Analysis Overview
SHA256
25a144002a8255a86b41f65977f80a7939384b7c4a18aa4c9aa14cb8d5210359
Threat Level: Known bad
The file 1d8cf8997c79b9d5b0dabbcf698ff8ad.bin was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
ModiLoader, DBatLoader
ModiLoader Second Stage
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
UPX packed file
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 01:40
Reported
2024-07-04 01:43
Platform
win7-20240221-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\yaaupot.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\yaaupot.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bahost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /H" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /d" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /K" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /q" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /I" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /B" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /v" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /z" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /m" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /W" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /J" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /n" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /Z" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /S" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /F" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /l" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /L" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /g" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /A" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /V" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /o" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /h" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /G" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /a" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /j" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /k" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /T" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /O" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /i" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /x" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /w" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /u" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /P" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /e" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /U" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /c" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /E" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /Y" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /C" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /X" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /t" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /D" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /s" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /p" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /r" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /N" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /b" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /Q" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /I" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /y" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /f" | C:\Users\Admin\yaaupot.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaupot = "C:\\Users\\Admin\\yaaupot.exe /M" | C:\Users\Admin\yaaupot.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 2496 | N/A | C:\Users\Admin\ayhost.exe | C:\Users\Admin\ayhost.exe |
| PID 848 set thread context of 2748 | N/A | C:\Users\Admin\bahost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bahost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bahost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\yaaupot.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe
"C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe"
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\yaaupot.exe
"C:\Users\Admin\yaaupot.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\ayhost.exe
C:\Users\Admin\ayhost.exe
C:\Users\Admin\ayhost.exe
ayhost.exe
C:\Users\Admin\bahost.exe
C:\Users\Admin\bahost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\djhost.exe
C:\Users\Admin\djhost.exe
C:\Users\Admin\ekhost.exe
C:\Users\Admin\ekhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 1d8cf8997c79b9d5b0dabbcf698ff8ad.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | elegantweddingdecor.com | udp |
| CA | 66.49.203.74:80 | elegantweddingdecor.com | tcp |
| US | 67.85.181.95:25700 | N/A | tcp |
| US | 75.194.28.245:25700 | N/A | tcp |
| OM | 188.66.136.181:25700 | N/A | tcp |
| US | 67.181.89.116:25700 | N/A | tcp |
| US | 68.51.12.254:25700 | N/A | tcp |
| DE | 95.91.41.161:25700 | N/A | tcp |
| PH | 112.205.160.134:25700 | N/A | tcp |
| US | 65.113.118.94:25700 | N/A | tcp |
| US | 98.248.170.108:25700 | N/A | tcp |
| US | 207.38.138.33:25700 | N/A | tcp |
| US | 75.72.141.181:25700 | N/A | tcp |
| HR | 89.18.52.87:25700 | N/A | tcp |
| KZ | 95.57.252.244:25700 | N/A | tcp |
| US | 173.19.200.8:25700 | N/A | tcp |
| US | 97.88.140.101:25700 | N/A | tcp |
| US | 24.253.33.30:25700 | N/A | tcp |
| US | 108.107.200.151:25700 | N/A | tcp |
| US | 96.42.113.52:25700 | N/A | tcp |
| US | 97.115.97.115:25700 | N/A | tcp |
| US | 24.187.91.160:25700 | N/A | tcp |
| US | 68.189.105.18:25700 | N/A | tcp |
| US | 75.196.35.155:25700 | N/A | tcp |
| US | 98.196.30.132:25700 | N/A | tcp |
| US | 24.152.191.210:25700 | N/A | tcp |
| US | 68.63.230.90:25700 | N/A | tcp |
| US | 66.177.71.82:25700 | N/A | tcp |
| US | 76.118.218.158:25700 | N/A | tcp |
| US | 75.143.148.26:25700 | N/A | tcp |
| US | 71.75.75.170:25700 | N/A | tcp |
| JP | 114.158.142.100:25700 | N/A | tcp |
| US | 64.53.184.103:25700 | N/A | tcp |
| IN | 14.98.119.33:25700 | N/A | tcp |
| FR | 85.171.0.142:25700 | N/A | tcp |
| US | 18.245.7.14:25700 | N/A | tcp |
| US | 75.185.13.10:25700 | N/A | tcp |
| LK | 112.134.96.44:25700 | N/A | tcp |
| US | 75.136.106.185:25700 | N/A | tcp |
| US | 72.178.104.115:25700 | N/A | tcp |
| US | 24.12.36.210:25700 | N/A | tcp |
| US | 75.92.67.82:25700 | N/A | tcp |
| NO | 84.52.210.234:25700 | N/A | tcp |
| GB | 92.41.46.218:25700 | N/A | tcp |
| FI | 91.155.181.198:25700 | N/A | tcp |
| US | 75.83.61.197:25700 | N/A | tcp |
| US | 71.197.250.192:25700 | N/A | tcp |
| US | 67.185.176.150:25700 | N/A | tcp |
| BR | 189.103.32.63:25700 | N/A | tcp |
| US | 72.161.208.91:25700 | N/A | tcp |
| US | 74.233.130.58:25700 | N/A | tcp |
| US | 69.201.159.20:25700 | N/A | tcp |
| IN | 65.3.163.60:25700 | N/A | tcp |
| US | 71.68.194.76:25700 | N/A | tcp |
| US | 75.65.115.171:25700 | N/A | tcp |
| US | 71.193.8.197:25700 | N/A | tcp |
| US | 72.24.80.223:25700 | N/A | tcp |
| US | 71.94.132.40:25700 | N/A | tcp |
| US | 66.25.14.205:25700 | N/A | tcp |
| US | 76.170.33.158:25700 | N/A | tcp |
| US | 68.58.177.138:25700 | N/A | tcp |
| US | 76.19.227.125:25700 | N/A | tcp |
| US | 68.37.242.117:25700 | N/A | tcp |
| US | 96.42.218.190:25700 | N/A | tcp |
| US | 67.248.218.233:25700 | N/A | tcp |
| US | 24.211.101.86:25700 | N/A | tcp |
| US | 67.165.43.31:25700 | N/A | tcp |
| CA | 50.92.182.239:25700 | N/A | tcp |
| US | 69.245.186.178:25700 | N/A | tcp |
| US | 67.165.49.219:25700 | N/A | tcp |
| US | 138.236.22.72:25700 | N/A | tcp |
| US | 50.80.239.21:25700 | N/A | tcp |
| US | 174.97.24.141:25700 | N/A | tcp |
| US | 184.59.204.68:25700 | N/A | tcp |
| US | 75.187.148.62:25700 | N/A | tcp |
| US | 68.47.67.107:25700 | N/A | tcp |
| US | 68.192.100.193:25700 | N/A | tcp |
| US | 75.65.245.83:25700 | N/A | tcp |
| US | 76.235.164.101:25700 | N/A | tcp |
| JP | 212.50.232.253:25700 | N/A | tcp |
| US | 70.119.34.246:25700 | N/A | tcp |
| US | 71.197.149.224:25700 | N/A | tcp |
| US | 67.10.199.179:25700 | N/A | tcp |
| US | 71.94.223.29:25700 | N/A | tcp |
| US | 98.198.243.160:25700 | N/A | tcp |
| KZ | 84.240.207.226:25700 | N/A | tcp |
