3a4cfef0dd9bf37f93a93d978cc9c0a12fe4235d4d3e5507c7bf4777c5a33348

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Kazekage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system32.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Kazekage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe

Disables RegEdit via registry modification 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kazekage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	system32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4b62450e0d5c4baf54a6d2bf82640e18.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	smss.exe

Executes dropped EXE 30 IoCs

pid	Process
2864	smss.exe
2584	smss.exe
2648	Gaara.exe
600	ping.exe
2032	Gaara.exe
1368	csrss.exe
2808	smss.exe
1444	Gaara.exe
1080	csrss.exe
1592	Kazekage.exe
2196	smss.exe
2464	Gaara.exe
1736	csrss.exe
832	Kazekage.exe
2076	system32.exe
1056	smss.exe
960	Gaara.exe
1568	csrss.exe
940	Kazekage.exe
936	system32.exe
1916	system32.exe
1928	Kazekage.exe
1000	system32.exe
756	csrss.exe
2156	Kazekage.exe
1312	system32.exe
3012	ping.exe
868	conhost.exe
1772	Kazekage.exe
2108	system32.exe

Loads dropped DLL 61 IoCs

pid	Process
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2864	smss.exe
2864	smss.exe
2584	smss.exe
2864	smss.exe
2864	smss.exe
2648	Gaara.exe
2648	Gaara.exe
600	ping.exe
2032	Gaara.exe
2648	Gaara.exe
2648	Gaara.exe
1368	csrss.exe
1368	csrss.exe
2808	smss.exe
1368	csrss.exe
1444	Gaara.exe
1080	csrss.exe
1368	csrss.exe
1368	csrss.exe
1592	Kazekage.exe
2196	smss.exe
1592	Kazekage.exe
2464	Gaara.exe
1592	Kazekage.exe
1736	csrss.exe
1592	Kazekage.exe
1592	Kazekage.exe
1592	Kazekage.exe
1592	Kazekage.exe
2076	system32.exe
1056	smss.exe
2076	system32.exe
960	Gaara.exe
2076	system32.exe
1568	csrss.exe
2076	system32.exe
2076	system32.exe
2076	system32.exe
2076	system32.exe
1368	csrss.exe
1368	csrss.exe
2648	Gaara.exe
2648	Gaara.exe
2648	Gaara.exe
2648	Gaara.exe
2864	smss.exe
756	csrss.exe
2864	smss.exe
2864	smss.exe
2864	smss.exe
2864	smss.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
3012	ping.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
868	conhost.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x000700000001495c-11.dat	upx
behavioral1/memory/2864-40-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2648-92-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/600-125-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/600-129-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2032-135-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2864-174-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2808-177-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2648-199-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2196-229-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1736-235-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1368-238-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/832-239-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2076-247-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1056-264-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/960-268-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1592-269-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1568-272-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/940-275-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2076-281-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1916-284-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1928-287-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1000-290-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2156-294-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2156-297-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1312-304-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/868-311-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1772-314-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2108-317-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/3012-307-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/756-293-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1368-280-0x0000000000300000-0x000000000032A000-memory.dmp	upx
behavioral1/memory/936-279-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/936-277-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/960-265-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/832-242-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1736-237-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2464-232-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2196-228-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1592-200-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1080-191-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1444-187-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2808-180-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1368-144-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2032-136-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2240-132-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2864-83-0x00000000003B0000-0x00000000003DA000-memory.dmp	upx
behavioral1/memory/2584-80-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2240-32-0x00000000025C0000-0x00000000025EA000-memory.dmp	upx
behavioral1/files/0x00070000000146b5-30.dat	upx
behavioral1/memory/2076-324-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1592-323-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1368-322-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2648-321-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2864-320-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2240-319-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2240-331-0x00000000025C0000-0x00000000025EA000-memory.dmp	upx
behavioral1/memory/2864-438-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2648-444-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2240-437-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1368-513-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 8 - 1 - 2024\\Gaara.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "8-1-2024.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 8 - 1 - 2024\\smss.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 8 - 1 - 2024\\Gaara.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "8-1-2024.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 8 - 1 - 2024\\Gaara.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 8 - 1 - 2024\\smss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 8 - 1 - 2024\\Gaara.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 8 - 1 - 2024\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "8-1-2024.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 8 - 1 - 2024\\Gaara.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "8-1-2024.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 8 - 1 - 2024\\smss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 8 - 1 - 2024\\Gaara.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 8 - 1 - 2024\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "8-1-2024.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 8 - 1 - 2024\\smss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "8-1-2024.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	system32.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b62450e0d5c4baf54a6d2bf82640e18.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	F:\Desktop.ini	smss.exe
File opened for modification	\??\H:\Desktop.ini	smss.exe
File opened for modification	\??\R:\Desktop.ini	smss.exe
File opened for modification	D:\Desktop.ini	csrss.exe
File opened for modification	\??\Q:\Desktop.ini	csrss.exe
File opened for modification	\??\X:\Desktop.ini	Kazekage.exe
File opened for modification	\??\S:\Desktop.ini	system32.exe
File opened for modification	\??\E:\Desktop.ini	csrss.exe
File opened for modification	D:\Desktop.ini	system32.exe
File opened for modification	\??\M:\Desktop.ini	system32.exe
File opened for modification	\??\Y:\Desktop.ini	system32.exe
File opened for modification	\??\A:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\S:\Desktop.ini	Gaara.exe
File opened for modification	C:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	F:\Desktop.ini	Gaara.exe
File opened for modification	\??\Q:\Desktop.ini	Kazekage.exe
File opened for modification	\??\R:\Desktop.ini	Kazekage.exe
File opened for modification	\??\A:\Desktop.ini	system32.exe
File opened for modification	\??\O:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\V:\Desktop.ini	smss.exe
File opened for modification	\??\O:\Desktop.ini	Gaara.exe
File opened for modification	\??\L:\Desktop.ini	csrss.exe
File opened for modification	\??\M:\Desktop.ini	csrss.exe
File opened for modification	\??\O:\Desktop.ini	Kazekage.exe
File opened for modification	\??\W:\Desktop.ini	system32.exe
File opened for modification	\??\N:\Desktop.ini	csrss.exe
File opened for modification	\??\H:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\K:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\S:\Desktop.ini	smss.exe
File opened for modification	\??\H:\Desktop.ini	Gaara.exe
File opened for modification	\??\I:\Desktop.ini	Kazekage.exe
File opened for modification	C:\Desktop.ini	system32.exe
File opened for modification	\??\B:\Desktop.ini	smss.exe
File opened for modification	\??\A:\Desktop.ini	csrss.exe
File opened for modification	\??\O:\Desktop.ini	csrss.exe
File opened for modification	\??\K:\Desktop.ini	Kazekage.exe
File opened for modification	\??\T:\Desktop.ini	Kazekage.exe
File opened for modification	\??\T:\Desktop.ini	smss.exe
