Analysis
max time kernel: 147s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/05/2024, 18:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Size: 148KB
MD5: 0d09ae37e89a6005804515dac49b5d70
SHA1: b6cb8848086f586d95a8774f92307f577360c525
SHA256: 2b1fcd17243f1bbb85e245c64eb729494b29f5b0de95d29c91283515b3ff8732
SHA512: c6f34d776404416dab09d0219da78fd31d15b715b210c14da4733c7370db0e985048cf10eb9b80dee44e1c47213028f5154d2a15e957254c2a855050d182a418
SSDEEP: 1536:wJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:Ex6AHjYzaFXg+w17jsgS/jHagQg19V
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
Sets file execution options in registry (2 TTPs, 64 IoCs)
Executes dropped EXE (30 IoCs)
Loads dropped DLL (62 IoCs)
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
Modifies registry class 48 IoCs
Runs ping.exe 1 TTPs 36 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2352 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 2540 smss.exe 308 smss.exe 1952 Gaara.exe 2948 smss.exe 2660 Gaara.exe 2472 csrss.exe 2788 smss.exe 1920 Gaara.exe 1484 csrss.exe 1392 Kazekage.exe 2412 smss.exe 1792 Gaara.exe 268 csrss.exe 336 Kazekage.exe 956 system32.exe 300 smss.exe 556 Gaara.exe 412 csrss.exe 1096 Kazekage.exe 2304 system32.exe 2208 system32.exe 1508 Kazekage.exe 1760 system32.exe 2884 csrss.exe 1356 Kazekage.exe 3044 system32.exe 820 Gaara.exe 1784 csrss.exe 884 Kazekage.exe 2256 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2540 2352 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 28 PID 2352 wrote to memory of 2540 2352 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 28 PID 2352 wrote to memory of 2540 2352 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 28 PID 2352 wrote to memory of 2540 2352 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 28 PID 2540 wrote to memory of 308 2540 smss.exe 29 PID 2540 wrote to memory of 308 2540 smss.exe 29 PID 2540 wrote to memory of 308 2540 smss.exe 29 PID 2540 wrote to memory of 308 2540 smss.exe 29 PID 2540 wrote to memory of 1952 2540 smss.exe 30 PID 2540 wrote to memory of 1952 2540 smss.exe 30 PID 2540 wrote to memory of 1952 2540 smss.exe 30 PID 2540 wrote to memory of 1952 2540 smss.exe 30 PID 1952 wrote to memory of 2948 1952 Gaara.exe 31 PID 1952 wrote to memory of 2948 1952 Gaara.exe 31 PID 1952 wrote to memory of 2948 1952 Gaara.exe 31 PID 1952 wrote to memory of 2948 1952 Gaara.exe 31 PID 1952 wrote to memory of 2660 1952 Gaara.exe 32 PID 1952 wrote to memory of 2660 1952 Gaara.exe 32 PID 1952 wrote to memory of 2660 1952 Gaara.exe 32 PID 1952 wrote to memory of 2660 1952 Gaara.exe 32 PID 1952 wrote to memory of 2472 1952 Gaara.exe 33 PID 1952 wrote to memory of 2472 1952 Gaara.exe 33 PID 1952 wrote to memory of 2472 1952 Gaara.exe 33 PID 1952 wrote to memory of 2472 1952 Gaara.exe 33 PID 2472 wrote to memory of 2788 2472 csrss.exe 34 PID 2472 wrote to memory of 2788 2472 csrss.exe 34 PID 2472 wrote to memory of 2788 2472 csrss.exe 34 PID 2472 wrote to memory of 2788 2472 csrss.exe 34 PID 2472 wrote to memory of 1920 2472 csrss.exe 35 PID 2472 wrote to memory of 1920 2472 csrss.exe 35 PID 2472 wrote to memory of 1920 2472 csrss.exe 35 PID 2472 wrote to memory of 1920 2472 csrss.exe 35 PID 2472 wrote to memory of 1484 2472 csrss.exe 36 PID 2472 wrote to memory of 1484 2472 csrss.exe 36 PID 2472 wrote to memory of 1484 2472 csrss.exe 36 PID 2472 wrote to memory of 1484 2472 csrss.exe 36 PID 2472 wrote to memory of 1392 2472 csrss.exe 37 PID 2472 wrote to memory of 1392 2472 csrss.exe 37 PID 2472 wrote to memory of 1392 2472 csrss.exe 37 PID 2472 wrote to memory of 1392 2472 csrss.exe 37 PID 1392 wrote to memory of 2412 1392 Kazekage.exe 38 PID 1392 wrote to memory of 2412 1392 Kazekage.exe 38 PID 1392 wrote to memory of 2412 1392 Kazekage.exe 38 PID 1392 wrote to memory of 2412 1392 Kazekage.exe 38 PID 1392 wrote to memory of 1792 1392 Kazekage.exe 39 PID 1392 wrote to memory of 1792 1392 Kazekage.exe 39 PID 1392 wrote to memory of 1792 1392 Kazekage.exe 39 PID 1392 wrote to memory of 1792 1392 Kazekage.exe 39 PID 1392 wrote to memory of 268 1392 Kazekage.exe 40 PID 1392 wrote to memory of 268 1392 Kazekage.exe 40 PID 1392 wrote to memory of 268 1392 Kazekage.exe 40 PID 1392 wrote to memory of 268 1392 Kazekage.exe 40 PID 1392 wrote to memory of 336 1392 Kazekage.exe 41 PID 1392 wrote to memory of 336 1392 Kazekage.exe 41 PID 1392 wrote to memory of 336 1392 Kazekage.exe 41 PID 1392 wrote to memory of 336 1392 Kazekage.exe 41 PID 1392 wrote to memory of 956 1392 Kazekage.exe 42 PID 1392 wrote to memory of 956 1392 Kazekage.exe 42 PID 1392 wrote to memory of 956 1392 Kazekage.exe 42 PID 1392 wrote to memory of 956 1392 Kazekage.exe 42 PID 956 wrote to memory of 300 956 system32.exe 43 PID 956 wrote to memory of 300 956 system32.exe 43 PID 956 wrote to memory of 300 956 system32.exe 43 PID 956 wrote to memory of 300 956 system32.exe 43
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe (level 1): "C:\Users\Admin\AppData\Local\Temp\0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2352
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe (level 2): "C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2540
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe (level 3): "C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 308
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe (level 3): "C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1952
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe (level 4): "C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 2948
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe (level 4): "C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 2660
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe (level 4): "C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2472
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe (level 5): "C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 2788
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe (level 5): "C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1920
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe (level 5): "C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1484
C:\Windows\SysWOW64\drivers\Kazekage.exe (level 5): C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1392
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe (level 6): "C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 2412
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe (level 6): "C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1792
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe (level 6): "C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 268
C:\Windows\SysWOW64\drivers\Kazekage.exe (level 6): C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 336
C:\Windows\SysWOW64\drivers\system32.exe (level 6): C:\Windows\system32\drivers\system32.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 956
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe (level 7): "C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 300
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe (level 7): "C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 556
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe (level 7): "C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 412
C:\Windows\SysWOW64\drivers\Kazekage.exe (level 7): C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1096
C:\Windows\SysWOW64\drivers\system32.exe (level 7): C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2304
C:\Windows\SysWOW64\ping.exe (level 7): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 1056
C:\Windows\SysWOW64\ping.exe (level 7): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 1848
C:\Windows\SysWOW64\ping.exe (level 7): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2564
C:\Windows\SysWOW64\ping.exe (level 7): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2064
C:\Windows\SysWOW64\ping.exe (level 7): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 1956
C:\Windows\SysWOW64\ping.exe (level 7): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2816
C:\Windows\SysWOW64\ping.exe (level 6): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2340
C:\Windows\SysWOW64\ping.exe (level 6): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 1880
C:\Windows\SysWOW64\ping.exe (level 6): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2464
C:\Windows\SysWOW64\ping.exe (level 6): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2952
C:\Windows\SysWOW64\ping.exe (level 6): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2828
C:\Windows\SysWOW64\ping.exe (level 6): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2400
C:\Windows\SysWOW64\drivers\system32.exe (level 5): C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2208
C:\Windows\SysWOW64\ping.exe (level 5): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2800
C:\Windows\SysWOW64\ping.exe (level 5): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 556
C:\Windows\SysWOW64\ping.exe (level 5): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 1708
C:\Windows\SysWOW64\ping.exe (level 5): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 816
C:\Windows\SysWOW64\ping.exe (level 5): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2404
C:\Windows\SysWOW64\ping.exe (level 5): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2340
C:\Windows\SysWOW64\drivers\Kazekage.exe (level 4): C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1508
C:\Windows\SysWOW64\drivers\system32.exe (level 4): C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1760
C:\Windows\SysWOW64\ping.exe (level 4): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2652
C:\Windows\SysWOW64\ping.exe (level 4): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2840
C:\Windows\SysWOW64\ping.exe (level 4): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2416
C:\Windows\SysWOW64\ping.exe (level 4): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 1512
C:\Windows\SysWOW64\ping.exe (level 4): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 564
C:\Windows\SysWOW64\ping.exe (level 4): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2940
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe (level 3): "C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 2884
C:\Windows\SysWOW64\drivers\Kazekage.exe (level 3): C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1356
C:\Windows\SysWOW64\drivers\system32.exe (level 3): C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 3044
C:\Windows\SysWOW64\ping.exe (level 3): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2476
C:\Windows\SysWOW64\ping.exe (level 3): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2488
C:\Windows\SysWOW64\ping.exe (level 3): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2816
C:\Windows\SysWOW64\ping.exe (level 3): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 540
C:\Windows\SysWOW64\ping.exe (level 3): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2896
C:\Windows\SysWOW64\ping.exe (level 3): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 784
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe (level 2): "C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 820
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe (level 2): "C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1784
C:\Windows\SysWOW64\drivers\Kazekage.exe (level 2): C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 884
C:\Windows\SysWOW64\drivers\system32.exe (level 2): C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2256
C:\Windows\SysWOW64\ping.exe (level 2): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2376
C:\Windows\SysWOW64\ping.exe (level 2): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2168
C:\Windows\SysWOW64\ping.exe (level 2): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2788
C:\Windows\SysWOW64\ping.exe (level 2): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2632
C:\Windows\SysWOW64\ping.exe (level 2): ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID: 2792
C:\Windows\SysWOW64\ping.exe (level 2): ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID: 2964
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (1)
    - Disable or Modify Tools (1)
  - Modify Registry (9)
Downloads