Analysis
- max time kernel: 86s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/05/2024, 21:42

Static task: static1

Behavioral task: behavioral1
- Sample: 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en

General
- Target: 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe
- Size: 148KB
- MD5: 0af008378c2571e67cc4ae7b903aa300
- SHA1: 357b7f5038366f44e3126fe518d9124b1a0d950d
- SHA256: fbe333bc3f5376af88a3e9c016f82c1430cd3028437130e455078a9a2870249f
- SHA512: 05584ecfdb49b24719a82c3e21eb0bf0f71e452d1c45cdd96d5294e79dc7f0e8243da6acc9d68faf4a3f104bc2dca47c7a45166aa707ee214ab77dc8ea126c42
- SSDEEP: 1536:XJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:5x6AHjYzaFXg+w17jsgS/jHagQg19V
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe |
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe |
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
Disables RegEdit via registry modification 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe |
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
Sets file execution options in registry 2 TTPs 64 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe |
Executes dropped EXE 30 IoCs

| pid | Process |
|---|---|
| 2544 | smss.exe |
| 2960 | smss.exe |
| 2980 | Gaara.exe |
| 2844 | smss.exe |
| 2840 | Gaara.exe |
| 2100 | csrss.exe |
| 1720 | smss.exe |
| 1916 | Gaara.exe |
| 2324 | csrss.exe |
| 1900 | Kazekage.exe |
| 2312 | smss.exe |
| 1188 | Gaara.exe |
| 2160 | csrss.exe |
| 1784 | Kazekage.exe |
| 1960 | system32.exe |
| 1044 | smss.exe |
| 1944 | Gaara.exe |
| 1796 | csrss.exe |
| 1804 | Kazekage.exe |
| 1080 | system32.exe |
| 1160 | system32.exe |
| 2204 | Kazekage.exe |
| 2644 | system32.exe |
| 2372 | csrss.exe |
| 1724 | Kazekage.exe |
| 3000 | system32.exe |
| 1700 | Gaara.exe |
| 2892 | csrss.exe |
| 864 | Kazekage.exe |
| 2496 | system32.exe |
Loads dropped DLL 60 IoCs
Adds Run key to start application 2 TTPs 24 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 5 - 2024\\Gaara.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 5 - 2024\\smss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 5 - 2024\\Gaara.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 5 - 2024\\Gaara.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-5-2024.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 5 - 2024\\smss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-5-2024.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-5-2024.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 5 - 2024\\Gaara.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 5 - 2024\\smss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 5 - 2024\\smss.exe" | 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 5 - 2024\\Gaara.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 5 - 2024\\smss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-5-2024.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 28 - 5 - 2024\\smss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-5-2024.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 28 - 5 - 2024\\Gaara.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "28-5-2024.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe |
Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows AutoRun to spread further via attached volumes: an Autorun.inf at the root of a volume names a program for the shell to launch, or to offer as the default action, when that volume is opened, so a copy written to every reachable drive travels with the drive to the next host.
description ioc Process (paths are logged as \??\X:\Autorun.inf; D: and F: appear as plain drive paths; sample = 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe)

Process         Autorun.inf created on     Autorun.inf opened for modification on
sample          D, G, M, N                 E, K, L, M, O, V, Y, Z
smss.exe        D, X                       H, L, P, W, X
Gaara.exe       B, E, G, T, U, X           A, B, G, O, R, S, X, Y
csrss.exe       S                          E, S
Kazekage.exe    H, J, P, R, S, X           A, F, G, K, N, O, Q, V, W, X
system32.exe    B, K, N, X, Z              A, F, G, L, M, U, W
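The mechanism this section describes, as an added example (not code from the report or from the sample): a reader for Autorun.inf that lists every entry that leads to execution, flags payloads that live on the volume itself, and a `scan_roots` sweep over mounted drives. The INI content, the `drivers\csrss.exe` target and the function names are assumptions made for illustration; the report shows only that Autorun.inf files were written, not what they contained.

```python
"""Inspect an Autorun.inf and list what it would hand to the Windows shell.

Added example, not part of the sandbox report.  The report shows only that
Autorun.inf was created or modified on drive roots, not its contents, so
SAMPLE_AUTORUN_INF is constructed; the 'drivers\\csrss.exe' target in it is
an assumption, not an observed value.
"""
import os
import re
import string

# [autorun] keys that make Explorer launch something, or offer it as the
# default double-click action for the volume, when the root is opened.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$")
ABSOLUTE = re.compile(r"^([A-Za-z]:|%[^%]+%|\\)")   # drive, %var%, or rooted path

SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample, not the file observed in the sandbox run
open=drivers\\csrss.exe
shellexecute=drivers\\csrss.exe
shell\\open\\command=drivers\\csrss.exe
shell\\explore\\command=drivers\\csrss.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
useautoplay=1
"""


def parse_autorun_inf(text: str) -> dict:
    """Return {key: value} for the [autorun] section.

    Section and key names are compared case-insensitively, as Windows does.
    A hand-rolled reader is used instead of configparser so that keys
    containing backslashes and values containing '%' pass through untouched.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """(trigger, command) pairs for every key that leads to code execution."""
    targets = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            targets.append((key, value))
        else:
            m = SHELL_CMD.match(key)
            if m:
                targets.append(("shell\\" + m.group("verb").lower(), value))
    return targets


def points_into_volume(command: str) -> bool:
    """True when the command names a file relative to the volume root, i.e.
    the payload travels with the volume, which is what the Autorun.inf
    drop is for."""
    command = command.strip()
    if not command:
        return False
    exe = command[1:].split('"', 1)[0] if command[0] == '"' else command.split()[0]
    return ABSOLUTE.match(exe) is None


def scan_roots(roots=None) -> dict:
    """Read Autorun.inf from each root (default: every mounted drive letter
    on a Windows host) and return {root: [(trigger, command, on_volume)]}."""
    if roots is None:
        roots = [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]
    findings = {}
    for root in roots:
        path = os.path.join(root, "Autorun.inf")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun_inf(fh.read())
        findings[root] = [(t, c, points_into_volume(c)) for t, c in launch_targets(entries)]
    return findings


if __name__ == "__main__":
    for trigger, cmd in launch_targets(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print(f"{trigger:<16} -> {cmd}  (payload on volume: {points_into_volume(cmd)})")
```

Since Windows 7, and on XP and Vista after the February 2011 update KB971029, AutoRun no longer executes autorun.inf commands from USB mass-storage devices, only from optical media, so on a patched host the open= line alone does not start the payload from a USB stick; the sweep still matters for optical media, unpatched hosts, and for finding the dropped copy before a user double-clicks it. Setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for every drive type.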
Drops file in System32 directory 38 IoCs
description ioc Process (all six = sample, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe; sample = 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe)

C:\Windows\SysWOW64\28-5-2024.exe
    created by: sample
    opened for modification by: all six
C:\Windows\SysWOW64\msvbvm60.dll
    created by: all six
    opened for modification by: all six
C:\Windows\SysWOW64\mscomctl.ocx
    opened for modification by: all six
C:\Windows\SysWOW64\Desktop.ini
    created by: sample
    opened for modification by: all six
C:\Windows\SysWOW64\ (directory)
    opened for modification by: all six

The executable name 28-5-2024.exe matches the date of the run (28/05/2024), so it will differ on every infected host. msvbvm60.dll is the Visual Basic 6 runtime and mscomctl.ocx the VB6 common-controls library; dropping private copies of both alongside the payload is consistent with a VB6 binary that wants to run on hosts where the runtime is absent.
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"
    set by: 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe
Drops file in Windows directory 64 IoCs
description ioc Process (all six = sample, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe; sample = 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe)

C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe
    created by: sample, smss.exe, Gaara.exe, Kazekage.exe, system32.exe
    opened for modification by: sample, smss.exe, Gaara.exe, Kazekage.exe, system32.exe
C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe
    created by: sample, smss.exe, Gaara.exe, Kazekage.exe, system32.exe
    opened for modification by: sample, smss.exe, csrss.exe, Kazekage.exe, system32.exe
C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe
    created by: sample, csrss.exe, Gaara.exe, system32.exe
    opened for modification by: smss.exe, Gaara.exe, system32.exe
C:\Windows\Fonts\Admin 28 - 5 - 2024\msvbvm60.dll
    created by: sample, smss.exe, Kazekage.exe, system32.exe
C:\Windows\Fonts\The Kazekage.jpg
    created by: sample
    opened for modification by: sample, smss.exe, csrss.exe, Gaara.exe
C:\Windows\msvbvm60.dll
    created by: sample
    opened for modification by: sample, Kazekage.exe, system32.exe
C:\Windows\mscomctl.ocx
    opened for modification by: sample, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe
C:\Windows\system\msvbvm60.dll
    created by: sample
    opened for modification by: sample, smss.exe, csrss.exe, system32.exe
C:\Windows\system\mscoree.dll
    opened for modification by: all six
C:\Windows\WBEM\msvbvm60.dll
    created by: smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe
C:\Windows\ (directory)
    opened for modification by: smss.exe, csrss.exe, Kazekage.exe

The copies named smss.exe and csrss.exe live under C:\Windows\Fonts\Admin 28 - 5 - 2024\, not in C:\Windows\System32, which is where the genuine Session Manager and client/server runtime binaries reside.
Modifies Control Panel 64 IoCs
description ioc Process (all keys under \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\; all six = sample, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe; sample = 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe)

Key created: Desktop
    by: sample, smss.exe, csrss.exe, Kazekage.exe, system32.exe
Key created: Screen Saver.Marquee
    by: smss.exe, Gaara.exe, Kazekage.exe, system32.exe
Set value (str) Desktop\SCRNSAVE.EXE = "ssmarque.scr"
    by: sample, smss.exe, csrss.exe, Kazekage.exe, system32.exe
Set value (str) Desktop\ScreenSaveTimeOut = "400"
    by: sample, smss.exe, Gaara.exe, Kazekage.exe, system32.exe
Set value (str) Desktop\WallpaperStyle = "2"
    by: sample, smss.exe, csrss.exe, Gaara.exe, system32.exe
Set value (str) Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"
    by: sample, smss.exe, csrss.exe, Kazekage.exe, system32.exe
Set value (str) Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"
    by: sample, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe
Set value (str) Screen Saver.Marquee\Mode.EXE = "1"
    by: sample, smss.exe, Kazekage.exe, system32.exe
Set value (str) Screen Saver.Marquee\Size = "72"
    by: all six
Set value (str) Screen Saver.Marquee\Speed = "4"
    by: all six
Set value (str) Screen Saver.Marquee\TextColor = "255 0 0"
    by: csrss.exe, Gaara.exe, system32.exe
Set value (str) Screen Saver.Marquee\BackgroundColor = "0 0 0"
    by: sample, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe
Set value (str) Screen Saver.Marquee\Font = "Blackadder ITC"
    by: smss.exe, csrss.exe, Gaara.exe, Kazekage.exe
Set value (str) Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"
    by: smss.exe, Kazekage.exe

Taken together these values select the Marquee screen saver (ssmarque.scr) after 400 seconds of idle time, set its scrolling message, and point the desktop wallpaper at the dropped image.
Modifies the Internet Explorer window title (12 IoCs)
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main
    by: 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"
    by: 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe
Modifies registry class 48 IoCs
description ioc Process (all keys under \REGISTRY\MACHINE\SOFTWARE\Classes\; every key is created, and its default value set, by each of the six processes: 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe)

Key                                     Default value set
inffile\shell\Install\command           "shutdown -r -f -t 0"
VBSFile\Shell\Open\Command              "calc.exe"
VBSFile\Shell\Open2\Command             "calc.exe"
VBSFile\Shell\Edit\Command              "calc.exe"

Effect: the Open, Open2 and Edit verbs for .vbs files launch calc.exe instead of the script host or editor, so no VBScript file can be run or edited through Explorer, and the Install verb on a .inf file forces an immediate reboot. Because these are machine-wide class registrations, every user on the host is affected, and they survive removal of the executables until the values are restored.
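The four handler rewrites above, as an added check that is not part of the report: parse a regedit export of the affected classes and compare the program each default value launches with the image expected on a clean host. The sample export and the expected images are this example's own assumptions (stock Windows 7 defaults as recalled, to be confirmed against a clean build); the function names are hypothetical.

```python
"""Audit the shell handlers this sample rewrites, from a `reg export` file.

Added example, not part of the sandbox report.  On a suspect host export the
two classes (`reg export HKCR\\VBSFile vbs.reg`, `reg export HKCR\\inffile
inf.reg`) and run audit_handlers() over the text.  SAMPLE_REG is constructed
to mirror the values the report lists plus one untouched key; EXPECTED_IMAGE
holds the stock Windows 7 handler images as the author of this example
recalls them, and should be confirmed against a clean image of the same build.
"""
import re

# key (compared case-insensitively) -> image the default value should launch
EXPECTED_IMAGE = {
    r"HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command": "wscript.exe",
    r"HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command": "cscript.exe",
    r"HKEY_CLASSES_ROOT\VBSFile\Shell\Edit\Command": "notepad.exe",
    r"HKEY_CLASSES_ROOT\inffile\shell\Install\command": "infdefaultinstall.exe",
    r"HKEY_CLASSES_ROOT\inffile\shell\open\command": "notepad.exe",
}

# Constructed export: the four values from the report plus an untouched
# REG_EXPAND_SZ default, which regedit writes as hex(2): UTF-16LE bytes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="calc.exe"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command]
@="calc.exe"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Edit\Command]
@="calc.exe"

[HKEY_CLASSES_ROOT\inffile\shell\Install\command]
@="shutdown -r -f -t 0"

[HKEY_CLASSES_ROOT\inffile\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
  54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,00
"""

ESCAPE = re.compile(r"\\(.)")   # .reg strings escape '\' and '"' with a backslash


def _decode_hex_value(spec: str) -> str:
    """'hex(2):41,00,...' -> str (REG_EXPAND_SZ as comma-separated UTF-16LE)."""
    body = spec.split(":", 1)[1]
    data = bytes.fromhex("".join(b.strip() for b in body.split(",") if b.strip()))
    return data.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> dict:
    """{key (lower-cased): default value} for every key with an '@=' line.
    Handles quoted REG_SZ strings and hex(2) values, including regedit's
    backslash line continuation; other value types are ignored."""
    defaults, key, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:                     # continuation lines
            pending += line.strip()
            if pending.endswith("\\"):
                pending = pending[:-1]
                continue
            defaults[key] = _decode_hex_value(pending)
            pending = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith("@="):
            value = line[2:]
            if value.startswith('"') and value.endswith('"'):
                defaults[key] = ESCAPE.sub(r"\1", value[1:-1])
            elif value.lower().startswith("hex(2):"):
                if value.endswith("\\"):
                    pending = value[:-1]
                else:
                    defaults[key] = _decode_hex_value(value)
    return defaults


def command_image(command: str) -> str:
    """Lower-cased basename of the program a shell command string launches."""
    command = command.strip()
    if not command:
        return ""
    exe = command[1:].split('"', 1)[0] if command[0] == '"' else command.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_handlers(reg_text: str) -> dict:
    """{key: (image, 'ok' | 'hijacked')} for every audited key in the export."""
    expected = {k.lower(): v for k, v in EXPECTED_IMAGE.items()}
    results = {}
    for key, value in parse_reg_export(reg_text).items():
        if key in expected:
            image = command_image(value)
            results[key] = (image, "ok" if image == expected[key] else "hijacked")
    return results


if __name__ == "__main__":
    for key, (image, verdict) in audit_handlers(SAMPLE_REG).items():
        print(f"{verdict:<8} {key}  ->  {image}")
```

Comparing the launched image rather than the whole string keeps the check stable across REG_SZ and REG_EXPAND_SZ encodings and across hosts whose defaults differ only in path case or quoting; a key missing from the export is reported as nothing at all, so list the keys you expect and treat silence as a finding in its own right.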
Runs ping.exe 1 TTPs 28 IoCs
pid Process: 28 instances of ping.exe with PIDs 2664, 1524, 2804, 2456, 2848, 1968, 292, 1036, 2224, 1684, 2680, 2960, 1056, 1756, 1948, 2836, 2588, 1344, 2304, 1188, 1480, 2860, 2908, 2940, 1964, 524, 1920, 824.
The command lines are not shown in this section, so the purpose of the pings cannot be determined from this page alone. PIDs 2960 and 1188 also appear below as smss.exe and Gaara.exe: process IDs were reused during the run, so a PID on its own does not identify an image.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process                                               entries
1900  Kazekage.exe                                          12
3024  0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe   12
1960  system32.exe                                          12
2544  smss.exe                                              12
2980  Gaara.exe                                             12
2100  csrss.exe                                             4 (list cut at the 64-entry cap)
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process (31 processes, grouped by image, in the order logged)
0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe   3024
smss.exe                                              2544, 2960, 2844, 1720, 2312, 1044
Gaara.exe                                             2980, 2840, 1916, 1188, 1944, 1700
csrss.exe                                             2100, 2324, 2160, 1796, 2372, 2892
Kazekage.exe                                          1900, 1784, 1804, 2204, 1724, 864
system32.exe                                          1960, 1080, 1160, 2644, 3000, 2496
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3024 (0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe) wrote to memory of PID 2544, procid_target 28
PID 2544 (smss.exe) wrote to memory of PID 2960, procid_target 29
PID 2544 (smss.exe) wrote to memory of PID 2980, procid_target 30
PID 2980 (Gaara.exe) wrote to memory of PID 2844, procid_target 31
PID 2980 (Gaara.exe) wrote to memory of PID 2840, procid_target 32
PID 2980 (Gaara.exe) wrote to memory of PID 2100, procid_target 33
PID 2100 (csrss.exe) wrote to memory of PID 1720, procid_target 34
PID 2100 (csrss.exe) wrote to memory of PID 1916, procid_target 35
PID 2100 (csrss.exe) wrote to memory of PID 2324, procid_target 36
PID 2100 (csrss.exe) wrote to memory of PID 1900, procid_target 37
PID 1900 (Kazekage.exe) wrote to memory of PID 2312, procid_target 38
PID 1900 (Kazekage.exe) wrote to memory of PID 1188, procid_target 39
PID 1900 (Kazekage.exe) wrote to memory of PID 2160, procid_target 40
PID 1900 (Kazekage.exe) wrote to memory of PID 1784, procid_target 41
PID 1900 (Kazekage.exe) wrote to memory of PID 1960, procid_target 42
PID 1960 (system32.exe) wrote to memory of PID 1044, procid_target 43
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe
Processes
(Indentation shows parent/child depth; each entry gives the image path, the command line as executed, the PID and the signatures it triggered.)

[PID 3024] C:\Users\Admin\AppData\Local\Temp\0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0af008378c2571e67cc4ae7b903aa300_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  [PID 2544] C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe
    cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [PID 2960] C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe
      cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

    [PID 2980] C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe
      cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      [PID 2844] C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe
        cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

      [PID 2840] C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe
        cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

      [PID 2100] C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe
        cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [PID 1720] C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe
          cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

        [PID 1916] C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe
          cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

        [PID 2324] C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe
          cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

        [PID 1900] C:\Windows\SysWOW64\drivers\Kazekage.exe
          cmdline: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification

          [PID 2312] C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe
            cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

          [PID 1188] C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe
            cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

          [PID 2160] C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe
            cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

          [PID 1784] C:\Windows\SysWOW64\drivers\Kazekage.exe
            cmdline: C:\Windows\system32\drivers\Kazekage.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          [PID 1960] C:\Windows\SysWOW64\drivers\system32.exe
            cmdline: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

            [PID 1044] C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe
              cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

            [PID 1944] C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe
              cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

            [PID 1796] C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe
              cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx

            [PID 1804] C:\Windows\SysWOW64\drivers\Kazekage.exe
              cmdline: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

            [PID 1080] C:\Windows\SysWOW64\drivers\system32.exe
              cmdline: C:\Windows\system32\drivers\system32.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

            [PID 2224] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

            [PID 2940] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

            [PID 2960] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

            [PID 524] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

            [PID 1480] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe

            [PID 2804] C:\Windows\SysWOW64\ping.exe
              cmdline: ping -a -l www.duniasex.com 65500
              - Runs ping.exe

          [PID 1056] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

          [PID 1036] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

          [PID 1948] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe

          [PID 1756] C:\Windows\SysWOW64\ping.exe
            cmdline: ping -a -l www.duniasex.com 65500
            - Runs ping.exe

        [PID 1160] C:\Windows\SysWOW64\drivers\system32.exe
          cmdline: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        [PID 1524] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe

        [PID 824] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - Runs ping.exe

        [PID 1344] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe

        [PID 2908] C:\Windows\SysWOW64\ping.exe
          cmdline: ping -a -l www.duniasex.com 65500
          - Runs ping.exe

      [PID 2204] C:\Windows\SysWOW64\drivers\Kazekage.exe
        cmdline: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      [PID 2644] C:\Windows\SysWOW64\drivers\system32.exe
        cmdline: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      [PID 2664] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

      [PID 2680] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

      [PID 1964] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

      [PID 2304] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

      [PID 292] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe

      [PID 1684] C:\Windows\SysWOW64\ping.exe
        cmdline: ping -a -l www.duniasex.com 65500
        - Runs ping.exe

    [PID 2372] C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe
      cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

    [PID 1724] C:\Windows\SysWOW64\drivers\Kazekage.exe
      cmdline: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    [PID 3000] C:\Windows\SysWOW64\drivers\system32.exe
      cmdline: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    [PID 2836] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

    [PID 2848] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - Runs ping.exe

    [PID 1968] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe

    [PID 1188] C:\Windows\SysWOW64\ping.exe
      cmdline: ping -a -l www.duniasex.com 65500
      - Runs ping.exe

  [PID 1700] C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe
    cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx

  [PID 2892] C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe
    cmdline: "C:\Windows\Fonts\Admin 28 - 5 - 2024\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx

  [PID 864] C:\Windows\SysWOW64\drivers\Kazekage.exe
    cmdline: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  [PID 2496] C:\Windows\SysWOW64\drivers\system32.exe
    cmdline: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  [PID 2456] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe

  [PID 1920] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    - Runs ping.exe

  [PID 2860] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe

  [PID 2588] C:\Windows\SysWOW64\ping.exe
    cmdline: ping -a -l www.duniasex.com 65500
    - Runs ping.exe

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (9)
Downloads