File opened for modification	C:\Desktop.ini	csrss.exe
File opened for modification	\??\R:\Desktop.ini	csrss.exe
File opened for modification	\??\Z:\Desktop.ini	csrss.exe
File opened for modification	\??\A:\Desktop.ini	Kazekage.exe
File opened for modification	\??\S:\Desktop.ini	Kazekage.exe
File opened for modification	\??\R:\Desktop.ini	system32.exe
File opened for modification	\??\G:\Desktop.ini	Gaara.exe
File opened for modification	\??\X:\Desktop.ini	Gaara.exe
File opened for modification	\??\J:\Desktop.ini	Kazekage.exe
File opened for modification	\??\N:\Desktop.ini	Kazekage.exe
File opened for modification	\??\P:\Desktop.ini	system32.exe
File opened for modification	\??\U:\Desktop.ini	system32.exe
File opened for modification	\??\J:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\N:\Desktop.ini	Gaara.exe
File opened for modification	\??\M:\Desktop.ini	Kazekage.exe
File opened for modification	\??\Z:\Desktop.ini	system32.exe
File opened for modification	\??\W:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\Z:\Desktop.ini	smss.exe
File opened for modification	\??\L:\Desktop.ini	Gaara.exe
File opened for modification	\??\P:\Desktop.ini	Gaara.exe
File opened for modification	\??\H:\Desktop.ini	csrss.exe
File opened for modification	\??\X:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\Z:\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\G:\Desktop.ini	smss.exe
File opened for modification	\??\J:\Desktop.ini	smss.exe
File opened for modification	\??\J:\Desktop.ini	Gaara.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Gaara.exe
File opened (read-only)	\??\Y:	Gaara.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\B:	Kazekage.exe
File opened (read-only)	\??\Q:	Kazekage.exe
File opened (read-only)	\??\G:	Gaara.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\J:	Gaara.exe
File opened (read-only)	\??\L:	Gaara.exe
File opened (read-only)	\??\G:	Kazekage.exe
File opened (read-only)	\??\R:	Kazekage.exe
File opened (read-only)	\??\X:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\R:	Gaara.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\K:	Kazekage.exe
File opened (read-only)	\??\G:	system32.exe
File opened (read-only)	\??\X:	system32.exe
File opened (read-only)	\??\W:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\U:	Gaara.exe
File opened (read-only)	\??\W:	Gaara.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\A:	Kazekage.exe
File opened (read-only)	\??\N:	system32.exe
File opened (read-only)	\??\W:	system32.exe
File opened (read-only)	\??\A:	Gaara.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\Q:	Gaara.exe
File opened (read-only)	\??\V:	Gaara.exe
File opened (read-only)	\??\H:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\N:	Gaara.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\J:	Kazekage.exe
File opened (read-only)	\??\B:	system32.exe
File opened (read-only)	\??\J:	system32.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\O:	Gaara.exe
File opened (read-only)	\??\Z:	system32.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\S:	Kazekage.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\S:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\I:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\B:	Gaara.exe
File opened (read-only)	\??\K:	Gaara.exe
File opened (read-only)	\??\P:	Gaara.exe
File opened (read-only)	\??\P:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\L:	Kazekage.exe
File opened (read-only)	\??\T:	system32.exe
File opened (read-only)	\??\E:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\U:	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened (read-only)	\??\M:	Gaara.exe
File opened (read-only)	\??\S:	Gaara.exe
File opened (read-only)	\??\O:	Kazekage.exe
File opened (read-only)	\??\I:	system32.exe
File opened (read-only)	\??\R:	4b62450e0d5c4baf54a6d2bf82640e18.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\X:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\E:\Autorun.inf	smss.exe
File created	\??\S:\Autorun.inf	Gaara.exe
File opened for modification	\??\A:\Autorun.inf	csrss.exe
File opened for modification	\??\O:\Autorun.inf	csrss.exe
File opened for modification	\??\X:\Autorun.inf	csrss.exe
File opened for modification	\??\W:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\Q:\Autorun.inf	smss.exe
File created	\??\M:\Autorun.inf	Gaara.exe
File opened for modification	\??\S:\Autorun.inf	smss.exe
File opened for modification	\??\X:\Autorun.inf	smss.exe
File created	\??\N:\Autorun.inf	Gaara.exe
File created	\??\V:\Autorun.inf	Gaara.exe
File opened for modification	\??\G:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\J:\Autorun.inf	smss.exe
File created	F:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\H:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\O:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\K:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	F:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\S:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\S:\Autorun.inf	smss.exe
File opened for modification	\??\Z:\Autorun.inf	smss.exe
File opened for modification	\??\W:\Autorun.inf	csrss.exe
File opened for modification	\??\Y:\Autorun.inf	csrss.exe
File opened for modification	\??\H:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\Q:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\G:\Autorun.inf	csrss.exe
File created	\??\Q:\Autorun.inf	csrss.exe
File created	\??\S:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\H:\Autorun.inf	csrss.exe
File opened for modification	\??\U:\Autorun.inf	csrss.exe
File created	\??\U:\Autorun.inf	csrss.exe
File created	C:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	F:\Autorun.inf	Gaara.exe
File created	\??\E:\Autorun.inf	csrss.exe
File opened for modification	\??\M:\Autorun.inf	csrss.exe
File opened for modification	\??\N:\Autorun.inf	csrss.exe
File opened for modification	\??\R:\Autorun.inf	csrss.exe
File opened for modification	\??\M:\Autorun.inf	Gaara.exe
File created	\??\R:\Autorun.inf	Gaara.exe
File opened for modification	\??\S:\Autorun.inf	Gaara.exe
File created	\??\Z:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\I:\Autorun.inf	smss.exe
File created	\??\L:\Autorun.inf	smss.exe
File created	\??\N:\Autorun.inf	smss.exe
File opened for modification	\??\J:\Autorun.inf	csrss.exe
File created	\??\L:\Autorun.inf	csrss.exe
File opened for modification	\??\L:\Autorun.inf	Gaara.exe
File created	\??\R:\Autorun.inf	csrss.exe
File created	\??\G:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	\??\K:\Autorun.inf	smss.exe
File created	\??\M:\Autorun.inf	smss.exe
File created	\??\O:\Autorun.inf	csrss.exe
File created	D:\Autorun.inf	Gaara.exe
File created	\??\J:\Autorun.inf	Gaara.exe
File opened for modification	\??\W:\Autorun.inf	Gaara.exe
File created	\??\T:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	\??\W:\Autorun.inf	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	D:\Autorun.inf	smss.exe
File created	\??\K:\Autorun.inf	csrss.exe
File created	\??\R:\Autorun.inf	smss.exe
File opened for modification	\??\K:\Autorun.inf	Gaara.exe
File opened for modification	\??\G:\Autorun.inf	csrss.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	csrss.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	smss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\	smss.exe
File created	C:\Windows\SysWOW64\8-1-2024.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	Gaara.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\SysWOW64\Desktop.ini	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\	Gaara.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	Kazekage.exe
File created	C:\Windows\WBEM\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	csrss.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	Gaara.exe
File opened for modification	C:\Windows\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\system\mscoree.dll	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	csrss.exe
File opened for modification	C:\Windows\system\mscoree.dll	system32.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	Gaara.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	csrss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	csrss.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	Gaara.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	system32.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	csrss.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\	Gaara.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	system32.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	Gaara.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	system32.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\The Kazekage.jpg	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	csrss.exe
File created	C:\Windows\mscomctl.ocx	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\system\mscoree.dll	csrss.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	Kazekage.exe
File opened for modification	C:\Windows\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\system\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	csrss.exe
File created	C:\Windows\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	csrss.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	Kazekage.exe
File opened for modification	C:\Windows\mscomctl.ocx	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\WBEM\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\system\mscoree.dll	Kazekage.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	smss.exe
File opened for modification	C:\Windows\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	system32.exe

Modifies Control Panel 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\WallpaperStyle = "2"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\WallpaperStyle = "2"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Size = "72"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\WallpaperStyle = "2"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\WallpaperStyle = "2"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\WallpaperStyle = "2"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Size = "72"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	csrss.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Kazekage.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	system32.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

pid	Process
2044	ping.exe
1972	ping.exe
2252	ping.exe
1108	ping.exe
540	ping.exe
2100	ping.exe
2440	ping.exe
1096	ping.exe
2424	ping.exe
1440	ping.exe
1016	ping.exe
1076	ping.exe
2948	ping.exe
1536	ping.exe
2344	ping.exe
2672	ping.exe
2676	ping.exe
1596	ping.exe
2536	ping.exe
2588	ping.exe
600	ping.exe
2760	ping.exe
1080	ping.exe
3052	ping.exe
1828	ping.exe
476	ping.exe
1752	ping.exe
3012	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	system32.exe
1592	Kazekage.exe
2076	system32.exe
1592	Kazekage.exe
2076	system32.exe
1592	Kazekage.exe
2076	system32.exe
1592	Kazekage.exe
2076	system32.exe
1592	Kazekage.exe
1592	Kazekage.exe
2076	system32.exe
2076	system32.exe
1592	Kazekage.exe
1592	Kazekage.exe
2076	system32.exe
1592	Kazekage.exe
2076	system32.exe
1592	Kazekage.exe
1592	Kazekage.exe
2076	system32.exe
1592	Kazekage.exe
2076	system32.exe
2076	system32.exe
1368	csrss.exe
1368	csrss.exe
1368	csrss.exe
2648	Gaara.exe
1368	csrss.exe
1368	csrss.exe
2648	Gaara.exe
1368	csrss.exe
2648	Gaara.exe
1368	csrss.exe
1368	csrss.exe
2648	Gaara.exe
2648	Gaara.exe
1368	csrss.exe
2648	Gaara.exe
1368	csrss.exe
2648	Gaara.exe
1368	csrss.exe
2648	Gaara.exe
1368	csrss.exe
2648	Gaara.exe
2648	Gaara.exe
2648	Gaara.exe
2648	Gaara.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2864	smss.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2864	smss.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2864	smss.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2864	smss.exe
2864	smss.exe
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2240	4b62450e0d5c4baf54a6d2bf82640e18.exe
2864	smss.exe
2584	smss.exe
2648	Gaara.exe
600	ping.exe
2032	Gaara.exe
1368	csrss.exe
2808	smss.exe
1444	Gaara.exe
1080	csrss.exe
1592	Kazekage.exe
2196	smss.exe
2464	Gaara.exe
1736	csrss.exe
832	Kazekage.exe
2076	system32.exe
1056	smss.exe
960	Gaara.exe
1568	csrss.exe
940	Kazekage.exe
936	system32.exe
1916	system32.exe
1928	Kazekage.exe
1000	system32.exe
756	csrss.exe
2156	Kazekage.exe
1312	system32.exe
3012	ping.exe
868	conhost.exe
1772	Kazekage.exe
2108	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2864	2240	4b62450e0d5c4baf54a6d2bf82640e18.exe	48
PID 2240 wrote to memory of 2864	2240	4b62450e0d5c4baf54a6d2bf82640e18.exe	48
PID 2240 wrote to memory of 2864	2240	4b62450e0d5c4baf54a6d2bf82640e18.exe	48
PID 2240 wrote to memory of 2864	2240	4b62450e0d5c4baf54a6d2bf82640e18.exe	48
PID 2864 wrote to memory of 2584	2864	smss.exe	47
PID 2864 wrote to memory of 2584	2864	smss.exe	47
PID 2864 wrote to memory of 2584	2864	smss.exe	47
PID 2864 wrote to memory of 2584	2864	smss.exe	47
PID 2864 wrote to memory of 2648	2864	smss.exe	46
PID 2864 wrote to memory of 2648	2864	smss.exe	46
PID 2864 wrote to memory of 2648	2864	smss.exe	46
PID 2864 wrote to memory of 2648	2864	smss.exe	46
PID 2648 wrote to memory of 600	2648	Gaara.exe	63
PID 2648 wrote to memory of 600	2648	Gaara.exe	63
PID 2648 wrote to memory of 600	2648	Gaara.exe	63
PID 2648 wrote to memory of 600	2648	Gaara.exe	63
PID 2648 wrote to memory of 2032	2648	Gaara.exe	44
PID 2648 wrote to memory of 2032	2648	Gaara.exe	44
PID 2648 wrote to memory of 2032	2648	Gaara.exe	44
PID 2648 wrote to memory of 2032	2648	Gaara.exe	44
PID 2648 wrote to memory of 1368	2648	Gaara.exe	43
PID 2648 wrote to memory of 1368	2648	Gaara.exe	43
PID 2648 wrote to memory of 1368	2648	Gaara.exe	43
PID 2648 wrote to memory of 1368	2648	Gaara.exe	43
PID 1368 wrote to memory of 2808	1368	csrss.exe	42
PID 1368 wrote to memory of 2808	1368	csrss.exe	42
PID 1368 wrote to memory of 2808	1368	csrss.exe	42
PID 1368 wrote to memory of 2808	1368	csrss.exe	42
PID 1368 wrote to memory of 1444	1368	csrss.exe	41
PID 1368 wrote to memory of 1444	1368	csrss.exe	41
PID 1368 wrote to memory of 1444	1368	csrss.exe	41
PID 1368 wrote to memory of 1444	1368	csrss.exe	41
PID 1368 wrote to memory of 1080	1368	csrss.exe	40
PID 1368 wrote to memory of 1080	1368	csrss.exe	40
PID 1368 wrote to memory of 1080	1368	csrss.exe	40
PID 1368 wrote to memory of 1080	1368	csrss.exe	40
PID 1368 wrote to memory of 1592	1368	csrss.exe	39
PID 1368 wrote to memory of 1592	1368	csrss.exe	39
PID 1368 wrote to memory of 1592	1368	csrss.exe	39
PID 1368 wrote to memory of 1592	1368	csrss.exe	39
PID 1592 wrote to memory of 2196	1592	Kazekage.exe	38
PID 1592 wrote to memory of 2196	1592	Kazekage.exe	38
PID 1592 wrote to memory of 2196	1592	Kazekage.exe	38
PID 1592 wrote to memory of 2196	1592	Kazekage.exe	38
PID 1592 wrote to memory of 2464	1592	Kazekage.exe	37
PID 1592 wrote to memory of 2464	1592	Kazekage.exe	37
PID 1592 wrote to memory of 2464	1592	Kazekage.exe	37
PID 1592 wrote to memory of 2464	1592	Kazekage.exe	37
PID 1592 wrote to memory of 1736	1592	Kazekage.exe	36
PID 1592 wrote to memory of 1736	1592	Kazekage.exe	36
PID 1592 wrote to memory of 1736	1592	Kazekage.exe	36
PID 1592 wrote to memory of 1736	1592	Kazekage.exe	36
PID 1592 wrote to memory of 832	1592	Kazekage.exe	35
PID 1592 wrote to memory of 832	1592	Kazekage.exe	35
PID 1592 wrote to memory of 832	1592	Kazekage.exe	35
PID 1592 wrote to memory of 832	1592	Kazekage.exe	35
PID 1592 wrote to memory of 2076	1592	Kazekage.exe	34
PID 1592 wrote to memory of 2076	1592	Kazekage.exe	34
PID 1592 wrote to memory of 2076	1592	Kazekage.exe	34
PID 1592 wrote to memory of 2076	1592	Kazekage.exe	34
PID 2076 wrote to memory of 1056	2076	system32.exe	33
PID 2076 wrote to memory of 1056	2076	system32.exe	33
PID 2076 wrote to memory of 1056	2076	system32.exe	33
PID 2076 wrote to memory of 1056	2076	system32.exe	33

System policy modification 1 TTPs 12 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

C:\Users\Admin\AppData\Local\Temp\4b62450e0d5c4baf54a6d2bf82640e18.exe
"C:\Users\Admin\AppData\Local\Temp\4b62450e0d5c4baf54a6d2bf82640e18.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240
- C:\Windows\SysWOW64\drivers\system32.exe
  C:\Windows\system32\drivers\system32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Windows\SysWOW64\drivers\Kazekage.exe
  C:\Windows\system32\drivers\Kazekage.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1772
- C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
  "C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
  2⤵
  PID:868
- C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
  "C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
  2⤵
  PID:3012
- C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
  "C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2864
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:1440
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:1596
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:2252
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:2536
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:1096
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Runs ping.exe
  - Suspicious use of SetWindowsHookEx
  PID:600
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2760
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1016
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2440
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1972

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2076
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:2948
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2672
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2044
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1752

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1592
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:1828
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:2100
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:2676
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:476

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1368
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:3052
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Runs ping.exe
  - Suspicious use of SetWindowsHookEx
  PID:3012
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:1076
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:540
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2588
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1080

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
PID:600

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2648
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1536
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2344
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:2424
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:1108

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "388075812159036114-1751460445917817022-309343870336559399-1359962182-1074611936"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry