3a4cfef0dd9bf37f93a93d978cc9c0a12fe4235d4d3e5507c7bf4777c5a33348

Analysis

max time kernel
0s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b62450e0d5c4baf54a6d2bf82640e18.exe
Size

67KB
MD5

4b62450e0d5c4baf54a6d2bf82640e18
SHA1

c355bd0767be42aef88fbe4b33348ca767f9af11
SHA256

3a4cfef0dd9bf37f93a93d978cc9c0a12fe4235d4d3e5507c7bf4777c5a33348
SHA512

9036cd6b6225c268c30a68c659d52852159b3d0c7742bf664e7a7e76381a1fe45143832b1916f862034d03f18e04181973a207c3aa677ca42bb093afecadd897
SSDEEP

1536:k7OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJJ:yV5998K3WQ8fjEXKgZfnhfxuJ

Score

8^/10

ransomware upx

Malware Config

Signatures

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe

Executes dropped EXE 4 IoCs

pid	Process
1588	smss.exe
2784	smss.exe
2000	Gaara.exe
396	Conhost.exe

Loads dropped DLL 4 IoCs

pid	Process
1588	smss.exe
2784	smss.exe
2000	Gaara.exe
396	Conhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3812-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0006000000023215-68.dat	upx
behavioral2/memory/2000-76-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2784-79-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2676-121-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/864-152-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/468-157-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3812-166-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1900-168-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1652-191-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0006000000023216-193.dat	upx
behavioral2/memory/4336-202-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1080-206-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4352-213-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x000600000002321a-212.dat	upx
behavioral2/memory/2676-231-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3016-234-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4504-237-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3208-241-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3208-246-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1884-245-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/928-251-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/928-253-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4868-256-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4868-257-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2320-260-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4352-267-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1236-266-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4556-270-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4556-271-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1576-274-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1976-277-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/388-280-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2140-283-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2984-286-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1884-249-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1900-244-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1892-240-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4464-209-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0006000000023219-205.dat	upx
behavioral2/memory/2000-201-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0006000000023217-199.dat	upx
behavioral2/memory/1652-195-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4336-194-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1588-188-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3688-161-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3688-156-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x000600000002321a-135.dat	upx
behavioral2/memory/1556-119-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1556-113-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/396-112-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x000600000002321a-98.dat	upx
behavioral2/files/0x0006000000023219-91.dat	upx
behavioral2/files/0x0006000000023218-90.dat	upx
behavioral2/files/0x000600000002321a-57.dat	upx
behavioral2/files/0x0006000000023219-53.dat	upx
behavioral2/files/0x0006000000023218-49.dat	upx
behavioral2/files/0x0006000000023217-45.dat	upx
behavioral2/memory/1588-33-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1588-288-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/3812-287-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2000-289-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4352-292-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1900-291-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	smss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\8-1-2024.exe	Gaara.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File created	C:\Windows\SysWOW64\8-1-2024.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	smss.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	Gaara.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\The Kazekage.jpg	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	smss.exe
File opened for modification	C:\Windows\system\mscoree.dll	smss.exe
File opened for modification	C:\Windows\system\mscoree.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\system\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\system\mscoree.dll	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	Gaara.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	smss.exe
File opened for modification	C:\Windows\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	Gaara.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\WBEM\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\msvbvm60.dll	4b62450e0d5c4baf54a6d2bf82640e18.exe
File created	C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe	4b62450e0d5c4baf54a6d2bf82640e18.exe
File opened for modification	C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe	Gaara.exe

Modifies Control Panel 9 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallpaperStyle = "2"	4b62450e0d5c4baf54a6d2bf82640e18.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallpaperStyle = "2"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallpaperStyle = "2"	Gaara.exe

Runs ping.exe 1 TTPs 36 IoCs

Remote System Discovery

T1018

pid	Process
3772	ping.exe
1768	ping.exe
2872	ping.exe
3320	ping.exe
3000	ping.exe
2504	ping.exe
4696	ping.exe
344	ping.exe
2952	ping.exe
948	ping.exe
4540	ping.exe
4540	ping.exe
932	ping.exe
540	ping.exe
4824	ping.exe
3880	ping.exe
748	ping.exe
536	ping.exe
4720	ping.exe
3084	ping.exe
1832	ping.exe
4792	ping.exe
2368	ping.exe
1996	ping.exe
1164	ping.exe
1204	ping.exe
3512	ping.exe
3740	ping.exe
812	ping.exe
1612	ping.exe
1080	ping.exe
4724	ping.exe
3400	ping.exe
3480	ping.exe
4176	ping.exe
4804	ping.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3812	4b62450e0d5c4baf54a6d2bf82640e18.exe
1588	smss.exe
2784	smss.exe
2000	Gaara.exe
396	Conhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 1588	3812	4b62450e0d5c4baf54a6d2bf82640e18.exe	56
PID 3812 wrote to memory of 1588	3812	4b62450e0d5c4baf54a6d2bf82640e18.exe	56
PID 3812 wrote to memory of 1588	3812	4b62450e0d5c4baf54a6d2bf82640e18.exe	56
PID 1588 wrote to memory of 2784	1588	smss.exe	55
PID 1588 wrote to memory of 2784	1588	smss.exe	55
PID 1588 wrote to memory of 2784	1588	smss.exe	55
PID 1588 wrote to memory of 2000	1588	smss.exe	54
PID 1588 wrote to memory of 2000	1588	smss.exe	54
PID 1588 wrote to memory of 2000	1588	smss.exe	54
PID 2000 wrote to memory of 396	2000	Gaara.exe	137
PID 2000 wrote to memory of 396	2000	Gaara.exe	137
PID 2000 wrote to memory of 396	2000	Gaara.exe	137

C:\Users\Admin\AppData\Local\Temp\4b62450e0d5c4baf54a6d2bf82640e18.exe
"C:\Users\Admin\AppData\Local\Temp\4b62450e0d5c4baf54a6d2bf82640e18.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
  "C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
  2⤵
  PID:1976
- C:\Windows\SysWOW64\drivers\system32.exe
  C:\Windows\system32\drivers\system32.exe
  2⤵
  PID:2984
- C:\Windows\SysWOW64\drivers\Kazekage.exe
  C:\Windows\system32\drivers\Kazekage.exe
  2⤵
  PID:2140
- C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
  "C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
  2⤵
  PID:388
- C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
  "C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:536
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:3512
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:812
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:4696
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:1612
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:344
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1996
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:1768
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:3400
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2952
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:4824
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:3320

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
PID:3688

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
PID:2320

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
PID:1576

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
PID:4556

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
PID:1236

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
PID:4868

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
PID:928

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
PID:1884

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
PID:3208

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
PID:1892

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
PID:4504

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
PID:3016

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
1⤵
PID:4352
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1164
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2872
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:4540
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:540
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:3000
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:4792

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
PID:4464

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
PID:1080

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
PID:4336

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
PID:1652

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
1⤵
PID:1900
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:3772
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:3740
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1832
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:932
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1080
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:4804

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
PID:468

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
PID:864

C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\csrss.exe"
1⤵
PID:2676
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:4720
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:3084
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:948
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:4540
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:3880
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:3480

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
PID:1556

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
PID:396

C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\Gaara.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:4724
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2368
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1204
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2504
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:748
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:4176

C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe
"C:\Windows\Fonts\Admin 8 - 1 - 2024\smss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact