Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
16/05/2024, 18:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
26 signatures
150 seconds
Behavioral task
behavioral2
Sample
0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
26 signatures
150 seconds
General
-
Target
0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
-
Size
148KB
-
MD5
0d09ae37e89a6005804515dac49b5d70
-
SHA1
b6cb8848086f586d95a8774f92307f577360c525
-
SHA256
2b1fcd17243f1bbb85e245c64eb729494b29f5b0de95d29c91283515b3ff8732
-
SHA512
c6f34d776404416dab09d0219da78fd31d15b715b210c14da4733c7370db0e985048cf10eb9b80dee44e1c47213028f5154d2a15e957254c2a855050d182a418
-
SSDEEP
1536:wJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:Ex6AHjYzaFXg+w17jsgS/jHagQg19V
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\SysWOW64\drivers\system32.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe -
Executes dropped EXE 30 IoCs
pid Process 4156 smss.exe 4916 smss.exe 3984 Gaara.exe 2768 smss.exe 3664 Gaara.exe 4788 csrss.exe 3100 smss.exe 3640 Gaara.exe 3868 csrss.exe 3372 Kazekage.exe 4544 smss.exe 3052 Gaara.exe 1784 csrss.exe 4704 Kazekage.exe 4472 system32.exe 2088 smss.exe 3188 Gaara.exe 2832 csrss.exe 1596 Kazekage.exe 768 system32.exe 2228 system32.exe 4556 Kazekage.exe 1956 system32.exe 3152 csrss.exe 364 Kazekage.exe 2128 system32.exe 2632 Gaara.exe 1208 csrss.exe 3908 Kazekage.exe 4440 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 4156 smss.exe 4916 smss.exe 3984 Gaara.exe 2768 smss.exe 3664 Gaara.exe 4788 csrss.exe 3100 smss.exe 3640 Gaara.exe 3868 csrss.exe 4544 smss.exe 3052 Gaara.exe 1784 csrss.exe 2088 smss.exe 3188 Gaara.exe 2832 csrss.exe 3152 csrss.exe 2632 Gaara.exe 1208 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 16 - 5 - 2024\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 16 - 5 - 2024\\smss.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 16 - 5 - 2024\\Gaara.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 16 - 5 - 2024\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 16 - 5 - 2024\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 16 - 5 - 2024\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "16-5-2024.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "16-5-2024.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "16-5-2024.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 16 - 5 - 2024\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 16 - 5 - 2024\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 16 - 5 - 2024\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 16 - 5 - 2024\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "16-5-2024.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "16-5-2024.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 16 - 5 - 2024\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 16 - 5 - 2024\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "16-5-2024.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\N:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini smss.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\M:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini Kazekage.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\I:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\Y:\Desktop.ini Gaara.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\I:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: system32.exe File opened (read-only) \??\J: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\Z: Kazekage.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\U: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\Z: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\L: Kazekage.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\I: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\O: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\P: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\E: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\L: 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\B: smss.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created \??\I:\Autorun.inf Kazekage.exe File opened for modification \??\V:\Autorun.inf Kazekage.exe File created \??\H:\Autorun.inf smss.exe File created \??\M:\Autorun.inf Gaara.exe File opened for modification \??\L:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf Kazekage.exe File opened for modification \??\Q:\Autorun.inf system32.exe File opened for modification \??\L:\Autorun.inf Gaara.exe File created \??\V:\Autorun.inf smss.exe File created \??\W:\Autorun.inf smss.exe File opened for modification \??\R:\Autorun.inf Gaara.exe File created \??\P:\Autorun.inf Kazekage.exe File created \??\O:\Autorun.inf system32.exe File created \??\X:\Autorun.inf system32.exe File opened for modification \??\R:\Autorun.inf 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created \??\M:\Autorun.inf system32.exe File opened for modification \??\G:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf smss.exe File opened for modification \??\A:\Autorun.inf system32.exe File opened for modification \??\E:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf Kazekage.exe File created \??\B:\Autorun.inf system32.exe File opened for modification \??\H:\Autorun.inf system32.exe File opened for modification \??\R:\Autorun.inf csrss.exe File opened for modification \??\U:\Autorun.inf smss.exe File opened for modification \??\Y:\Autorun.inf csrss.exe File created D:\Autorun.inf system32.exe File created \??\T:\Autorun.inf smss.exe File created \??\E:\Autorun.inf Gaara.exe File opened for modification C:\Autorun.inf csrss.exe File created \??\L:\Autorun.inf csrss.exe File created \??\O:\Autorun.inf Kazekage.exe File created \??\I:\Autorun.inf system32.exe File opened for modification \??\P:\Autorun.inf 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created \??\R:\Autorun.inf 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\V:\Autorun.inf smss.exe File opened for modification \??\W:\Autorun.inf smss.exe File created \??\E:\Autorun.inf csrss.exe File opened for modification F:\Autorun.inf csrss.exe File opened for modification \??\J:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf system32.exe File opened for modification \??\B:\Autorun.inf 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\P:\Autorun.inf system32.exe File opened for modification \??\J:\Autorun.inf smss.exe File opened for modification \??\U:\Autorun.inf Gaara.exe File opened for modification \??\E:\Autorun.inf csrss.exe File opened for modification \??\K:\Autorun.inf csrss.exe File created \??\A:\Autorun.inf Kazekage.exe File opened for modification C:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf Kazekage.exe File opened for modification \??\G:\Autorun.inf smss.exe File opened for modification \??\N:\Autorun.inf system32.exe File created \??\X:\Autorun.inf 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification F:\Autorun.inf smss.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf csrss.exe File opened for modification \??\I:\Autorun.inf Kazekage.exe File opened for modification \??\G:\Autorun.inf system32.exe File created F:\Autorun.inf 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification \??\T:\Autorun.inf 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created \??\K:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File opened for modification D:\Autorun.inf system32.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File created C:\Windows\SysWOW64\16-5-2024.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\SysWOW64\mscomctl.ocx 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\16-5-2024.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\16-5-2024.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\16-5-2024.exe system32.exe File opened for modification C:\Windows\SysWOW64\ 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\16-5-2024.exe Kazekage.exe File created C:\Windows\SysWOW64\Desktop.ini 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\16-5-2024.exe smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\16-5-2024.exe csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\ smss.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe system32.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\ 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe system32.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe Gaara.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe smss.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\msvbvm60.dll smss.exe File created C:\Windows\WBEM\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe system32.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe smss.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\system\msvbvm60.dll 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe File created C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee Gaara.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Size = "72" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\WallpaperStyle = "2" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 2060 ping.exe 1748 ping.exe 4892 ping.exe 2652 ping.exe 1772 ping.exe 2028 ping.exe 1544 ping.exe 2416 ping.exe 2408 ping.exe 2592 ping.exe 904 ping.exe 2524 ping.exe 5064 ping.exe 3144 ping.exe 2988 ping.exe 4872 ping.exe 4392 ping.exe 2760 ping.exe 2644 ping.exe 1200 ping.exe 4888 ping.exe 2028 ping.exe 1864 ping.exe 1196 ping.exe 2104 ping.exe 4556 ping.exe 2456 ping.exe 4920 ping.exe 2448 ping.exe 4596 ping.exe 2088 ping.exe 3068 ping.exe 1184 ping.exe 4532 ping.exe 540 ping.exe 3868 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 4156 smss.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe 3984 Gaara.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 4156 smss.exe 4916 smss.exe 3984 Gaara.exe 2768 smss.exe 3664 Gaara.exe 4788 csrss.exe 3100 smss.exe 3640 Gaara.exe 3868 csrss.exe 3372 Kazekage.exe 4544 smss.exe 3052 Gaara.exe 1784 csrss.exe 4704 Kazekage.exe 4472 system32.exe 2088 smss.exe 3188 Gaara.exe 2832 csrss.exe 1596 Kazekage.exe 768 system32.exe 2228 system32.exe 4556 Kazekage.exe 1956 system32.exe 3152 csrss.exe 364 Kazekage.exe 2128 system32.exe 2632 Gaara.exe 1208 csrss.exe 3908 Kazekage.exe 4440 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 4156 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 86 PID 1820 wrote to memory of 4156 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 86 PID 1820 wrote to memory of 4156 1820 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe 86 PID 4156 wrote to memory of 4916 4156 smss.exe 87 PID 4156 wrote to memory of 4916 4156 smss.exe 87 PID 4156 wrote to memory of 4916 4156 smss.exe 87 PID 4156 wrote to memory of 3984 4156 smss.exe 88 PID 4156 wrote to memory of 3984 4156 smss.exe 88 PID 4156 wrote to memory of 3984 4156 smss.exe 88 PID 3984 wrote to memory of 2768 3984 Gaara.exe 89 PID 3984 wrote to memory of 2768 3984 Gaara.exe 89 PID 3984 wrote to memory of 2768 3984 Gaara.exe 89 PID 3984 wrote to memory of 3664 3984 Gaara.exe 91 PID 3984 wrote to memory of 3664 3984 Gaara.exe 91 PID 3984 wrote to memory of 3664 3984 Gaara.exe 91 PID 3984 wrote to memory of 4788 3984 Gaara.exe 93 PID 3984 wrote to memory of 4788 3984 Gaara.exe 93 PID 3984 wrote to memory of 4788 3984 Gaara.exe 93 PID 4788 wrote to memory of 3100 4788 csrss.exe 95 PID 4788 wrote to memory of 3100 4788 csrss.exe 95 PID 4788 wrote to memory of 3100 4788 csrss.exe 95 PID 4788 wrote to memory of 3640 4788 csrss.exe 96 PID 4788 wrote to memory of 3640 4788 csrss.exe 96 PID 4788 wrote to memory of 3640 4788 csrss.exe 96 PID 4788 wrote to memory of 3868 4788 csrss.exe 97 PID 4788 wrote to memory of 3868 4788 csrss.exe 97 PID 4788 wrote to memory of 3868 4788 csrss.exe 97 PID 4788 wrote to memory of 3372 4788 csrss.exe 98 PID 4788 wrote to memory of 3372 4788 csrss.exe 98 PID 4788 wrote to memory of 3372 4788 csrss.exe 98 PID 3372 wrote to memory of 4544 3372 Kazekage.exe 99 PID 3372 wrote to memory of 4544 3372 Kazekage.exe 99 PID 3372 wrote to memory of 4544 3372 Kazekage.exe 99 PID 3372 wrote to memory of 3052 3372 Kazekage.exe 100 PID 3372 wrote to memory of 3052 3372 Kazekage.exe 100 PID 3372 wrote to memory of 3052 3372 Kazekage.exe 100 PID 3372 wrote to memory of 1784 3372 Kazekage.exe 101 PID 3372 wrote to memory of 1784 3372 Kazekage.exe 101 PID 3372 wrote to memory of 1784 3372 Kazekage.exe 101 PID 3372 wrote to memory of 4704 3372 Kazekage.exe 103 PID 3372 wrote to memory of 4704 3372 Kazekage.exe 103 PID 3372 wrote to memory of 4704 3372 Kazekage.exe 103 PID 3372 wrote to memory of 4472 3372 Kazekage.exe 104 PID 3372 wrote to memory of 4472 3372 Kazekage.exe 104 PID 3372 wrote to memory of 4472 3372 Kazekage.exe 104 PID 4472 wrote to memory of 2088 4472 system32.exe 105 PID 4472 wrote to memory of 2088 4472 system32.exe 105 PID 4472 wrote to memory of 2088 4472 system32.exe 105 PID 4472 wrote to memory of 3188 4472 system32.exe 106 PID 4472 wrote to memory of 3188 4472 system32.exe 106 PID 4472 wrote to memory of 3188 4472 system32.exe 106 PID 4472 wrote to memory of 2832 4472 system32.exe 107 PID 4472 wrote to memory of 2832 4472 system32.exe 107 PID 4472 wrote to memory of 2832 4472 system32.exe 107 PID 4472 wrote to memory of 1596 4472 system32.exe 108 PID 4472 wrote to memory of 1596 4472 system32.exe 108 PID 4472 wrote to memory of 1596 4472 system32.exe 108 PID 4472 wrote to memory of 768 4472 system32.exe 109 PID 4472 wrote to memory of 768 4472 system32.exe 109 PID 4472 wrote to memory of 768 4472 system32.exe 109 PID 4788 wrote to memory of 2228 4788 csrss.exe 110 PID 4788 wrote to memory of 2228 4788 csrss.exe 110 PID 4788 wrote to memory of 2228 4788 csrss.exe 110 PID 3984 wrote to memory of 4556 3984 Gaara.exe 111 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0d09ae37e89a6005804515dac49b5d70_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820 -
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4156 -
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4916
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3984 -
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3664
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4788 -
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3100
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3640
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3868
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3372 -
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4544
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3052
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1784
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4704
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4472 -
C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2088
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3188
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2832
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:768
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:2416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:2456
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:2104
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:1200
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:4392
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:2592
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:4892
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:2028
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:3144
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:2644
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:2028
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:540
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2228
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:2524
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:904
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:1196
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:1184
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:2448
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:4872
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4556
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2760
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:2088
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:4596
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:1772
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:4920
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:2988
-
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3152
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:364
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2128
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:2060
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:1748
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:5064
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:1864
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:4556
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:4888
-
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2632
-
-
C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 16 - 5 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1208
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3908
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4440
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:3868
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:1544
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2652
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:3068
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:4532
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2408
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
148KB
MD55cc251626c8399a007283c7eac6f9407
SHA1ea48db11d3f083bb40a78e1dd503fca5b8608580
SHA256c503d348bcf9ba36afa533ea5396bcfddb98890bd42b2e3985974490fe4c0fc7
SHA512485f8c7d78c7c0512576d3e87491f0e86bdf5bd293813b4d304c358f11c50627159fc88d132bbc1f8b0a7e3cc0e07a1b8898b9a9ab6bd97a56a11c63b5d142e8
-
Filesize
148KB
MD514592fda8d4f7b68cfbfa6e4dc993657
SHA1ab732aeed5700c53474bea7ab7f9f6c86c183372
SHA2564cc96c74f888777611c8ac13a826699531a9facb7ecc513e927b61b8d89c387b
SHA51238bd436559c3bd8b7dc9170bb2256d97bade7baf03385ce20afd8577ed3b5a375c45063ccc55de9e1fe5461a9b44397ecc5a285c3071818b935e466e74444256
-
Filesize
148KB
MD54d7b211b280f726e1b140f429ef29ae2
SHA1e74ec50d2562ec62af8164df01fb87ba87dc2bef
SHA256dd2de1d9133415399248a4f0dd36826a005cdd602375f93823807cbd4e6dcaec
SHA512e232a0edc429382e3bab2a81fb82d0e57671d182b8ae30f1aa40cf933ec6c915dfe6abdbb49b7d7e2f3f37f2ecc00b89915e5bceaadb3403aea2e1cafbb72163
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
148KB
MD5b8b78a87574ed1c5bf5fa699f159e284
SHA10993a6b7ac075532b0d33d0c634ebcd11cb134b5
SHA2563fa4bb648fcff1b7553f72fde9b6c8a6b0c42e9971756848aa7ac990ec456b3e
SHA5122a42315ea30e9960dfe41cae2fff3c3d97474d783e765c79f9e3a4a7940e026fde0ac4c63ef57e1305965766764cfcc3eaff9229d5d2031c3df358e5db3a7a56
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
1.1MB
MD54c11fe4fac79b0b47fd44a85bda4633b
SHA19ee62c2f99ea75da171b0d95c2100ba341d82fe4
SHA256c7b92824fce021a63d13b8bee0a2c9f05dc50387fc5af8d6f019ac48fe960c41
SHA5129a0bca7096c40d6bad9d0fb33e990306e16c3991454dec0031e18f435da88ce7f2d46c0754707da788d3d01712021afaaf37293bd3d6fd2f2bcbc3aef7d776ab
-
Filesize
1.2MB
MD5cf797c1c8d6924150a9952b875fc06f4
SHA11a8ae4881144bd6a4ac4572749646ad677ccef48
SHA256595081af12897aa9e142301d135724a2eb82532e6a1553350bb0528b64cd68ff
SHA51219e4bdf64459a900e5d78951d75139d2c08988c5a86ca62039c96310555848a04cddcb4422f0e3da9d601aa9f5b8d9ccdc9616966b328be600fd2a403d229d5e
-
Filesize
148KB
MD50d09ae37e89a6005804515dac49b5d70
SHA1b6cb8848086f586d95a8774f92307f577360c525
SHA2562b1fcd17243f1bbb85e245c64eb729494b29f5b0de95d29c91283515b3ff8732
SHA512c6f34d776404416dab09d0219da78fd31d15b715b210c14da4733c7370db0e985048cf10eb9b80dee44e1c47213028f5154d2a15e957254c2a855050d182a418
-
Filesize
148KB
MD5356063492f47232553bcf52257036f12
SHA18de1609a5004458cab290d47cb9ffa5b1ab1a8b1
SHA256f9c2f38dd2c416aa64e03e4b864f667a1c1d24e1cd537700d87b68f496ad413e
SHA5120f4c84c0299cbd96ffe316f8dd11e10a05947b095fab32cf06dec61086054e5fb712abeb600eddd0357d74670d46fac9e1e560b88565cad7bb8f32a11c73515e
-
Filesize
148KB
MD5b07e9317e7d2f04a98ac6c9f693d0c11
SHA1d8b2048b597b38a21b59675abbf226c0f8b5a30b
SHA256e04c0615b3bb1fc02f4e5b41a8866954e42a4b1d284277cf78424c80d94549ff
SHA51258ff93b591e3e9f2884db6955046a8159052965a37d2bd2bc5144ed1fa2d72e8df890a575666f3ee341179c9893f14858d155ea41afab2919dcfd5c8143b3a15
-
Filesize
148KB
MD5c54b8dcfdf1b84b9ad70d2ec0da328bb
SHA16415469a37b7cb2b1e29762259fc1030b23ebfcc
SHA256e24828c05cb5f8c6589d191799a9be7de662cb639eaf1f3782c38a83d6b764cf
SHA512245ab691c8d8a9a8cd420c610de6ae4337b060f0d0c6fa5c2f67058922179eefbce2772bfc6a8dd164a05ea4b43fd02c54d45c9d332e3921733f21970fe178fe
-
Filesize
148KB
MD5ce6f2b1c3c48ed7e540eec2ed3f79921
SHA1ab93c7a442b752c7dea1b33b18102a9d1ada0ebb
SHA256ce3498303ae4e53ab27d8af2c51c53f54feb41db0e9e085edd63c274ad629783
SHA5128980d51a424c158cd043674c41b94e8854d9a852a3a64da92505ac0d3c9bc1ea49bb9fe6a1032551ac3b9e644d3f64d089def9c7581ad2a3a132b515d37fe79c
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
148KB
MD5dc01cf994a26499611681abb0579d533
SHA1b26a57cc582ef468ff08353a3aef51644767a168
SHA2562fb3d930268adce2a06c37145d86a11ae81e683ab275ad5dc475ae216f5f1545
SHA51253fcacac94c71ec8a41242bd9880b1223c47dde96a72496142458f89a15da57020898f22b877a8799090026bcc6b918270377b7b8125c41a0dcab9f8f1bc46ad
-
Filesize
148KB
MD59c10e710a8fecd6db430b9672cab8950
SHA17ac49a64f8c0219866e24a8a235ff434055037cb
SHA2560ef4b8277674b88ed3a1d1602392e8e877d2313c69f4c777d6d5e8614a467dda
SHA5124647f9a45b805d3e71bbec446bfe2996f82cd78bf6b54a506f25a55986da6ebad31df0e77b0c39b9a9150186fde139141fb83f7bd3f1c229d87164120fc3187a
-
Filesize
148KB
MD5ad210588fa64971c996a465ebb1cedbd
SHA1ffae9faf4f9b6136237191fb81204f8dca8d9ccd
SHA256b0deca04378d40529e19c0e49c60edc88e96cf274924625ede1ba819761d2249
SHA512edd25c4771af79ca0db4ae0af4e63ef0ab1403b82bbcaeed745208bc593b727c2c284d0d643201f5f7d149efbcb629e5021b6dc2d0f766d9055a703053dc0dd8
-
Filesize
148KB
MD5d43c463b28848b04392a18e44f4fdfb0
SHA181f7415b85896bf86bea747f078587ce50d7056c
SHA256da66435676faef3e6fe99efa8f90fffd263370eae1c710322c32911562557dff
SHA512f4f5aac0b5575fe2c67bfab05fbcbf605204ddc7615f21a437d2331f6231e9560eadf08ec5f19358e67100d9a082aed6c75e058ea7dac44c263d282a9417e198
-
Filesize
148KB
MD56d2531a535460702e3c75f043417f42f
SHA15403bf8c5b419c1d19056e26bda3c1cca056ec15
SHA256d95b78552038696f6edec1082d1d68092ce07007f4951c61e11fcba5104db27f
SHA512ea7f9c84ba49b5c07237b7117f9ea5b12cd21d5daeccc7dfd7436c8a0e39ccc01c720df9e50263b313c842511ed8c51adcdf629c974fde9769d903b645e13b8a
-
Filesize
148KB
MD5c320f67c963271c0eb81f5de015e69ca
SHA1d500e32502eaf0200b206707f82613b42b907548
SHA2565c0ec841c68c9b22b8563c171c8d4f86b1fe4dd0253f087aacb4e149263acdae
SHA512f27d8c779e28970ae7a927b5bd2782e800cd19565b60808c95dc11b9340d1fc7690a8a39338d3e19196459872caea05f80edb18456da393251cccdd5acd73ab8
-
Filesize
148KB
MD5040818ca00f130ef9455d10365beef7b
SHA16efed4bf6cb0e9f71802530e21d586d15a360ecb
SHA2569c5414c7d20ff4654e1f3ec599d515e5c9f0baf67a1e775d6e406fde0a0b6f5d
SHA51234cc699cbffce9a25c860e00f05c7459a3364102e466bccfe662177eb1ace371ad8c5cb7e59beed8edf8de62f9878415ffc5de1f216954f3baecd58d04db9415
-
Filesize
148KB
MD5d136d07a7e5a026a071310456c6718a6
SHA16d8e89de9f62056c114a13baf32e5a537d5bfd42
SHA256cd9162820a06281c2067a3efc6608e548e415444ddbfb9533b62eadf930ba3a9
SHA512f039042e12596cb3de6733bcb1d940031abc7f74a849843f49504a4a339303e63adf6f0783dc210d53a7309bad88ba0fae1ae61d83efbf8257128badb12d7d37
