Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/05/2024, 10:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ee24f786714000111146a1a260147745_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
26 signatures
150 seconds
Behavioral task
behavioral2
Sample
ee24f786714000111146a1a260147745_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
26 signatures
150 seconds
General
-
Target
ee24f786714000111146a1a260147745_NeikiAnalytics.exe
-
Size
145KB
-
MD5
ee24f786714000111146a1a260147745
-
SHA1
215aece16ee06eeac9ba46d39e6e23704c747fe2
-
SHA256
3a253fb4fcd87497dd4d8d4b2aaba8560b6d8457a38165a1eabd77c47fb37eef
-
SHA512
4e2d15e9998ab60cb835fd8bfb98ed56717c39c7c1455f5e9f3a393067513eded754cb2f0091c157c5f2be67d6e5848a4d37ee5d5b33df3beef1c9b6090ab57f
-
SSDEEP
1536:GJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:mx6AHjYzaFXg+w17jsgS/jHagQg19V
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\SysWOW64\drivers\system32.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe csrss.exe -
Executes dropped EXE 30 IoCs
pid Process 2524 smss.exe 2420 smss.exe 2912 Gaara.exe 348 smss.exe 1996 Gaara.exe 2040 csrss.exe 1228 smss.exe 296 Gaara.exe 2628 csrss.exe 2164 Kazekage.exe 1028 smss.exe 592 Gaara.exe 1484 csrss.exe 1680 Kazekage.exe 832 system32.exe 2844 smss.exe 1704 Gaara.exe 1248 csrss.exe 1540 Kazekage.exe 1928 system32.exe 1916 system32.exe 1888 Kazekage.exe 1452 system32.exe 1148 csrss.exe 628 Kazekage.exe 1420 system32.exe 332 Gaara.exe 2700 csrss.exe 1944 Kazekage.exe 1732 system32.exe -
Loads dropped DLL 64 IoCs
pid Process 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2524 smss.exe 2524 smss.exe 2420 smss.exe 2524 smss.exe 2524 smss.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 348 smss.exe 2912 Gaara.exe 1996 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 1228 smss.exe 2040 csrss.exe 2040 csrss.exe 296 Gaara.exe 2040 csrss.exe 2628 csrss.exe 2040 csrss.exe 2040 csrss.exe 2164 Kazekage.exe 2164 Kazekage.exe 1028 smss.exe 2164 Kazekage.exe 2164 Kazekage.exe 592 Gaara.exe 2164 Kazekage.exe 2164 Kazekage.exe 1484 csrss.exe 2164 Kazekage.exe 2164 Kazekage.exe 2164 Kazekage.exe 2164 Kazekage.exe 832 system32.exe 2844 smss.exe 832 system32.exe 1704 Gaara.exe 832 system32.exe 1248 csrss.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 2040 csrss.exe 2040 csrss.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2524 smss.exe 1148 csrss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 332 Gaara.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 5 - 2024\\Gaara.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-5-2024.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 5 - 2024\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-5-2024.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-5-2024.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 5 - 2024\\smss.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-5-2024.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 5 - 2024\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-5-2024.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 5 - 2024\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 5 - 2024\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 5 - 2024\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 5 - 2024\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 5 - 2024\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-5-2024.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 5 - 2024\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 5 - 2024\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 5 - 2024\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\W:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\S:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\G:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\Z:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini Kazekage.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\Q:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini Kazekage.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\E:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini csrss.exe File opened for modification F:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\U:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini system32.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification \??\M:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\V:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\I:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\E:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini system32.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\Z: Kazekage.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\E: Gaara.exe File opened (read-only) \??\W: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\E: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\N: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\S: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\Q: Gaara.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\O: system32.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\P: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\K: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\U: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\K: system32.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\P: Gaara.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\M: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\V: system32.exe File opened (read-only) \??\L: Kazekage.exe File opened (read-only) \??\T: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\Q: ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\B: csrss.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\M:\Autorun.inf Gaara.exe File opened for modification \??\O:\Autorun.inf Gaara.exe File opened for modification \??\V:\Autorun.inf Kazekage.exe File opened for modification C:\Autorun.inf csrss.exe File opened for modification F:\Autorun.inf csrss.exe File created \??\Z:\Autorun.inf system32.exe File opened for modification \??\G:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\P:\Autorun.inf smss.exe File opened for modification \??\N:\Autorun.inf Gaara.exe File opened for modification \??\T:\Autorun.inf Kazekage.exe File opened for modification \??\X:\Autorun.inf system32.exe File opened for modification C:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\N:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\T:\Autorun.inf smss.exe File opened for modification \??\G:\Autorun.inf Kazekage.exe File opened for modification \??\T:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf smss.exe File opened for modification D:\Autorun.inf smss.exe File created \??\J:\Autorun.inf Gaara.exe File created \??\K:\Autorun.inf Gaara.exe File opened for modification \??\U:\Autorun.inf Gaara.exe File opened for modification \??\T:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf system32.exe File opened for modification \??\Z:\Autorun.inf csrss.exe File created F:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\J:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\P:\Autorun.inf csrss.exe File created \??\K:\Autorun.inf Kazekage.exe File opened for modification \??\W:\Autorun.inf system32.exe File created \??\V:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created D:\Autorun.inf smss.exe File created \??\N:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf Gaara.exe File created \??\M:\Autorun.inf Gaara.exe File opened for modification F:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\W:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf Gaara.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File created \??\T:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf system32.exe File created \??\V:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\J:\Autorun.inf smss.exe File created \??\J:\Autorun.inf Kazekage.exe File opened for modification \??\M:\Autorun.inf csrss.exe File created \??\W:\Autorun.inf csrss.exe File created \??\K:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf smss.exe File opened for modification \??\V:\Autorun.inf smss.exe File created \??\V:\Autorun.inf smss.exe File opened for modification \??\W:\Autorun.inf Gaara.exe File opened for modification \??\O:\Autorun.inf Kazekage.exe File created \??\U:\Autorun.inf smss.exe File created \??\L:\Autorun.inf Gaara.exe File opened for modification \??\I:\Autorun.inf Kazekage.exe File created \??\Z:\Autorun.inf ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification \??\A:\Autorun.inf smss.exe File opened for modification \??\I:\Autorun.inf smss.exe File created \??\H:\Autorun.inf system32.exe File opened for modification \??\L:\Autorun.inf system32.exe File opened for modification \??\G:\Autorun.inf smss.exe -
Drops file in System32 directory 38 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File created C:\Windows\SysWOW64\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\20-5-2024.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\ ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\20-5-2024.exe smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\20-5-2024.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\20-5-2024.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\20-5-2024.exe system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File created C:\Windows\SysWOW64\20-5-2024.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\20-5-2024.exe csrss.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\system\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe smss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\ Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe Gaara.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File created C:\Windows\Fonts\The Kazekage.jpg ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe Gaara.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\mscomctl.ocx ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe smss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\ csrss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe Gaara.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe smss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe system32.exe File opened for modification C:\Windows\ ee24f786714000111146a1a260147745_NeikiAnalytics.exe File opened for modification C:\Windows\Fonts\Admin 20 - 5 - 2024\msvbvm60.dll ee24f786714000111146a1a260147745_NeikiAnalytics.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 20 - 5 - 2024\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "2" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Size = "72" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Speed = "4" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop smss.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe -
Modifies registry class 48 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe -
Runs ping.exe 1 TTPs 32 IoCs
pid Process 2488 ping.exe 2976 ping.exe 628 ping.exe 1904 ping.exe 2256 ping.exe 2444 ping.exe 1720 ping.exe 2800 ping.exe 1048 ping.exe 2460 ping.exe 2888 ping.exe 1648 ping.exe 2280 ping.exe 2944 ping.exe 540 ping.exe 608 ping.exe 2660 ping.exe 592 ping.exe 2148 ping.exe 2360 ping.exe 2492 ping.exe 2544 ping.exe 1948 ping.exe 488 ping.exe 2332 ping.exe 1756 ping.exe 2004 ping.exe 2372 ping.exe 2924 ping.exe 1520 ping.exe 1572 ping.exe 1600 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2912 Gaara.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 2040 csrss.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 832 system32.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe 2524 smss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 2524 smss.exe 2420 smss.exe 2912 Gaara.exe 348 smss.exe 1996 Gaara.exe 2040 csrss.exe 1228 smss.exe 296 Gaara.exe 2628 csrss.exe 2164 Kazekage.exe 1028 smss.exe 592 Gaara.exe 1484 csrss.exe 1680 Kazekage.exe 832 system32.exe 2844 smss.exe 1704 Gaara.exe 1248 csrss.exe 1540 Kazekage.exe 1928 system32.exe 1916 system32.exe 1888 Kazekage.exe 1452 system32.exe 1148 csrss.exe 628 Kazekage.exe 1420 system32.exe 332 Gaara.exe 2700 csrss.exe 1944 Kazekage.exe 1732 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2524 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 2524 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 2524 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 2524 2100 ee24f786714000111146a1a260147745_NeikiAnalytics.exe 28 PID 2524 wrote to memory of 2420 2524 smss.exe 29 PID 2524 wrote to memory of 2420 2524 smss.exe 29 PID 2524 wrote to memory of 2420 2524 smss.exe 29 PID 2524 wrote to memory of 2420 2524 smss.exe 29 PID 2524 wrote to memory of 2912 2524 smss.exe 30 PID 2524 wrote to memory of 2912 2524 smss.exe 30 PID 2524 wrote to memory of 2912 2524 smss.exe 30 PID 2524 wrote to memory of 2912 2524 smss.exe 30 PID 2912 wrote to memory of 348 2912 Gaara.exe 31 PID 2912 wrote to memory of 348 2912 Gaara.exe 31 PID 2912 wrote to memory of 348 2912 Gaara.exe 31 PID 2912 wrote to memory of 348 2912 Gaara.exe 31 PID 2912 wrote to memory of 1996 2912 Gaara.exe 32 PID 2912 wrote to memory of 1996 2912 Gaara.exe 32 PID 2912 wrote to memory of 1996 2912 Gaara.exe 32 PID 2912 wrote to memory of 1996 2912 Gaara.exe 32 PID 2912 wrote to memory of 2040 2912 Gaara.exe 33 PID 2912 wrote to memory of 2040 2912 Gaara.exe 33 PID 2912 wrote to memory of 2040 2912 Gaara.exe 33 PID 2912 wrote to memory of 2040 2912 Gaara.exe 33 PID 2040 wrote to memory of 1228 2040 csrss.exe 34 PID 2040 wrote to memory of 1228 2040 csrss.exe 34 PID 2040 wrote to memory of 1228 2040 csrss.exe 34 PID 2040 wrote to memory of 1228 2040 csrss.exe 34 PID 2040 wrote to memory of 296 2040 csrss.exe 35 PID 2040 wrote to memory of 296 2040 csrss.exe 35 PID 2040 wrote to memory of 296 2040 csrss.exe 35 PID 2040 wrote to memory of 296 2040 csrss.exe 35 PID 2040 wrote to memory of 2628 2040 csrss.exe 36 PID 2040 wrote to memory of 2628 2040 csrss.exe 36 PID 2040 wrote to memory of 2628 2040 csrss.exe 36 PID 2040 wrote to memory of 2628 2040 csrss.exe 36 PID 2040 wrote to memory of 2164 2040 csrss.exe 37 PID 2040 wrote to memory of 2164 2040 csrss.exe 37 PID 2040 wrote to memory of 2164 2040 csrss.exe 37 PID 2040 wrote to memory of 2164 2040 csrss.exe 37 PID 2164 wrote to memory of 1028 2164 Kazekage.exe 38 PID 2164 wrote to memory of 1028 2164 Kazekage.exe 38 PID 2164 wrote to memory of 1028 2164 Kazekage.exe 38 PID 2164 wrote to memory of 1028 2164 Kazekage.exe 38 PID 2164 wrote to memory of 592 2164 Kazekage.exe 39 PID 2164 wrote to memory of 592 2164 Kazekage.exe 39 PID 2164 wrote to memory of 592 2164 Kazekage.exe 39 PID 2164 wrote to memory of 592 2164 Kazekage.exe 39 PID 2164 wrote to memory of 1484 2164 Kazekage.exe 40 PID 2164 wrote to memory of 1484 2164 Kazekage.exe 40 PID 2164 wrote to memory of 1484 2164 Kazekage.exe 40 PID 2164 wrote to memory of 1484 2164 Kazekage.exe 40 PID 2164 wrote to memory of 1680 2164 Kazekage.exe 41 PID 2164 wrote to memory of 1680 2164 Kazekage.exe 41 PID 2164 wrote to memory of 1680 2164 Kazekage.exe 41 PID 2164 wrote to memory of 1680 2164 Kazekage.exe 41 PID 2164 wrote to memory of 832 2164 Kazekage.exe 42 PID 2164 wrote to memory of 832 2164 Kazekage.exe 42 PID 2164 wrote to memory of 832 2164 Kazekage.exe 42 PID 2164 wrote to memory of 832 2164 Kazekage.exe 42 PID 832 wrote to memory of 2844 832 system32.exe 43 PID 832 wrote to memory of 2844 832 system32.exe 43 PID 832 wrote to memory of 2844 832 system32.exe 43 PID 832 wrote to memory of 2844 832 system32.exe 43 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ee24f786714000111146a1a260147745_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee24f786714000111146a1a260147745_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ee24f786714000111146a1a260147745_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100 -
C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524 -
C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2420
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2912 -
C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:348
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1996
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040 -
C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1228
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:296
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2164 -
C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1028
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:592
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1680
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:832 -
C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1704
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1248
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:1648
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:2148
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- Runs ping.exe
PID:1048
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- Runs ping.exe
PID:2944
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:540
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:488
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- Runs ping.exe
PID:2372
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- Runs ping.exe
PID:2444
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1916
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:1520
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:1572
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:628
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:2660
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- Runs ping.exe
PID:2488
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- Runs ping.exe
PID:2280
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1888
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1452
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2888
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:2460
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2976
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:608
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- Runs ping.exe
PID:2924
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- Runs ping.exe
PID:2492
-
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1148
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:628
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:1948
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:2004
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:1756
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:2360
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- Runs ping.exe
PID:592
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- Runs ping.exe
PID:1904
-
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:332
-
-
C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 5 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2700
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1732
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:2332
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2544
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:1600
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2256
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- Runs ping.exe
PID:1720
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- Runs ping.exe
PID:2800
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
145KB
MD5ee24f786714000111146a1a260147745
SHA1215aece16ee06eeac9ba46d39e6e23704c747fe2
SHA2563a253fb4fcd87497dd4d8d4b2aaba8560b6d8457a38165a1eabd77c47fb37eef
SHA5124e2d15e9998ab60cb835fd8bfb98ed56717c39c7c1455f5e9f3a393067513eded754cb2f0091c157c5f2be67d6e5848a4d37ee5d5b33df3beef1c9b6090ab57f
-
Filesize
145KB
MD5b8821b96a5da875c86905baba7f0a9e7
SHA1952af6c4562048c04326feda2aecb24c149af3bf
SHA256712c9dc7dba6f69e22a9bda9eb93d7a25a531d2884da88fcef36699d36d0744b
SHA512c991822a6f59ffda0123fead8ed658e09121caf1e5ba271e5fce7b3fe6ae13f2e8abf006ead7a59917e00b2380f2d92af2998c614c48cf0f860dc04bfff3b228
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
145KB
MD57ea5a31b819013f6e600ed874b6d78f4
SHA1abb0bfae23e548db90031f8ae014d0b2f2534b9b
SHA256bab0306de1472efc4453fa17a3a434c35043edab0d02553ae458d8281a1e0d3e
SHA5125d6e30e9cf12d002b86178a1bd1862475d17086261458ffd45f8cc71c3a8f9f50aa79d134c5399de5ecaf5d1c2d04148e50309e988459ff4895e828b98598325
-
Filesize
145KB
MD5f90b543b6918c35beabbac542e3642f4
SHA14e650e63741c2d159eda2c26cbfdf298126b3143
SHA256e3117cd212463afb27c207c674fa5dcdb140dbe1fc078f3f2ee6679a8993eede
SHA512f087aeeb010b3ef9eb202c608dda708dac1100695db6c4490e6d40122c7943c7460f5775c34836fdbbd64111042a3fbc334fe90694472ccbec67104156815a4b
-
Filesize
145KB
MD5a3af9230160fc7a91df09e89df9f30c0
SHA16c82f740a8ff003eb9688ff5c94eb77fbd9f287c
SHA256d081deb97d719d66aed82730b097f3341af25642f7db0703a61189f90a86965f
SHA51261f8743e7e20b4cef9ea30c7d04e4a884fe06c2b9cd48b1c53e59f502465d1bb665a93c6425b011656e3869f17a0b20fad21753368640dd6903b54572e1fc791
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
145KB
MD5ccb2c0dc36fffc5f46251e693d08600d
SHA1ebceec5fc1cc2f2b20b731de31583e77fd6f0fba
SHA256e15e5d1c9a5a8ada66f445d0977a9b1dd457a87b51252f640a9f0faf50f7de96
SHA512d53e939a2c17e9920f6398ef1f4d5fcd40667137b21e332c857a8a443ddbea759667243b22e58b97f0a0a1b3a69c0c05419924295fe91e4f468dd7a70e805a41
-
Filesize
145KB
MD54ae08a8490db06d1d138a2bb42315c14
SHA1f1dd81f88a00d73b4528041d256fae3beb18cc4c
SHA25656e94596c943dce19a5b4181344671ece71c79d8f36ac6ad1b24cb368768ece2
SHA51209e22234b91590b321092ef7da51645ad6575bd5871f0be79d5f5a53b7505001012e0cd58374f6f06cd95bea2d900e5084b1ce23872c1f96cb34cc547edc9ed6
-
Filesize
145KB
MD50989e77a3af74f39c14e2c918ef9d768
SHA150b9d176cdfa0a3cf0b3cb902dc86ae7a8c8e373
SHA256cd47ed80f1701926af0ff01adb44e9eba19ef3a8a7e9f3cc4706f12b6dba4072
SHA51233e89d0f7b9d24f2372448193c52c52d4f007d77ca20622682cae8c1b4afbba70ee4ac549a3735665c3aab901c074e1b10689b29ab279ee6d4f1b8a3f0ebe14f
-
Filesize
145KB
MD596b0491ee4f1b569ed9ba00251e85400
SHA1b59d54f51b003c73da482115dcaade5ef02f23c5
SHA256808fd887d6832b3aa3482da14c2d2ead1ad228b643868c3e6ceb3bed8d5684d1
SHA5129e62bfd70b25a5c1bf4a1c698cac9b87bc5923e4f8a2003468c2923a9104258778ed1a81c90fc1849534cd17e970ff8ef190c3471ca391c1b9f709facfb5c487
-
Filesize
145KB
MD5dbf97b8968dace49f2eee560929bb6d4
SHA109d995950bc8920ca0a44144b65995a04c4f8516
SHA25640c7589ef2eadf9109bc685df431b417db365a672dbb75b1f2a6aac453367955
SHA512df042592dd08efc8b7ef322a8239a546ac2d2b28af988d115e882f65dff4d929397e38a6e1d89f60b79af14859a2e2c93076cda7c0270fdad7c709f13d4d6e21
-
Filesize
145KB
MD553ead2b8e76ca1771dabdcff2b8861ac
SHA113dadd2a01cc6f4bb18ea6c5b4ab6c56529fca2c
SHA256d162e7382537469c3f56dbd54387422bce5ee3beb8b0c137543f5749b37f70a3
SHA512f1fcbcb34d08059fb06612716eec275f37f644c6c1ecd35194c42ec96dc6759873a369c1a51074201d88c427fe9567af288394d82410680bc1a965147ba72d72
-
Filesize
145KB
MD5d1a70130429628e7ad9c7cd96389d0cf
SHA157c7b83173ec0bec536a47b043eaed46d5842561
SHA2564bc701caaf89f955af5eafd1d17ccbcc4a0b5bbefbc1a4b0c2da512c0fd596b0
SHA5120e6f1342c520297c1ddfd18c24ba87cbe8a93538ca280615bdb8287477a0102b5db8415ce9c44a6e4e35b778d6ad093647e745c405665cf1547c3147f2f4a7a6
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
145KB
MD55b9b1a5b616fee3a491159670c3e247f
SHA130ceb5cb4b8b99d8d0991f6d99deb76cc3cb8e8d
SHA256ae853f9ec8fb6ab3b9f532badc3e9dd8071dc3b1e3df000896d941a102906fa6
SHA5120fc41ee68f92547751b42c0d652456a6c4eab1f4ad946f42a90f8c0b638f43513e03a8ec4c2937f4afe5a901ab037632f293d5e768d64f0093e40fdb7426fd48
-
Filesize
145KB
MD5835a747b0b664a1c25ba21a290a26c2c
SHA1da6b4ceb37f35f4f1ca401e29c7b0117194e0ac9
SHA256c51887c8b7fd9b1f44964156e0f2121321ba8a306010bc440867e64937cfcb73
SHA5120f49cb95b77d86f5cf9676e571bc6e8e35d203191bc8cf698c9f4e1579fffd7d90683e3a0a2f3b6f87605bb5b647828589dbeaceeca46568a657b0855f2c6351