| US | 67.175.63.86:25700 | N/A | tcp |
| US | 67.85.223.123:25700 | N/A | tcp |
| US | 72.179.41.196:25700 | N/A | tcp |
| US | 24.125.159.74:25700 | N/A | tcp |
| DK | 86.52.83.19:25700 | N/A | tcp |
| US | 98.203.129.141:25700 | N/A | tcp |
| US | 98.233.79.149:25700 | N/A | tcp |
| CA | 184.160.183.192:25700 | N/A | tcp |
| US | 71.71.238.247:25700 | N/A | tcp |
| US | 24.234.85.173:25700 | N/A | tcp |
| US | 75.204.205.69:25700 | N/A | tcp |
| US | 184.77.179.71:25700 | N/A | tcp |
| US | 69.249.229.104:25700 | N/A | tcp |
| US | 152.23.18.236:25700 | N/A | tcp |
| US | 98.157.152.68:25700 | N/A | tcp |
| US | 68.47.164.166:25700 | N/A | tcp |
| US | 75.111.197.142:25700 | N/A | tcp |
| US | 68.184.60.76:25700 | N/A | tcp |
| US | 50.80.19.135:25700 | N/A | tcp |
| US | 98.210.205.21:25700 | N/A | tcp |
| US | 98.101.150.126:25700 | N/A | tcp |
| US | 69.116.108.230:25700 | N/A | tcp |
| US | 173.171.137.173:25700 | N/A | tcp |
| US | 68.36.33.67:25700 | N/A | tcp |
| US | 68.226.130.43:25700 | N/A | tcp |
| US | 24.196.160.171:25700 | N/A | tcp |
| US | 50.27.227.131:25700 | N/A | tcp |
| US | 68.185.158.188:25700 | N/A | tcp |
| US | 128.123.194.154:25700 | N/A | tcp |
| US | 71.236.247.96:25700 | N/A | tcp |
| US | 76.187.28.55:25700 | N/A | tcp |
| US | 24.208.178.3:25700 | N/A | tcp |
| US | 68.59.201.247:25700 | N/A | tcp |
| US | 69.122.91.56:25700 | N/A | tcp |
| US | 67.168.54.19:25700 | N/A | tcp |
| US | 76.173.92.227:25700 | N/A | tcp |
| US | 69.125.67.98:25700 | N/A | tcp |
| US | 72.152.174.83:25700 | N/A | tcp |
| US | 98.176.177.6:25700 | N/A | tcp |
| US | 130.85.240.102:25700 | N/A | tcp |
| CA | 130.63.255.0:25700 | N/A | tcp |
| US | 76.121.76.247:25700 | N/A | tcp |
| US | 71.86.96.214:25700 | N/A | tcp |
| US | 24.0.60.42:25700 | N/A | tcp |
| US | 24.18.125.203:25700 | N/A | tcp |
| US | 66.190.220.48:25700 | N/A | tcp |
| US | 75.215.249.54:25700 | N/A | tcp |
| US | 24.250.49.21:25700 | N/A | tcp |
| US | 74.197.218.66:25700 | N/A | tcp |
| NL | 77.61.97.222:25700 | N/A | tcp |
| IT | 82.58.102.106:25700 | N/A | tcp |
| US | 69.245.229.50:25700 | N/A | tcp |
| US | 97.100.183.111:25700 | N/A | tcp |
| CA | 174.112.136.166:25700 | N/A | tcp |
| US | 66.87.2.138:25700 | N/A | tcp |
| US | 174.98.236.183:25700 | N/A | tcp |
| NO | 84.202.167.107:25700 | N/A | tcp |
| US | 50.34.38.185:25700 | N/A | tcp |
| US | 74.90.93.55:25700 | N/A | tcp |
| US | 71.29.65.234:25700 | N/A | tcp |
| GB | 87.117.229.99:25700 | N/A | tcp |
| US | 74.161.129.240:25700 | N/A | tcp |
| US | 184.57.174.203:25700 | N/A | tcp |
| US | 68.186.141.82:25700 | N/A | tcp |
| US | 67.184.24.170:25700 | N/A | tcp |
| US | 75.65.211.210:25700 | N/A | tcp |
| US | 184.12.12.84:25700 | N/A | tcp |
| US | 76.169.207.19:25700 | N/A | tcp |
| US | 66.87.0.164:25700 | N/A | tcp |
| US | 71.234.40.56:25700 | N/A | tcp |
| US | 74.90.118.14:25700 | N/A | tcp |
| US | 174.70.47.116:25700 | N/A | tcp |
| GB | 94.196.72.79:25700 | N/A | tcp |
| US | 24.33.142.77:25700 | N/A | tcp |
| US | 71.225.241.71:25700 | N/A | tcp |
| US | 67.162.64.31:25700 | N/A | tcp |
| US | 67.80.121.65:25700 | N/A | tcp |
| US | 74.60.0.54:25700 | N/A | tcp |
| US | 98.246.97.168:25700 | N/A | tcp |
| US | 76.114.218.172:25700 | N/A | tcp |
| US | 50.113.176.190:25700 | N/A | tcp |
| US | 173.17.139.147:25700 | N/A | tcp |
| US | 98.198.30.69:25700 | N/A | tcp |
| US | 74.180.50.149:25700 | N/A | tcp |
| US | 24.63.97.60:25700 | N/A | tcp |
| US | 66.30.203.111:25700 | N/A | tcp |
| US | 67.181.194.146:25700 | N/A | tcp |
| ES | 77.210.93.83:25700 | N/A | tcp |
| US | 24.119.155.195:25700 | N/A | tcp |
| US | 98.198.219.107:25700 | N/A | tcp |
| US | 68.200.23.168:25700 | N/A | tcp |
| US | 69.211.231.214:25700 | N/A | tcp |
| US | 68.190.19.217:25700 | N/A | tcp |
| SE | 46.239.106.150:25700 | N/A | tcp |
| US | 74.254.247.222:25700 | N/A | tcp |
| US | 98.236.169.124:25700 | N/A | tcp |
| US | 24.1.145.150:25700 | N/A | tcp |
| US | 174.100.141.19:25700 | N/A | tcp |
| US | 24.10.115.156:25700 | N/A | tcp |
| US | 96.63.248.120:25700 | N/A | tcp |
| US | 72.211.190.153:25700 | N/A | tcp |
| US | 74.61.114.66:25700 | N/A | tcp |
| US | 72.187.48.225:25700 | N/A | tcp |
| RU | 91.79.124.198:25700 | N/A | tcp |
| BG | 62.73.111.196:25700 | N/A | tcp |
| US | 173.218.48.197:25700 | N/A | tcp |
| US | 72.135.111.85:25700 | N/A | tcp |
| US | 70.119.197.66:25700 | N/A | tcp |
| US | 71.87.243.75:25700 | N/A | tcp |
| DE | 109.193.51.84:25700 | N/A | tcp |
| US | 24.179.78.232:25700 | N/A | tcp |
| US | 174.102.72.32:25700 | N/A | tcp |
Files
\Users\Admin\d3s3Jf2gX6.exe
| MD5 | b3c7427a9509d61a373b377e668c8ddd |
| SHA1 | 80b7a9d3fea90879ac10e4cbbd70968aaf8f46d3 |
| SHA256 | b24dacfe819e4b8e04e3d1ae5a82ffda05ce5c870c0ce530f723c29c76fe5a28 |
| SHA512 | 616411ce4b75b80bba9bb901848f9814624deb89a941d4f13b2bc66b63a2eab230354f320a61610bb9166d368a77a3036068f3a7c76d0d0078e71b653e10c7fe |
\Users\Admin\yaaupot.exe
| MD5 | df3b05884d68c74c7011f225bf3a5da7 |
| SHA1 | 7e08c8b383259ae44d97514ba3d5791287eca03d |
| SHA256 | d2c6b9c0f7dcd70e8941dd359b5f7c8fc26999101537e44668932aa387e56b3f |
| SHA512 | 572ee79aeb2f34852e5705ae62a7c33e213fa3fd5b7d47758b23bfda75685af436068cfbe3850563826e30a12d5018fd16bebce71288bc929bab8a4e988e78de |
\Users\Admin\ayhost.exe
| MD5 | 8ccbe4f27f9710f3e7f75e1d1de57e49 |
| SHA1 | 272e95e476477cd4a1715ee0bcf32318e0351718 |
| SHA256 | 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d |
| SHA512 | 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0 |
memory/2496-36-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2496-44-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2492-51-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2496-50-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2496-49-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2496-48-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2496-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2496-40-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2496-38-0x0000000000400000-0x000000000040E000-memory.dmp
\Users\Admin\bahost.exe
| MD5 | 57d06744cbe8d579531f5704827605c1 |
| SHA1 | 222404c29087c7481127d5616e209e8a8946b110 |
| SHA256 | 42c00828ea0ca557e2f50c49ebc24d3e2ffbd207ad6128e002ee9487be0e7f1a |
| SHA512 | 1d22108dbca3e6566a14e687077cfca481adf2eb4d6a214e49c2242f4aa3701f1a31037993f3ba78c41f9242666b2b0b1424f983ee660eae2e89b3c492d93093 |
memory/848-68-0x00000000008A0000-0x00000000008E0000-memory.dmp
memory/848-67-0x00000000008A0000-0x00000000008E0000-memory.dmp
memory/848-63-0x00000000008A0000-0x00000000008E0000-memory.dmp
memory/848-59-0x00000000008A0000-0x00000000008E0000-memory.dmp
memory/848-69-0x00000000008A0000-0x00000000008E0000-memory.dmp
memory/848-71-0x00000000008A0000-0x00000000008E0000-memory.dmp
memory/1192-80-0x0000000002510000-0x0000000002516000-memory.dmp
memory/1192-76-0x0000000002510000-0x0000000002516000-memory.dmp
memory/1192-72-0x0000000002510000-0x0000000002516000-memory.dmp
C:\Windows\system32\consrv.dll
| MD5 | 4d7cde615a0f534bd5e359951829554b |
| SHA1 | c885d00d9000f2a5dbc78f6193a052b36f4fe968 |
| SHA256 | 414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a |
| SHA512 | 33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4 |
memory/336-86-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
memory/848-90-0x0000000000400000-0x0000000000446000-memory.dmp
\Users\Admin\djhost.exe
| MD5 | af152804736fe7af65e4b49633a2d185 |
| SHA1 | 3c2ecabfbdca7b4bfed2fbaae7cfeabe9d439d35 |
| SHA256 | 45b8430d8053f791bfcd0033ae2cdfed2b253a0f6835395055345058ab18c40e |
| SHA512 | 749461feaacada8ddec990df90ae5f580fb9b6b0bad680015a7067d66ecd785822bb50223dc734d29016cb29dfa98c9efa08d53b99dc0e0fe26193ff12742cd6 |
\Users\Admin\ekhost.exe
| MD5 | 046275674448c41615014cf770ee4f53 |
| SHA1 | 4f51eb674e199d6b901aaffb55c4aeafb94acfb3 |
| SHA256 | 3c561abc78eb200f46286b30765a2f6bf6b6bc9c6f433b327955d2e0ef6aaa6f |
| SHA512 | db35c805e516209d0ee02e182711360ea2a49f7de5c79a01fe448beb673abe83ac638cf1c0b04c4e45f608fad490cdd5f8d2bd99aa0c0c679fb3fc9a77bbe0e2 |
\Windows\assembly\GAC_32\Desktop.ini
| MD5 | 878f9b6da85cb98fcbdf6abd1730a32f |
| SHA1 | 343007e658ea541f4680b4edf4513e69e1cc18a6 |
| SHA256 | 75b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d |
| SHA512 | 5425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293 |
C:\Users\Admin\calc.exe
| MD5 | e381b04abf596ed1573154cd41f418dc |
| SHA1 | 2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e |
| SHA256 | 02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6 |
| SHA512 | 44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858 |
\Windows\assembly\GAC_64\Desktop.ini
| MD5 | 9d7ec1e355ac35cbe6991721ef5ae3b8 |
| SHA1 | c35a00bd35c6e4a7516b93947be08ead966347e8 |
| SHA256 | 68a3cec42215323100398a8eb2cbb37da7d58fe0fa9c6312e954e0f50a95ca98 |
| SHA512 | b7c4be28d8e179974672205a50e72fa1ec9e2e8170b3b8ee763e1751a3397c35afec7a72c88f0a79a8566749b2af1ff054660a96c3a6d6508c545d316a035dc0 |
memory/336-133-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
memory/852-139-0x0000000000460000-0x000000000046B000-memory.dmp
memory/852-136-0x0000000000460000-0x000000000046B000-memory.dmp
memory/852-143-0x0000000000460000-0x000000000046B000-memory.dmp
\??\globalroot\systemroot\assembly\temp\@
| MD5 | bb7950e23de4cc1a030aff96408f61c3 |
| SHA1 | 551d347d2673a40e899a970b5edcbd21317008db |
| SHA256 | 76155df2ff750895145b43ad644e1bca83412be569cfd2a21c23a04a06f2245e |
| SHA512 | 65bdbab46aec19adbff9c3c756e78ba446cb6c479dbf08f8a30a6d59b781a7409f2a6249ff8962aad861929ad71a097cc0138deceaca44be90490abd365fdb25 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 01:40
Reported
2024-07-04 01:43
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
48s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\ekhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\seaiqur.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bahost.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /l" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /F" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /a" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /Y" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /w" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /e" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /N" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /T" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /G" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /b" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /Q" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /H" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /r" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /d" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /E" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /J" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /K" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /O" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /S" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /j" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /y" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /i" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /t" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /v" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /o" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /h" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /W" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /x" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /V" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /k" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /M" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /c" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /p" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /m" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /R" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /A" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /f" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /U" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /n" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /B" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /Z" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /I" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /p" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /q" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /s" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /z" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /u" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /X" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /C" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /D" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /g" | C:\Users\Admin\seaiqur.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seaiqur = "C:\\Users\\Admin\\seaiqur.exe /P" | C:\Users\Admin\seaiqur.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2588 set thread context of 2764 | N/A | C:\Users\Admin\ayhost.exe | C:\Users\Admin\ayhost.exe |
| PID 820 set thread context of 400 | N/A | C:\Users\Admin\bahost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bahost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\seaiqur.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe
"C:\Users\Admin\AppData\Local\Temp\1d8cf8997c79b9d5b0dabbcf698ff8ad.exe"
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\seaiqur.exe
"C:\Users\Admin\seaiqur.exe"
C:\Users\Admin\ayhost.exe
C:\Users\Admin\ayhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\ayhost.exe
ayhost.exe
C:\Users\Admin\bahost.exe
C:\Users\Admin\bahost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\djhost.exe
C:\Users\Admin\djhost.exe
C:\Users\Admin\ekhost.exe
C:\Users\Admin\ekhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 1d8cf8997c79b9d5b0dabbcf698ff8ad.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
Files
C:\Users\Admin\d3s3Jf2gX6.exe
| MD5 | b3c7427a9509d61a373b377e668c8ddd |
| SHA1 | 80b7a9d3fea90879ac10e4cbbd70968aaf8f46d3 |
| SHA256 | b24dacfe819e4b8e04e3d1ae5a82ffda05ce5c870c0ce530f723c29c76fe5a28 |
| SHA512 | 616411ce4b75b80bba9bb901848f9814624deb89a941d4f13b2bc66b63a2eab230354f320a61610bb9166d368a77a3036068f3a7c76d0d0078e71b653e10c7fe |
C:\Users\Admin\seaiqur.exe
| MD5 | 7bed818c5b5615e5ca44cd59dae9e2a9 |
| SHA1 | 294a4af5716255a28e7f3f4aa6e18996a059d36b |
| SHA256 | 3923552b946d8e96dc01664ebe43143746d91026ebac3c1eccb1bbc12911de4c |
| SHA512 | 5e3709ff9f5d8f5a858e28a8423e6be037b41bc4089bd779cfb84cdf2ff4f915703ac333a37698eea186bd9c14d047eac6d8b9bee345c355fba4bf2e4e4be549 |
C:\Users\Admin\ayhost.exe
| MD5 | 8ccbe4f27f9710f3e7f75e1d1de57e49 |
| SHA1 | 272e95e476477cd4a1715ee0bcf32318e0351718 |
| SHA256 | 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d |
| SHA512 | 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0 |
memory/2764-46-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2764-45-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2588-49-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2764-51-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2764-53-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2764-52-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\bahost.exe
| MD5 | 57d06744cbe8d579531f5704827605c1 |
| SHA1 | 222404c29087c7481127d5616e209e8a8946b110 |
| SHA256 | 42c00828ea0ca557e2f50c49ebc24d3e2ffbd207ad6128e002ee9487be0e7f1a |
| SHA512 | 1d22108dbca3e6566a14e687077cfca481adf2eb4d6a214e49c2242f4aa3701f1a31037993f3ba78c41f9242666b2b0b1424f983ee660eae2e89b3c492d93093 |
memory/820-58-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\djhost.exe
| MD5 | af152804736fe7af65e4b49633a2d185 |
| SHA1 | 3c2ecabfbdca7b4bfed2fbaae7cfeabe9d439d35 |
| SHA256 | 45b8430d8053f791bfcd0033ae2cdfed2b253a0f6835395055345058ab18c40e |
| SHA512 | 749461feaacada8ddec990df90ae5f580fb9b6b0bad680015a7067d66ecd785822bb50223dc734d29016cb29dfa98c9efa08d53b99dc0e0fe26193ff12742cd6 |
C:\Users\Admin\ekhost.exe
| MD5 | 046275674448c41615014cf770ee4f53 |
| SHA1 | 4f51eb674e199d6b901aaffb55c4aeafb94acfb3 |
| SHA256 | 3c561abc78eb200f46286b30765a2f6bf6b6bc9c6f433b327955d2e0ef6aaa6f |
| SHA512 | db35c805e516209d0ee02e182711360ea2a49f7de5c79a01fe448beb673abe83ac638cf1c0b04c4e45f608fad490cdd5f8d2bd99aa0c0c679fb3fc9a77bbe0e2 |