997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Gaara.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Kazekage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Gaara.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Kazekage.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

UPX dump on OEP (original entry point) 54 IoCs

resource	yara_rule
behavioral1/memory/2884-0-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/files/0x0009000000015626-11.dat	UPX
behavioral1/files/0x0007000000015605-30.dat	UPX
behavioral1/memory/2884-31-0x00000000005D0000-0x00000000005FB000-memory.dmp	UPX
behavioral1/files/0x0009000000015b6f-54.dat	UPX
behavioral1/files/0x0009000000015626-50.dat	UPX
behavioral1/files/0x0008000000015c52-62.dat	UPX
behavioral1/files/0x0008000000015c3d-58.dat	UPX
behavioral1/files/0x000a000000015616-46.dat	UPX
behavioral1/memory/2612-77-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2612-80-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2472-93-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/files/0x0008000000015c52-110.dat	UPX
behavioral1/files/0x0008000000015c3d-106.dat	UPX
behavioral1/files/0x0009000000015b6f-102.dat	UPX
behavioral1/files/0x0009000000015626-98.dat	UPX
behavioral1/memory/1984-129-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1188-131-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2536-149-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/files/0x0008000000015c52-158.dat	UPX
behavioral1/files/0x0008000000015c3d-154.dat	UPX
behavioral1/files/0x0009000000015b6f-150.dat	UPX
behavioral1/memory/2884-171-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1712-176-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2272-185-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2088-189-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1436-199-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2188-191-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2188-190-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2472-223-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1916-233-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1436-238-0x0000000000290000-0x00000000002BB000-memory.dmp	UPX
behavioral1/memory/2336-241-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1056-249-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1188-246-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2536-263-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1560-270-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1628-281-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1436-280-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/844-275-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/400-288-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/900-292-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1056-303-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/3064-302-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/3064-297-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/1628-282-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/844-273-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/2092-266-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/files/0x0008000000015c52-245.dat	UPX
behavioral1/memory/1916-236-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/572-232-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/284-228-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/memory/284-227-0x0000000000400000-0x000000000042B000-memory.dmp	UPX
behavioral1/files/0x0002000000010f02-1037.dat	UPX

Disables RegEdit via registry modification 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Gaara.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Kazekage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	system32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del"	smss.exe

Executes dropped EXE 30 IoCs

pid	Process
2088	smss.exe
2612	smss.exe
2472	Gaara.exe
1984	smss.exe
1188	Gaara.exe
2536	csrss.exe
1712	smss.exe
2272	Gaara.exe
2188	csrss.exe
1436	Kazekage.exe
284	smss.exe
572	Gaara.exe
1916	csrss.exe
2336	Kazekage.exe
1056	system32.exe
2092	smss.exe
1560	Gaara.exe
844	csrss.exe
1628	Kazekage.exe
400	system32.exe
900	system32.exe
3064	Kazekage.exe
2840	system32.exe
1564	csrss.exe
884	Kazekage.exe
2312	system32.exe
1836	Gaara.exe
2960	csrss.exe
3028	Kazekage.exe
2152	system32.exe

Loads dropped DLL 62 IoCs

pid	Process
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2088	smss.exe
2088	smss.exe
2612	smss.exe
2088	smss.exe
2088	smss.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
1984	smss.exe
1188	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2536	csrss.exe
2536	csrss.exe
1712	smss.exe
2536	csrss.exe
2272	Gaara.exe
2188	csrss.exe
2536	csrss.exe
2536	csrss.exe
1436	Kazekage.exe
284	smss.exe
1436	Kazekage.exe
572	Gaara.exe
1436	Kazekage.exe
1916	csrss.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1056	system32.exe
2092	smss.exe
1056	system32.exe
1560	Gaara.exe
1056	system32.exe
844	csrss.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
2536	csrss.exe
2536	csrss.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2088	smss.exe
1564	csrss.exe
2088	smss.exe
2088	smss.exe
2088	smss.exe
2088	smss.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
1836	Gaara.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2960	csrss.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0009000000015626-11.dat	upx
behavioral1/files/0x0007000000015605-30.dat	upx
behavioral1/memory/2884-31-0x00000000005D0000-0x00000000005FB000-memory.dmp	upx
behavioral1/files/0x0009000000015b6f-54.dat	upx
behavioral1/files/0x0009000000015626-50.dat	upx
behavioral1/files/0x0008000000015c52-62.dat	upx
behavioral1/files/0x0008000000015c3d-58.dat	upx
behavioral1/files/0x000a000000015616-46.dat	upx
behavioral1/memory/2612-77-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2612-80-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2472-93-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0008000000015c52-110.dat	upx
behavioral1/files/0x0008000000015c3d-106.dat	upx
behavioral1/files/0x0009000000015b6f-102.dat	upx
behavioral1/files/0x0009000000015626-98.dat	upx
behavioral1/memory/1984-129-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1188-131-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2536-149-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0008000000015c52-158.dat	upx
behavioral1/files/0x0008000000015c3d-154.dat	upx
behavioral1/files/0x0009000000015b6f-150.dat	upx
behavioral1/memory/2884-171-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1712-176-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2272-185-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2088-189-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1436-199-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2188-191-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2188-190-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2472-223-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1916-233-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1436-238-0x0000000000290000-0x00000000002BB000-memory.dmp	upx
behavioral1/memory/2336-241-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1056-249-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1188-246-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2536-263-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1560-270-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1628-281-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1436-280-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/844-275-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/400-288-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/900-292-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1056-303-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/3064-302-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/3064-297-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1628-282-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/844-273-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2092-266-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0008000000015c52-245.dat	upx
behavioral1/memory/1916-236-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/572-232-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/284-228-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/284-227-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/files/0x0002000000010f02-1037.dat	upx

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 9 - 4 - 2024\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "9-4-2024.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 4 - 2024\\Gaara.exe"	Kazekage.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	\??\H:\Desktop.ini	system32.exe
File opened for modification	\??\J:\Desktop.ini	system32.exe
File opened for modification	\??\I:\Desktop.ini	smss.exe
File opened for modification	\??\S:\Desktop.ini	system32.exe
File opened for modification	C:\Desktop.ini	csrss.exe
File opened for modification	\??\N:\Desktop.ini	csrss.exe
File opened for modification	\??\O:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\P:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\X:\Desktop.ini	system32.exe
File opened for modification	\??\N:\Desktop.ini	smss.exe
File opened for modification	\??\H:\Desktop.ini	Gaara.exe
File opened for modification	\??\N:\Desktop.ini	Kazekage.exe
File opened for modification	\??\E:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\K:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\L:\Desktop.ini	Gaara.exe
File opened for modification	\??\M:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\W:\Desktop.ini	system32.exe
File opened for modification	\??\O:\Desktop.ini	csrss.exe
File opened for modification	\??\S:\Desktop.ini	Kazekage.exe
File opened for modification	\??\S:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\T:\Desktop.ini	system32.exe
File opened for modification	\??\O:\Desktop.ini	smss.exe
File opened for modification	\??\V:\Desktop.ini	smss.exe
File opened for modification	F:\Desktop.ini	Gaara.exe
File opened for modification	\??\U:\Desktop.ini	Gaara.exe
File opened for modification	\??\P:\Desktop.ini	csrss.exe
File opened for modification	\??\M:\Desktop.ini	Kazekage.exe
File opened for modification	\??\E:\Desktop.ini	Kazekage.exe
File opened for modification	\??\J:\Desktop.ini	Kazekage.exe
File opened for modification	\??\U:\Desktop.ini	Kazekage.exe
File opened for modification	\??\Y:\Desktop.ini	Kazekage.exe
File opened for modification	\??\B:\Desktop.ini	Gaara.exe
File opened for modification	\??\Q:\Desktop.ini	csrss.exe
File opened for modification	\??\A:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\Y:\Desktop.ini	smss.exe
File opened for modification	\??\L:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\G:\Desktop.ini	system32.exe
File opened for modification	\??\Q:\Desktop.ini	Gaara.exe
File opened for modification	\??\R:\Desktop.ini	csrss.exe
File opened for modification	\??\T:\Desktop.ini	csrss.exe
File opened for modification	F:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\V:\Desktop.ini	Kazekage.exe
File opened for modification	\??\W:\Desktop.ini	Kazekage.exe
File opened for modification	\??\H:\Desktop.ini	smss.exe
File opened for modification	\??\V:\Desktop.ini	system32.exe
File opened for modification	\??\V:\Desktop.ini	Gaara.exe
File opened for modification	D:\Desktop.ini	csrss.exe
File opened for modification	\??\B:\Desktop.ini	Kazekage.exe
File opened for modification	C:\Desktop.ini	Kazekage.exe
File opened for modification	\??\Z:\Desktop.ini	system32.exe
File opened for modification	\??\X:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\A:\Desktop.ini	system32.exe
File opened for modification	\??\B:\Desktop.ini	system32.exe
File opened for modification	\??\A:\Desktop.ini	smss.exe
File opened for modification	\??\Z:\Desktop.ini	smss.exe
File opened for modification	\??\B:\Desktop.ini	csrss.exe
File opened for modification	\??\X:\Desktop.ini	csrss.exe
File opened for modification	\??\P:\Desktop.ini	system32.exe
File opened for modification	\??\U:\Desktop.ini	system32.exe
File opened for modification	\??\A:\Desktop.ini	Gaara.exe
File opened for modification	\??\X:\Desktop.ini	Kazekage.exe
File opened for modification	\??\J:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\W:\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\M:\Desktop.ini	smss.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\Q:	Kazekage.exe
File opened (read-only)	\??\T:	Kazekage.exe
File opened (read-only)	\??\O:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\V:	Gaara.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\B:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\Y:	Gaara.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\W:	Kazekage.exe
File opened (read-only)	\??\E:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\T:	system32.exe
File opened (read-only)	\??\L:	Gaara.exe
File opened (read-only)	\??\L:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\H:	Kazekage.exe
File opened (read-only)	\??\X:	Kazekage.exe
File opened (read-only)	\??\R:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\L:	Kazekage.exe
File opened (read-only)	\??\S:	Kazekage.exe
File opened (read-only)	\??\I:	system32.exe
File opened (read-only)	\??\P:	Gaara.exe
File opened (read-only)	\??\I:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\P:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\K:	system32.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\R:	Kazekage.exe
File opened (read-only)	\??\J:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\Y:	system32.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\B:	system32.exe
File opened (read-only)	\??\O:	system32.exe
File opened (read-only)	\??\U:	Gaara.exe
File opened (read-only)	\??\S:	Gaara.exe
File opened (read-only)	\??\Z:	Gaara.exe
File opened (read-only)	\??\V:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\H:	system32.exe
File opened (read-only)	\??\M:	system32.exe
File opened (read-only)	\??\M:	Gaara.exe
File opened (read-only)	\??\G:	system32.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\X:	Gaara.exe
File opened (read-only)	\??\U:	Kazekage.exe
File opened (read-only)	\??\Q:	Gaara.exe
File opened (read-only)	\??\A:	Kazekage.exe
File opened (read-only)	\??\W:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\X:	system32.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\T:	Gaara.exe
File opened (read-only)	\??\O:	Kazekage.exe
File opened (read-only)	\??\S:	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\E:	Kazekage.exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\R:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	\??\I:\Autorun.inf	system32.exe
File created	D:\Autorun.inf	Kazekage.exe
File opened for modification	\??\S:\Autorun.inf	Kazekage.exe
File created	\??\S:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\V:\Autorun.inf	csrss.exe
File created	\??\B:\Autorun.inf	Kazekage.exe
File opened for modification	\??\K:\Autorun.inf	system32.exe
File opened for modification	\??\U:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	\??\A:\Autorun.inf	csrss.exe
File created	\??\S:\Autorun.inf	system32.exe
File opened for modification	\??\R:\Autorun.inf	csrss.exe
File opened for modification	\??\T:\Autorun.inf	csrss.exe
File opened for modification	\??\M:\Autorun.inf	system32.exe
File created	\??\Q:\Autorun.inf	Kazekage.exe
File opened for modification	\??\B:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Autorun.inf	Gaara.exe
File opened for modification	\??\N:\Autorun.inf	Gaara.exe
File created	\??\M:\Autorun.inf	csrss.exe
File created	D:\Autorun.inf	smss.exe
File created	\??\K:\Autorun.inf	smss.exe
File created	\??\L:\Autorun.inf	smss.exe
File opened for modification	\??\A:\Autorun.inf	system32.exe
File opened for modification	\??\Z:\Autorun.inf	Gaara.exe
File created	\??\S:\Autorun.inf	csrss.exe
File created	\??\Y:\Autorun.inf	Kazekage.exe
File opened for modification	D:\Autorun.inf	Gaara.exe
File opened for modification	F:\Autorun.inf	Kazekage.exe
File opened for modification	\??\I:\Autorun.inf	Kazekage.exe
File opened for modification	\??\L:\Autorun.inf	Kazekage.exe
File opened for modification	\??\U:\Autorun.inf	Kazekage.exe
File created	\??\W:\Autorun.inf	Kazekage.exe
File created	\??\E:\Autorun.inf	smss.exe
File opened for modification	\??\Y:\Autorun.inf	smss.exe
File opened for modification	\??\Q:\Autorun.inf	Gaara.exe
File created	\??\V:\Autorun.inf	system32.exe
File created	\??\R:\Autorun.inf	system32.exe
File opened for modification	\??\T:\Autorun.inf	smss.exe
File created	\??\B:\Autorun.inf	Gaara.exe
File created	\??\I:\Autorun.inf	Gaara.exe
File opened for modification	\??\E:\Autorun.inf	csrss.exe
File created	\??\H:\Autorun.inf	csrss.exe
File opened for modification	\??\U:\Autorun.inf	system32.exe
File created	\??\G:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\Z:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\O:\Autorun.inf	smss.exe
File opened for modification	\??\K:\Autorun.inf	Gaara.exe
File opened for modification	F:\Autorun.inf	system32.exe
File opened for modification	\??\W:\Autorun.inf	system32.exe
File created	\??\U:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	\??\I:\Autorun.inf	smss.exe
File created	\??\Y:\Autorun.inf	smss.exe
File opened for modification	\??\M:\Autorun.inf	csrss.exe
File opened for modification	\??\Z:\Autorun.inf	smss.exe
File opened for modification	C:\Autorun.inf	system32.exe
File created	\??\W:\Autorun.inf	system32.exe
File opened for modification	\??\H:\Autorun.inf	Kazekage.exe
File opened for modification	\??\Y:\Autorun.inf	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	\??\M:\Autorun.inf	smss.exe
File created	\??\N:\Autorun.inf	smss.exe
File created	\??\W:\Autorun.inf	smss.exe
File opened for modification	\??\Z:\Autorun.inf	Kazekage.exe
File opened for modification	\??\Q:\Autorun.inf	csrss.exe
File created	\??\L:\Autorun.inf	Kazekage.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\9-4-2024.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\9-4-2024.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\9-4-2024.exe	system32.exe
File created	C:\Windows\SysWOW64\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	system32.exe
File opened for modification	C:\Windows\SysWOW64\9-4-2024.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Kazekage.exe
File created	C:\Windows\SysWOW64\9-4-2024.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	system32.exe
File opened for modification	C:\Windows\SysWOW64\9-4-2024.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\9-4-2024.exe	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Gaara.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\	Kazekage.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\	smss.exe
File opened for modification	C:\Windows\SysWOW64\	system32.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\msvbvm60.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\WBEM\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\msvbvm60.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\WBEM\msvbvm60.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe	Gaara.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe	csrss.exe
File opened for modification	C:\Windows\	smss.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\system\mscoree.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	csrss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\system\mscoree.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	Kazekage.exe
File opened for modification	C:\Windows\system\mscoree.dll	system32.exe
File created	C:\Windows\mscomctl.ocx	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	Kazekage.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\system\msvbvm60.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	smss.exe
File opened for modification	C:\Windows\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\system\mscoree.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	Kazekage.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	smss.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	csrss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	system32.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	system32.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	csrss.exe
File opened for modification	C:\Windows\system\mscoree.dll	Kazekage.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	Gaara.exe
File created	C:\Windows\WBEM\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe	Kazekage.exe
File opened for modification	C:\Windows\	Kazekage.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File created	C:\Windows\Fonts\The Kazekage.jpg	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe	csrss.exe
File created	C:\Windows\Fonts\Admin 9 - 4 - 2024\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
File opened for modification	C:\Windows\mscomctl.ocx	system32.exe

Modifies Control Panel 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "2"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee\Size = "72"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Screen Saver.Marquee	system32.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	smss.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Kazekage.exe

Runs ping.exe 1 TTPs 36 IoCs

Remote System Discovery

T1018

pid	Process
2436	ping.exe
2980	ping.exe
1732	ping.exe
1872	ping.exe
2768	ping.exe
2308	ping.exe
2300	ping.exe
1760	ping.exe
2800	ping.exe
1804	ping.exe
1580	ping.exe
2932	ping.exe
2096	ping.exe
2872	ping.exe
2000	ping.exe
1744	ping.exe
1684	ping.exe
3052	ping.exe
2736	ping.exe
2744	ping.exe
1564	ping.exe
2500	ping.exe
2316	ping.exe
1668	ping.exe
2812	ping.exe
2080	ping.exe
2240	ping.exe
2368	ping.exe
1596	ping.exe
3048	ping.exe
784	ping.exe
2412	ping.exe
1860	ping.exe
2312	ping.exe
1992	ping.exe
536	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2472	Gaara.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
2536	csrss.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
1436	Kazekage.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
1056	system32.exe
2088	smss.exe
2088	smss.exe
2088	smss.exe
2088	smss.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
2088	smss.exe
2612	smss.exe
2472	Gaara.exe
1984	smss.exe
1188	Gaara.exe
2536	csrss.exe
1712	smss.exe
2272	Gaara.exe
2188	csrss.exe
1436	Kazekage.exe
284	smss.exe
572	Gaara.exe
1916	csrss.exe
2336	Kazekage.exe
1056	system32.exe
2092	smss.exe
1560	Gaara.exe
844	csrss.exe
1628	Kazekage.exe
400	system32.exe
900	system32.exe
3064	Kazekage.exe
2840	system32.exe
1564	csrss.exe
884	Kazekage.exe
2312	system32.exe
2960	csrss.exe
3028	Kazekage.exe
2152	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2088	2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe	28
PID 2884 wrote to memory of 2088	2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe	28
PID 2884 wrote to memory of 2088	2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe	28
PID 2884 wrote to memory of 2088	2884	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe	28
PID 2088 wrote to memory of 2612	2088	smss.exe	29
PID 2088 wrote to memory of 2612	2088	smss.exe	29
PID 2088 wrote to memory of 2612	2088	smss.exe	29
PID 2088 wrote to memory of 2612	2088	smss.exe	29
PID 2088 wrote to memory of 2472	2088	smss.exe	30
PID 2088 wrote to memory of 2472	2088	smss.exe	30
PID 2088 wrote to memory of 2472	2088	smss.exe	30
PID 2088 wrote to memory of 2472	2088	smss.exe	30
PID 2472 wrote to memory of 1984	2472	Gaara.exe	31
PID 2472 wrote to memory of 1984	2472	Gaara.exe	31
PID 2472 wrote to memory of 1984	2472	Gaara.exe	31
PID 2472 wrote to memory of 1984	2472	Gaara.exe	31
PID 2472 wrote to memory of 1188	2472	Gaara.exe	32
PID 2472 wrote to memory of 1188	2472	Gaara.exe	32
PID 2472 wrote to memory of 1188	2472	Gaara.exe	32
PID 2472 wrote to memory of 1188	2472	Gaara.exe	32
PID 2472 wrote to memory of 2536	2472	Gaara.exe	33
PID 2472 wrote to memory of 2536	2472	Gaara.exe	33
PID 2472 wrote to memory of 2536	2472	Gaara.exe	33
PID 2472 wrote to memory of 2536	2472	Gaara.exe	33
PID 2536 wrote to memory of 1712	2536	csrss.exe	34
PID 2536 wrote to memory of 1712	2536	csrss.exe	34
PID 2536 wrote to memory of 1712	2536	csrss.exe	34
PID 2536 wrote to memory of 1712	2536	csrss.exe	34
PID 2536 wrote to memory of 2272	2536	csrss.exe	35
PID 2536 wrote to memory of 2272	2536	csrss.exe	35
PID 2536 wrote to memory of 2272	2536	csrss.exe	35
PID 2536 wrote to memory of 2272	2536	csrss.exe	35
PID 2536 wrote to memory of 2188	2536	csrss.exe	36
PID 2536 wrote to memory of 2188	2536	csrss.exe	36
PID 2536 wrote to memory of 2188	2536	csrss.exe	36
PID 2536 wrote to memory of 2188	2536	csrss.exe	36
PID 2536 wrote to memory of 1436	2536	csrss.exe	37
PID 2536 wrote to memory of 1436	2536	csrss.exe	37
PID 2536 wrote to memory of 1436	2536	csrss.exe	37
PID 2536 wrote to memory of 1436	2536	csrss.exe	37
PID 1436 wrote to memory of 284	1436	Kazekage.exe	38
PID 1436 wrote to memory of 284	1436	Kazekage.exe	38
PID 1436 wrote to memory of 284	1436	Kazekage.exe	38
PID 1436 wrote to memory of 284	1436	Kazekage.exe	38
PID 1436 wrote to memory of 572	1436	Kazekage.exe	39
PID 1436 wrote to memory of 572	1436	Kazekage.exe	39
PID 1436 wrote to memory of 572	1436	Kazekage.exe	39
PID 1436 wrote to memory of 572	1436	Kazekage.exe	39
PID 1436 wrote to memory of 1916	1436	Kazekage.exe	40
PID 1436 wrote to memory of 1916	1436	Kazekage.exe	40
PID 1436 wrote to memory of 1916	1436	Kazekage.exe	40
PID 1436 wrote to memory of 1916	1436	Kazekage.exe	40
PID 1436 wrote to memory of 2336	1436	Kazekage.exe	41
PID 1436 wrote to memory of 2336	1436	Kazekage.exe	41
PID 1436 wrote to memory of 2336	1436	Kazekage.exe	41
PID 1436 wrote to memory of 2336	1436	Kazekage.exe	41
PID 1436 wrote to memory of 1056	1436	Kazekage.exe	42
PID 1436 wrote to memory of 1056	1436	Kazekage.exe	42
PID 1436 wrote to memory of 1056	1436	Kazekage.exe	42
PID 1436 wrote to memory of 1056	1436	Kazekage.exe	42
PID 1056 wrote to memory of 2092	1056	system32.exe	43
PID 1056 wrote to memory of 2092	1056	system32.exe	43
PID 1056 wrote to memory of 2092	1056	system32.exe	43
PID 1056 wrote to memory of 2092	1056	system32.exe	43

System policy modification 1 TTPs 12 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system32.exe

C:\Users\Admin\AppData\Local\Temp\997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe
"C:\Users\Admin\AppData\Local\Temp\997d9073490f99d3ab201aab5dc7c0ffa14fa018a003d24495477758c83539a4.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2884
- C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe
  "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2088
- - C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe
    "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2612
- - C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe
    "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2472
  - - C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1984
  - - C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1188
  - - C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Drops file in Drivers directory
      Sets file execution options in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops desktop.ini file(s)
      Enumerates connected drives
      Drops autorun.inf file
      Drops file in System32 directory
      Sets desktop wallpaper using registry
      Drops file in Windows directory
      Modifies Control Panel
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2536
    - - C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1712
    - - C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2272
    - - C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2188
    - - C:\Windows\SysWOW64\drivers\Kazekage.exe
        
        C:\Windows\system32\drivers\Kazekage.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops desktop.ini file(s)
        Enumerates connected drives
        Drops autorun.inf file
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1436
      - C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:284
      - C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:572
      - C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1916
      - C:\Windows\SysWOW64\drivers\Kazekage.exe
        
        C:\Windows\system32\drivers\Kazekage.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
      - C:\Windows\SysWOW64\drivers\system32.exe
        
        C:\Windows\system32\drivers\system32.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Sets file execution options in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops desktop.ini file(s)
        Enumerates connected drives
        Drops autorun.inf file
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Windows directory
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1056
        
        C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\smss.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe
        
        "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\drivers\Kazekage.exe
        
        C:\Windows\system32\drivers\Kazekage.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\drivers\system32.exe
        
        C:\Windows\system32\drivers\system32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        7⤵
        Runs ping.exe
        
        PID:2736
        
        C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        7⤵
        Runs ping.exe
        
        PID:2500
        
        C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        7⤵
        Runs ping.exe
        
        PID:1744
        
        C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        7⤵
        Runs ping.exe
        
        PID:1732
        
        C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        7⤵
        Runs ping.exe
        
        PID:2080
        
        C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        7⤵
        Runs ping.exe
        
        PID:1668
      - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        6⤵
        Runs ping.exe
        
        PID:1760
      - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        6⤵
        Runs ping.exe
        
        PID:1564
      - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        6⤵
        Runs ping.exe
        
        PID:2000
      - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        6⤵
        Runs ping.exe
        
        PID:2800
      - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        6⤵
        Runs ping.exe
        
        PID:2744
      - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        6⤵
        Runs ping.exe
        
        PID:536
    - - C:\Windows\SysWOW64\drivers\system32.exe
        
        C:\Windows\system32\drivers\system32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
    - - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        5⤵
        Runs ping.exe
        
        PID:1684
    - - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        5⤵
        Runs ping.exe
        
        PID:1596
    - - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        5⤵
        Runs ping.exe
        
        PID:2980
    - - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        5⤵
        Runs ping.exe
        
        PID:784
    - - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.rasasayang.com.my 65500
        5⤵
        Runs ping.exe
        
        PID:1580
    - - C:\Windows\SysWOW64\ping.exe
        
        ping -a -l www.duniasex.com 65500
        5⤵
        Runs ping.exe
        
        PID:2312
  - - C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3064
  - - C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2840
  - - C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      4⤵
      Runs ping.exe
      PID:2812
  - - C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      4⤵
      Runs ping.exe
      PID:2368
  - - C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      4⤵
      Runs ping.exe
      PID:2872
  - - C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      4⤵
      Runs ping.exe
      PID:2436
  - - C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      4⤵
      Runs ping.exe
      PID:2316
  - - C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      4⤵
      Runs ping.exe
      PID:2768
- - C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe
    "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Windows\SysWOW64\drivers\Kazekage.exe
    C:\Windows\system32\drivers\Kazekage.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:884
- - C:\Windows\SysWOW64\drivers\system32.exe
    C:\Windows\system32\drivers\system32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2312
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:2240
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:2300
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:3048
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:3052
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500
    3⤵
    - Runs ping.exe
    PID:1872
- - C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500
    3⤵
    - Runs ping.exe
    PID:1860
- C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe
  "C:\Windows\Fonts\Admin 9 - 4 - 2024\Gaara.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1836
- C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe
  "C:\Windows\Fonts\Admin 9 - 4 - 2024\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2960
- C:\Windows\SysWOW64\drivers\Kazekage.exe
  C:\Windows\system32\drivers\Kazekage.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3028
- C:\Windows\SysWOW64\drivers\system32.exe
  C:\Windows\system32\drivers\system32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:1992
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:2932
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2096
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:2308
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.rasasayang.com.my 65500
  2⤵
  - Runs ping.exe
  PID:2412
- C:\Windows\SysWOW64\ping.exe
  ping -a -l www.duniasex.com 65500
  2⤵
  - Runs ping.exe
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry