Analysis
max time kernel: 80s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 16:13
Behavioral task behavioral1
Sample: 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Size: 236KB
MD5: 84d77513ffcc3a3de1ee70285a5a2210
SHA1: fd0d2ab4d05c67862c3122ccb81541f2d44db19d
SHA256: 1d32beb2738933a0b21de3f776b04452b2a555d3435b998bb9020e395467cef9
SHA512: 5f0b6d7c1df05983b545c78b03a00eda154cdb7489b72959681a25d8b33d3cda35cf0286d4e3a9bec695c65c3bb4e52a51d45c72aaf0ec872cce4562bbf58cdd
SSDEEP: 3072:INx6AHjYzaFXg+w17jsgS/jHagQg19Vw+Hkaxu:INxzYzaFXi17jkw+E
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Key prefix \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ omitted from the ioc column.
description | ioc | Process
Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
(signature title missing from the page; the rows set EnableLUA = 0, which switches UAC off) 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Disables use of System Restore points (1 TTP, no IoCs listed)
Drops file in Drivers directory (23 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
Key prefix \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ omitted from the ioc column. Two Debugger values appear: "drivers\\Kazekage.exe" for Windows tools (regedit, taskmgr, msconfig, rstrui, mmc, cscript), so launching the tool runs the dropped worm instead, and "cmd.exe /c del" for the other names, so launching them runs cmd.exe /c del against the target's own path.
description | ioc | Process
Key created | wscript.exe | smss.exe
Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | Funny UST Scandal.exe | Gaara.exe
Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | kspool.exe | Kazekage.exe
Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | HokageFile.exe | Kazekage.exe
Key created | cscript.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | HokageFile.exe | system32.exe
Key created | mmc.exe | system32.exe
Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | wscript.exe | system32.exe
Key created | msconfig.exe | smss.exe
Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | wscript.exe | Kazekage.exe
Key created | regedit.exe | Kazekage.exe
Set value (str) | Rin.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | msconfig.exe | system32.exe
Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | taskmgr.exe | smss.exe
Set value (str) | rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | kspoold.exe | Kazekage.exe
Key created | HOKAGE4.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | Obito.exe | system32.exe
Key created | kspoold.exe | Gaara.exe
Key created | cscript.exe | csrss.exe
Set value (str) | taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | taskmgr.exe | system32.exe
Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | taskmgr.exe | csrss.exe
Key created | Thumbs.com | csrss.exe
Key created | procexp.exe | Kazekage.exe
Set value (str) | HokageFile.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | kspool.exe | system32.exe
Set value (str) | Rin.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | taskmgr.exe | Gaara.exe
Set value (str) | procexp.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | kspool.exe | Gaara.exe
Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | rstrui.exe | Gaara.exe
Key created | kspool.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | taskmgr.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | Funny UST Scandal.exe | Kazekage.exe
Key created | cscript.exe | Gaara.exe
Key created | procexp.exe | csrss.exe
Key created | KakashiHatake.exe | Kazekage.exe
Key created | Obito.exe | Kazekage.exe
Key created | msconfig.exe | Kazekage.exe
Key created | regedit.exe | csrss.exe
Set value (str) | Obito.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Key created | HokageFile.exe | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | procexp.exe\Debugger = "cmd.exe /c del" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | rstrui.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | Funny UST Scandal.avi.exe | Gaara.exe
Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Executes dropped EXE (30 IoCs)
pid | Process
2640 | smss.exe
2456 | smss.exe
2460 | Gaara.exe
1876 | smss.exe
2004 | Gaara.exe
2648 | csrss.exe
1264 | smss.exe
2044 | Gaara.exe
2252 | csrss.exe
1796 | Kazekage.exe
324 | smss.exe
528 | Gaara.exe
2588 | csrss.exe
2088 | Kazekage.exe
1132 | system32.exe
1388 | smss.exe
2384 | Gaara.exe
1160 | csrss.exe
1352 | Kazekage.exe
1856 | system32.exe
2128 | system32.exe
2024 | Kazekage.exe
1524 | system32.exe
2880 | csrss.exe
2908 | Kazekage.exe
1520 | system32.exe
2996 | Gaara.exe
2312 | csrss.exe
2828 | Kazekage.exe
2940 | system32.exe
Loads dropped DLL (61 IoCs, one row per load event, in report order)
pid | Process
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
2640 | smss.exe
2640 | smss.exe
2456 | smss.exe
2640 | smss.exe
2640 | smss.exe
2460 | Gaara.exe
2460 | Gaara.exe
1876 | smss.exe
2004 | Gaara.exe
2460 | Gaara.exe
2460 | Gaara.exe
2648 | csrss.exe
2648 | csrss.exe
1264 | smss.exe
2648 | csrss.exe
2044 | Gaara.exe
2252 | csrss.exe
2648 | csrss.exe
2648 | csrss.exe
1796 | Kazekage.exe
324 | smss.exe
1796 | Kazekage.exe
528 | Gaara.exe
1796 | Kazekage.exe
2588 | csrss.exe
1796 | Kazekage.exe
1796 | Kazekage.exe
1796 | Kazekage.exe
1796 | Kazekage.exe
1132 | system32.exe
1388 | smss.exe
1132 | system32.exe
2384 | Gaara.exe
1132 | system32.exe
1160 | csrss.exe
1132 | system32.exe
1132 | system32.exe
1132 | system32.exe
1132 | system32.exe
2648 | csrss.exe
2648 | csrss.exe
2460 | Gaara.exe
2460 | Gaara.exe
2460 | Gaara.exe
2460 | Gaara.exe
2640 | smss.exe
2880 | csrss.exe
2640 | smss.exe
2640 | smss.exe
2640 | smss.exe
2640 | smss.exe
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
2996 | Gaara.exe
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
2312 | csrss.exe
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
(signature title missing from the page; every row below matches the yara rule upx, i.e. the original and each dropped copy are UPX-packed in memory and on disk) 52 IoCs
resource | yara_rule
behavioral1/memory/1624-0-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x0008000000015db4-30.dat | upx
behavioral1/memory/2640-39-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x0006000000018b15-64.dat | upx
behavioral1/files/0x0006000000018ae8-60.dat | upx
behavioral1/files/0x0007000000016b5e-56.dat | upx
behavioral1/memory/2456-80-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x0007000000015e02-81.dat | upx
behavioral1/memory/2460-90-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1876-126-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2640-83-0x00000000004B0000-0x00000000004EB000-memory.dmp | upx
behavioral1/memory/2004-131-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x0009000000015e5b-132.dat | upx
behavioral1/memory/2648-143-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2460-142-0x0000000000510000-0x000000000054B000-memory.dmp | upx
behavioral1/memory/2640-171-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1624-134-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1264-178-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2044-183-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x0006000000018ae8-187.dat | upx
behavioral1/memory/1796-198-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2460-195-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/324-223-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/324-224-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2648-228-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/528-227-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2588-232-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2088-236-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1132-243-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x0006000000018b15-240.dat | upx
behavioral1/memory/1388-255-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1388-258-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2384-261-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2648-189-0x00000000003B0000-0x00000000003EB000-memory.dmp | upx
behavioral1/memory/2252-186-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1796-266-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1160-264-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1132-271-0x0000000000540000-0x000000000057B000-memory.dmp | upx
behavioral1/memory/1352-270-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2128-276-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1856-274-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1132-280-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2128-279-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1524-288-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2908-294-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2908-295-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1520-300-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2828-310-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2940-314-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2312-306-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2996-305-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x0005000000019377-329.dat | upx
Adds Run key to start application (2 TTPs, 24 IoCs)
Key prefix \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ omitted from the ioc column.
description | ioc | Process
Set value (str) | SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | smss.exe
Set value (str) | FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | 644r4 = "9-5-2024.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | csrss.exe
Set value (str) | 644r4 = "9-5-2024.exe" | csrss.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | 644r4 = "9-5-2024.exe" | Kazekage.exe
Set value (str) | DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | system32.exe
Set value (str) | 644r4 = "9-5-2024.exe" | system32.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | 644r4 = "9-5-2024.exe" | smss.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | smss.exe
Set value (str) | FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | 644r4 = "9-5-2024.exe" | Gaara.exe
Set value (str) | FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | SystemRun = "drivers\\csrss.exe" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) | FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" | system32.exe
Set value (str) | DesertSand = "Fonts\\Admin 9 - 5 - 2024\\smss.exe" | Gaara.exe
(signature title missing from the page; same EnableLUA = 0 writes as above, listed again under a second signature) 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
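Added example, not part of the tria.ge report and not the sample's or tria.ge's code: a small triage script that reads registry IoC rows in the exact text form this page prints them (the Winlogon, Image File Execution Options, EnableLUA and Run tables above), de-duplicates them across the six worm copies, names what each key does on a Windows host, and emits the reg.exe lines that reverse the change. The eight embedded rows are copied from those tables; the row regex, the behaviour labels, the assumption that tria.ge doubles backslashes inside values, and the default values restored (explorer.exe, C:\Windows\system32\userinit.exe, EnableLUA = 1) are this example's own.

```python
"""Parse the registry IoC rows of a tria.ge report into a clean-up plan.
Added example for this page, not tria.ge's or the sample's code; the row regex,
the behaviour table and the restore defaults are this example's assumptions."""
import re

# Constructed sample: eight rows copied verbatim from the report's signature tables.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 9 - 5 - 2024\\Gaara.exe" smss.exe
"""

ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<kind>str|int)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.*?)'    # keys may contain spaces ("Windows NT", "Funny UST Scandal.exe")
    r'(?: = "(?P<value>.*)")?'     # only "Set value" rows carry a quoted value
    r' (?P<process>\S+)$'          # the writing process is always the last token
)
IFEO = "\\Image File Execution Options\\"
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}

def parse_rows(text):
    """One dict per row. tria.ge prints backslashes inside values doubled; undo that."""
    records = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        value = None if m["value"] is None else m["value"].replace("\\\\", "\\")
        records.append({"op": m["op"], "key": m["key"], "value": value, "process": m["process"]})
    return records

def classify(key):
    """Effect of the key on a Windows host (standard semantics, assumed here)."""
    if IFEO in key:
        return "ifeo-debugger-hijack" if key.endswith("\\Debugger") else "ifeo-key"
    if key.endswith(("\\Winlogon\\Shell", "\\Winlogon\\Userinit")):
        return "winlogon-persistence"
    if "\\CurrentVersion\\Run\\" in key:
        return "run-key-persistence"
    if key.endswith("\\Policies\\System\\EnableLUA"):
        return "uac-disabled"
    if key.endswith("\\Policies\\System\\DisableRegistryTools"):
        return "regedit-disabled"
    if key.endswith(("\\Advanced\\HideFileExt", "\\Advanced\\ShowSuperHidden")):
        return "explorer-hiding"
    return "other"

def ifeo_hijacks(records):
    """{target image: debugger}, de-duplicated across the worm's copies.
    A Debugger of 'cmd.exe /c del' makes Windows run 'cmd.exe /c del <target path>'
    instead of the target, deleting it; 'drivers\\Kazekage.exe' swaps the tool for the worm."""
    hijacks = {}
    for r in records:
        if classify(r["key"]) == "ifeo-debugger-hijack":
            target = r["key"][r["key"].index(IFEO) + len(IFEO):-len("\\Debugger")]
            hijacks[target] = r["value"]
    return hijacks

def to_reg_path(key):
    """Translate the native NT key path tria.ge prints into reg.exe syntax."""
    for nt, short in HIVES.items():
        if key.startswith(nt):
            return short + key[len(nt):]
    raise ValueError(f"unknown hive in {key!r}")

def remediation_commands(records):
    """reg.exe lines that undo the parsed changes, de-duplicated, in row order.
    Restore values are stock Windows defaults: confirm them on a known-clean host
    of the same build before running this on a victim (assumption)."""
    cmds = []
    for r in records:
        kind, path = classify(r["key"]), to_reg_path(r["key"])
        parent, _, name = path.rpartition("\\")
        if kind == "ifeo-key":
            cmd = f'reg delete "{path}" /v Debugger /f'
        elif kind in ("ifeo-debugger-hijack", "run-key-persistence", "regedit-disabled"):
            cmd = f'reg delete "{parent}" /v {name} /f'
        elif kind == "winlogon-persistence":
            default = "explorer.exe" if name == "Shell" else "C:\\Windows\\system32\\userinit.exe,"
            cmd = f'reg add "{parent}" /v {name} /t REG_SZ /d "{default}" /f'
        elif kind == "uac-disabled":
            cmd = f'reg add "{parent}" /v {name} /t REG_DWORD /d 1 /f'
        else:
            continue  # HideFileExt=1 and ShowSuperHidden=0 are already the Explorer defaults
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds

if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    print(ifeo_hijacks(recs))
    print("\n".join(remediation_commands(recs)))
```

Two caveats when using the output on a real host. The sample is 32-bit (arch:x86 tag) and ran on a 64-bit image, so its Winlogon and Run writes landed under Wow6432Node; Explorer still processes that Run key at logon, but the 64-bit winlogon.exe reads the native Winlogon key, so check both locations rather than only the paths the report prints. And because the Debugger values for regedit.exe, taskmgr.exe, msconfig.exe, rstrui.exe, mmc.exe and cscript.exe point at the dropped worm, and the one for procexp.exe at cmd.exe /c del, remove the IFEO values (reg.exe itself is not hijacked on this page) before launching any of those tools on the infected machine.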
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\S:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\A:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\U:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\U:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\Z:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\Q:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | system32.exe
File opened for modification | \??\K:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | system32.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\S:\Desktop.ini | Kazekage.exe
File opened for modification | D:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\L:\Desktop.ini | smss.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\B:\Desktop.ini | csrss.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | C:\Desktop.ini | system32.exe
File opened for modification | \??\E:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 34 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
-
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main system32.exe
-
Modifies registry class 48 IoCs
Runs ping.exe 1 TTPs 34 IoCs
pid | Process
ping.exe was started 34 times, under PIDs: 2112, 1996, 968, 2768, 748, 1768, 2812, 2376, 528, 1500, 1644, 2072, 1516, 2828, 1516, 2024, 648, 1248, 1628, 2856, 2508, 1804, 2080, 1604, 2532, 2632, 948, 2456, 2020, 2436, 2268, 1672, 2732, 1780
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events (identical rows collapsed)
2460 | Gaara.exe | 12
2648 | csrss.exe | 12
1796 | Kazekage.exe | 12
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe | 12
1132 | system32.exe | 12
2640 | smss.exe | 4
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
2640 | smss.exe
2456 | smss.exe
2460 | Gaara.exe
1876 | smss.exe
2004 | Gaara.exe
2648 | csrss.exe
1264 | smss.exe
2044 | Gaara.exe
2252 | csrss.exe
1796 | Kazekage.exe
324 | smss.exe
528 | Gaara.exe
2588 | csrss.exe
2088 | Kazekage.exe
1132 | system32.exe
1388 | smss.exe
2384 | Gaara.exe
1160 | csrss.exe
1352 | Kazekage.exe
1856 | system32.exe
2128 | system32.exe
2024 | Kazekage.exe
1524 | system32.exe
2880 | csrss.exe
2908 | Kazekage.exe
1520 | system32.exe
2996 | Gaara.exe
2312 | csrss.exe
2828 | Kazekage.exe
2940 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row was logged 4 times; identical rows collapsed)
PID 1624 wrote to memory of 2640 | 1624 | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe | 28
PID 2640 wrote to memory of 2456 | 2640 | smss.exe | 29
PID 2640 wrote to memory of 2460 | 2640 | smss.exe | 30
PID 2460 wrote to memory of 1876 | 2460 | Gaara.exe | 31
PID 2460 wrote to memory of 2004 | 2460 | Gaara.exe | 32
PID 2460 wrote to memory of 2648 | 2460 | Gaara.exe | 33
PID 2648 wrote to memory of 1264 | 2648 | csrss.exe | 34
PID 2648 wrote to memory of 2044 | 2648 | csrss.exe | 35
PID 2648 wrote to memory of 2252 | 2648 | csrss.exe | 36
PID 2648 wrote to memory of 1796 | 2648 | csrss.exe | 37
PID 1796 wrote to memory of 324 | 1796 | Kazekage.exe | 38
PID 1796 wrote to memory of 528 | 1796 | Kazekage.exe | 39
PID 1796 wrote to memory of 2588 | 1796 | Kazekage.exe | 40
PID 1796 wrote to memory of 2088 | 1796 | Kazekage.exe | 41
PID 1796 wrote to memory of 1132 | 1796 | Kazekage.exe | 42
PID 1132 wrote to memory of 1388 | 1132 | system32.exe | 43
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
Processes
Process tree, indented by depth. Each entry shows the image path, the command line and the PID, followed by the signatures that fired for that process.

C:\Users\Admin\AppData\Local\Temp\84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe" | PID 1624
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe" | PID 2640
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe" | PID 2456
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe" | PID 2460
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe" | PID 1876
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe" | PID 2004
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe" | PID 2648
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe" | PID 1264
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe" | PID 2044
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe" | PID 2252
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | PID 1796
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe" | PID 324
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe" | PID 528
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe" | PID 2588
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | PID 2088
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | PID 1132
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe" | PID 1388
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe" | PID 2384
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe" | PID 1160
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | PID 1352
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | PID 1856
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 948
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 1516
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 1516
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2024
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 1780
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 1644
              - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2828
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2768
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2436
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2532
            - Runs ping.exe
        C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | PID 2128
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2812
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2112
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2020
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 968
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 1604
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 1500
          - Runs ping.exe
      C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | PID 2024
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | PID 1524
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 1672
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 1768
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 1996
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2508
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 1248
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 1628
        - Runs ping.exe
    C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe" | PID 2880
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | PID 2908
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | PID 1520
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2732
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2632
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 1804
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2376
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2080
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 528
      - Runs ping.exe
  C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe" | PID 2996
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe | "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe" | PID 2312
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\system32\drivers\Kazekage.exe | PID 2828
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\system32\drivers\system32.exe | PID 2940
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2072
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2268
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 2456
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 2856
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe | ping -a -l www.rasasayang.com.my 65500 | PID 648
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe | ping -a -l www.duniasex.com 65500 | PID 748
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads