Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\rundll64.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 2392 set thread context of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2392 wrote to memory of 3964	N/A	C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3964 wrote to memory of 1472	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 1472	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 1472	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4752	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4752	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4752	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 2060	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 2060	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 2060	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 572	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 572	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 572	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3964 wrote to memory of 4612	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3964 wrote to memory of 4612	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3964 wrote to memory of 4612	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe

"C:\Users\Admin\AppData\Local\Temp\Ziadambtz.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\rundll64.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rundll64.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rundll64" /tr "C:\Users\Admin\AppData\Local\rundll64.exe"

C:\Users\Admin\AppData\Local\rundll64.exe

C:\Users\Admin\AppData\Local\rundll64.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp

Files

memory/2392-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

memory/2392-1-0x0000000000B60000-0x0000000000FB0000-memory.dmp

memory/2392-2-0x0000000006C80000-0x0000000006EA0000-memory.dmp

memory/2392-3-0x0000000007450000-0x00000000079F6000-memory.dmp

memory/2392-4-0x0000000006F40000-0x0000000006FD2000-memory.dmp

memory/2392-20-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-54-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-58-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-66-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-64-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-62-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-60-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-56-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-52-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-48-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-69-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-44-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-50-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-46-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-42-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-40-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-38-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-34-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-32-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-30-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-28-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-26-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-24-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-22-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-18-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-16-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-14-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-13-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-10-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-36-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-8-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-6-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-5-0x0000000006C80000-0x0000000006E9A000-memory.dmp

memory/2392-4891-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/2392-4892-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/2392-4893-0x0000000005BE0000-0x0000000005C3C000-memory.dmp

memory/2392-4894-0x0000000005C40000-0x0000000005C8C000-memory.dmp

memory/2392-4895-0x0000000005D60000-0x0000000005DC6000-memory.dmp

memory/2392-4896-0x0000000006300000-0x0000000006354000-memory.dmp

memory/3964-4900-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/2392-4899-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/3964-4901-0x00000000001A0000-0x00000000001B2000-memory.dmp

memory/3964-4902-0x0000000004A10000-0x0000000004AAC000-memory.dmp

memory/3964-4903-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/1472-4904-0x0000000003080000-0x00000000030B6000-memory.dmp

memory/1472-4905-0x0000000005B10000-0x000000000613A000-memory.dmp

memory/1472-4906-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/1472-4907-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/1472-4908-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/1472-4909-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

memory/1472-4910-0x0000000006230000-0x0000000006296000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xque5uo1.1pn.ps1

MD5	d17fe0a3f47be24a6453e9ef58c94641
SHA1	6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256	96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512	5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1472-4919-0x00000000063C0000-0x0000000006717000-memory.dmp

memory/1472-4920-0x0000000006870000-0x000000000688E000-memory.dmp

memory/1472-4921-0x0000000006920000-0x000000000696C000-memory.dmp

memory/1472-4923-0x000000006FC10000-0x000000006FC5C000-memory.dmp

memory/1472-4932-0x0000000006E90000-0x0000000006EAE000-memory.dmp

memory/1472-4922-0x0000000007860000-0x0000000007894000-memory.dmp

memory/1472-4933-0x0000000007AA0000-0x0000000007B44000-memory.dmp

memory/1472-4934-0x0000000008210000-0x000000000888A000-memory.dmp

memory/1472-4935-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

memory/1472-4936-0x0000000007C30000-0x0000000007C3A000-memory.dmp

memory/1472-4937-0x0000000007E60000-0x0000000007EF6000-memory.dmp

memory/1472-4938-0x0000000007DD0000-0x0000000007DE1000-memory.dmp

memory/1472-4939-0x0000000007E00000-0x0000000007E0E000-memory.dmp

memory/1472-4940-0x0000000007E10000-0x0000000007E25000-memory.dmp

memory/1472-4941-0x0000000007F20000-0x0000000007F3A000-memory.dmp

memory/1472-4942-0x0000000007F00000-0x0000000007F08000-memory.dmp

memory/1472-4945-0x0000000074AE0000-0x0000000075291000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5	d0c46cad6c0778401e21910bd6b56b70
SHA1	7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256	9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512	057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4752-4952-0x0000000005710000-0x0000000005A67000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	441e43b0a93fc5bbb9fb92933c5db7fd
SHA1	ab0be2badd952243f0fccd7e605b42fbb4b833e7
SHA256	1d0c1008e9d908a5557b30e2266f8ccc39f8a980dcfd9cfe265a712301ee0ec3
SHA512	130a7dcb922f4c4c7303c680f09dd1aa6d07ff774c90170b6dff282637f722b5459f6e372bb6f9100a45f7d2bbee0337bf11926666edff81e83358633b196480

memory/4752-4957-0x000000006FC10000-0x000000006FC5C000-memory.dmp

memory/3964-4967-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/2060-4976-0x0000000005E30000-0x0000000006187000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	3c379e104f17cb81f348900ad2a74f25
SHA1	5d1193b9c866962be3f752bd32eebf752014ee5d
SHA256	e6fab43d3d7098498fec79bd5aab0f5cdbe217337c2cab2df6449b1ad86f190a
SHA512	e94fac27c8857efaa801acf00609a0dc8ad5842dc7c1037075aa567eb893b7438149fb96efda56767ec518dd12b4916762a0775d2184b101bae1a833e3020c29

memory/2060-4978-0x000000006FC10000-0x000000006FC5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	090026e509e08d793f3ce28352403a97
SHA1	5bd43cec0cb0e3703b5576a7ff1353f5423f87ea
SHA256	970d74ce80f26afa80649964f9786a644a650cda275b1edef5c44483f0b30aa3
SHA512	383558f4b2a1f8095630f89c465fb52150c1bcd17fb796504cd21a68ad40ed4c3382f2a7216b9308b5e101e09e908879a8c9b21972892f1c143c1ad232075235

memory/572-4997-0x000000006FC10000-0x000000006FC5C000-memory.dmp

memory/3964-5007-0x0000000074AE0000-0x0000000075291000-memory.dmp

C:\Users\Admin\AppData\Local\rundll64.exe

MD5	3c94b02364ba067e6c181191a5273824
SHA1	a44d2d25e0c36bee0fd319f4b990a67d8c34e852
SHA256	56763f94d6998304d137f5c202fb2147da5f14a39f318c68a810fc351701486f
SHA512	4b8bbcd2c0105170142a2b1f74569fac542180953bde7bdc7625c4d17e860cbfcb818a6813aedff39fe6e13bd71cfd5e3b3187b984e81532a6ed5998bab89cb9

memory/2804-5011-0x00000000001C0000-0x00000000001CC000-memory.dmp

Malware Analysis Report

2024-09-11 13:48

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	240615-et5yhsyeka
Target	Ziadambtz.exe
SHA256	fd43504919323178d05fa0c57b63eb316a512fdc366e20761f16c6e7e5c56904
Tags	xworm execution rat trojan