Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 1540 set thread context of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1540 wrote to memory of 1236	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe
PID 1236 wrote to memory of 852	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 852	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 852	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 1444	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 1444	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 1444	N/A	C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe

"C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe"

C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe

"C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ystnmcdkpe.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ystnmcdkpe.exe'

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	104.20.3.235:443	pastebin.com	tcp
US	64.188.16.134:7861		tcp
US	64.188.16.134:7861		tcp

Files

memory/1540-0-0x000000007466E000-0x000000007466F000-memory.dmp

memory/1540-1-0x0000000000480000-0x00000000008EE000-memory.dmp

memory/1540-2-0x0000000006600000-0x0000000006820000-memory.dmp

memory/1540-3-0x0000000006DD0000-0x0000000007376000-memory.dmp

memory/1540-4-0x00000000068C0000-0x0000000006952000-memory.dmp

memory/1540-14-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-5-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-20-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-53-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-66-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-68-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-65-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-62-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-60-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-58-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-56-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-50-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-48-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-44-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-41-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-54-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-46-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-42-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-36-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-32-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-30-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-26-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-24-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-22-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-19-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-16-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-12-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-10-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-8-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-6-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-38-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-34-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-28-0x0000000006600000-0x000000000681B000-memory.dmp

memory/1540-4891-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/1540-4892-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/1540-4893-0x00000000069D0000-0x0000000006A2C000-memory.dmp

memory/1540-4894-0x0000000006A30000-0x0000000006A7C000-memory.dmp

memory/1540-4895-0x0000000006AE0000-0x0000000006B34000-memory.dmp

memory/1540-4900-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/1236-4901-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/1236-4902-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1236-4903-0x0000000005250000-0x00000000052EC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ystnmcdkpe.exe.log

MD5	9d0cacca373731660e8268a162d9d4ff
SHA1	a82111d00132cdf7ef46af5681601d55c6a0e17c
SHA256	95932f81206717ff86f0974ee37dc40d5d914f730f00a08344b4c1765d663394
SHA512	8c971ab501fc322b13f53b03325b2295e1eedb12b6d50a4225e6e3b4bf5128665b1a3d8b560a8b04f14bfa6f5cba41058e4f546139101fc303f3b8393f5ca485

memory/1236-4904-0x00000000052F0000-0x0000000005356000-memory.dmp

memory/1236-4905-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/852-4906-0x0000000002A40000-0x0000000002A76000-memory.dmp

memory/852-4907-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/852-4908-0x0000000005460000-0x0000000005A8A000-memory.dmp

memory/852-4909-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/852-4910-0x0000000005B80000-0x0000000005BA2000-memory.dmp

memory/852-4911-0x0000000005C20000-0x0000000005C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5ecxblm.ths.ps1

MD5	d17fe0a3f47be24a6453e9ef58c94641
SHA1	6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256	96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512	5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/852-4921-0x0000000005D70000-0x00000000060C7000-memory.dmp

memory/852-4920-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/852-4922-0x00000000061E0000-0x00000000061FE000-memory.dmp

memory/852-4923-0x0000000006220000-0x000000000626C000-memory.dmp

memory/852-4924-0x00000000071B0000-0x00000000071E4000-memory.dmp

memory/852-4925-0x000000006F730000-0x000000006F77C000-memory.dmp

memory/852-4934-0x00000000071F0000-0x000000000720E000-memory.dmp

memory/852-4935-0x0000000007410000-0x00000000074B4000-memory.dmp

memory/852-4936-0x0000000007B80000-0x00000000081FA000-memory.dmp

memory/852-4937-0x0000000007540000-0x000000000755A000-memory.dmp

memory/852-4938-0x00000000075B0000-0x00000000075BA000-memory.dmp

memory/852-4939-0x00000000077E0000-0x0000000007876000-memory.dmp

memory/852-4940-0x0000000007750000-0x0000000007761000-memory.dmp

memory/852-4941-0x0000000007780000-0x000000000778E000-memory.dmp

memory/852-4942-0x0000000007790000-0x00000000077A5000-memory.dmp

memory/852-4943-0x00000000078A0000-0x00000000078BA000-memory.dmp

memory/852-4944-0x0000000007880000-0x0000000007888000-memory.dmp

memory/852-4947-0x0000000074660000-0x0000000074E11000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5	ac4917a885cf6050b1a483e4bc4d2ea5
SHA1	b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256	e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512	092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1444-4949-0x0000000005630000-0x0000000005987000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	afe136a4141228176741e3771e0c1bfb
SHA1	eb28819b3ab290cd85008ac3673b2ce8c7eae70f
SHA256	a65405c3792f1bcf58abeacd7170a5b4580e3a9be2eab962cbc73249c0b77137
SHA512	ff32c42219327ca1ac1784e45cae65e27d3a27700559e6b544988474eb76d23dfe13297d7e4546209262b3a6047dc77c0b0fc6b6561b0d2eee6bab520b175f84

memory/1444-4959-0x000000006F730000-0x000000006F77C000-memory.dmp

memory/1236-4969-0x0000000006C60000-0x0000000006C6A000-memory.dmp

memory/1236-4970-0x0000000074660000-0x0000000074E11000-memory.dmp

memory/1236-4971-0x0000000006DC0000-0x0000000006DCC000-memory.dmp

memory/1236-4972-0x0000000074660000-0x0000000074E11000-memory.dmp

Malware Analysis Report

2024-09-11 13:53

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	240615-ftea8stcpq
Target	Ystnmcdkpe.exe
SHA256	e76432493aab33f8765d104d3bbd345b5e8eafafea96b49e462e26b688ba85cf
Tags	xworm execution rat trojan