submit

    • C:\Windows\Temp\{76407222-95ED-4044-BD8A-2C64A5A08406}\.ba\GalaSoft.MvvmLight.WPF4.dll
      Filesize

      27KB

      MD5

      1e40431b501d55fe8ba59cabb3ce5c17

      SHA1

      b8aef0f6829345d844960c3eaf96c41f76142f6c

      SHA256

      92ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000

      SHA512

      2ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d

      Download Submit

    • C:\Windows\Temp\{76407222-95ED-4044-BD8A-2C64A5A08406}\.ba\NitroBA.dll
      Filesize

      363KB

      MD5

      6726d4b46346ef40dd3ea4376ae7d259

      SHA1

      ffdaa10e1e3d1c7d7411f799a0889ce66014bc29

      SHA256

      3e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963

      SHA512

      cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a

      Download Submit

    • C:\Windows\Temp\{76407222-95ED-4044-BD8A-2C64A5A08406}\.ba\PageTransitions.dll
      Filesize

      16KB

      MD5

      ad69d408b05b98180b25d23b0a790f01

      SHA1

      5fdbdae2979685db500d2b031e2a430ce16e592e

      SHA256

      14090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646

      SHA512

      12323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac

      Download Submit

    • C:\Windows\Temp\{76407222-95ED-4044-BD8A-2C64A5A08406}\.ba\mbahost.dll
      Filesize

      111KB

      MD5

      d7c697ceb6f40ce91dabfcbe8df08e22

      SHA1

      49cd0213a1655dcdb493668083ab2d7f55135381

      SHA256

      b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df

      SHA512

      22ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1

      Download Submit

    • C:\Windows\Temp\{76407222-95ED-4044-BD8A-2C64A5A08406}\.ba\metrics.dll
      Filesize

      541KB

      MD5

      aed8280e90f672f631d2aedebd6452bf

      SHA1

      390b96ce6b4b1a47c12d8932c5e8da6e51fdd38a

      SHA256

      a82332e0a9c9cee34f9a46d5e984901fa57a011f54e7b37b9716acf834746ced

      SHA512

      23a223fc4da00038ff6b584f0a2a4186f49eaf4d8cb28dfdfa795048a4a977aa39848cb83bbfd8f0555412fd04c802b122267266e33a5ddc49d3e0ff1e2eca4f

      Download Submit

    • memory/876-96-0x0000000003FE0000-0x0000000003FF8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/876-124-0x0000000006380000-0x000000000638E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/876-437-0x000000000A4E0000-0x000000000A4EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/876-100-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-436-0x000000000A500000-0x000000000A538000-memory.dmp

      Filesize

      224KB

      Download

    • memory/876-108-0x00000000066C0000-0x0000000006722000-memory.dmp

      Filesize

      392KB

      Download

    • memory/876-433-0x00000000077D0000-0x00000000077D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/876-97-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-425-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-439-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-139-0x00000000734D0000-0x0000000073C80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/876-423-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-172-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-440-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-90-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-89-0x00000000734D0000-0x0000000073C80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/876-147-0x0000000006E90000-0x0000000006E9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/876-442-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-141-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-140-0x00000000063B0000-0x00000000063C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3504-99-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3504-137-0x00000000734D0000-0x0000000073C80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3504-136-0x00000000074E0000-0x0000000007A84000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3504-135-0x00000000063E0000-0x0000000006402000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3504-142-0x0000000008110000-0x000000000878A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3504-134-0x0000000006390000-0x00000000063AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3504-133-0x0000000006E20000-0x0000000006EB6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3504-128-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3504-126-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3504-125-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3504-120-0x0000000005980000-0x0000000005CD4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3504-429-0x0000000004AF0000-0x0000000004B00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3504-430-0x0000000006FC0000-0x0000000006FD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3504-110-0x0000000005810000-0x0000000005876000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3504-109-0x0000000005010000-0x0000000005076000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3504-102-0x0000000004E70000-0x0000000004E92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3504-101-0x0000000005130000-0x0000000005758000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3504-91-0x0000000002890000-0x00000000028C6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3504-83-0x00000000734D0000-0x0000000073C80000-memory.dmp

      Filesize

      7.7MB

      Download