Analysis
max time kernel: 150s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 20:18

Static task: static1
Behavioral task: behavioral1
  Sample: 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
  Resource: win10v2004-20240508-en
General
Target: 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
Size: 148KB
MD5: 4e16157e70437e950eb4b1137af5777d
SHA1: 0ef6e1ebfabf172f6f594c463a42fa8123c36fba
SHA256: 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c
SHA512: 44b7eebb7d22fce31499678cb30feeae7843a8a241da5dab9a1044ea9bfc919155f4bf929341c45d52b461fa6c9e35d0afd1e6fdcb7a262fef024d7cd0a6df03
SSDEEP: 1536:jJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:Nx6AHjYzaFXg+w17jsgS/jHagQg19V
Malware Config

Signatures (from the windows10-2004_x64 run on resource win10v2004-20240508-en)
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Appends the dropped binaries to the Userinit and Shell values that Winlogon launches at logon. All twelve writes landed in the WOW6432Node view of the key: the sample runs as a 32-bit process (its files also land under SysWOW64), so registry redirection applies, and the native 64-bit winlogon.exe on this image reads only the native Winlogon key. On this x64 run the hijack is therefore inert; on a 32-bit install the same write reaches the key Winlogon actually reads.
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
Set value (str) Userinit = "userinit.exe,drivers\\system32.exe" by: smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, system32.exe
Set value (str) Shell = "Explorer.exe, drivers\\csrss.exe" by: system32.exe, csrss.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe, Gaara.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
Hides file extensions in Explorer for this user (HideFileExt = 1), so a dropped Gaara.exe or csrss.exe is shown without its .exe suffix.
Key: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Set value (int) HideFileExt = "1" by: smss.exe, system32.exe, Gaara.exe, csrss.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
Turns off the display of protected operating system files (ShowSuperHidden = 0), so anything the sample marks hidden+system stays out of view in Explorer.
Key: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Set value (int) ShowSuperHidden = "0" by: csrss.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe, system32.exe, Gaara.exe
Disables UAC via registry modification (EnableLUA = 0) 6 IoCs
Sets the machine-wide UAC switch to 0; the change takes effect at the next restart. Policies\System is a shared (non-redirected) key, so the 32-bit writer reaches the real value here, unlike the Winlogon and Run writes.
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int) EnableLUA = "0" by: Gaara.exe, csrss.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe, system32.exe
Disables RegEdit via registry modification 6 IoCs
Per-user policy that makes regedit.exe refuse to start; together with the Image File Execution Options entries for regedit.exe and regedt32.exe below, manual inspection of the registry from this account is blocked.
Key: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int) DisableRegistryTools = "1" by: Gaara.exe, csrss.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe, system32.exe
Disables use of System Restore points 1 TTPs
(no IoCs listed)
Drops file in Drivers directory 24 IoCs
system32.exe and Kazekage.exe are written to C:\Windows\SysWOW64\drivers, the directory a 32-bit process lands in when it targets the system directory on x64. The names this sample uses (system32.exe here, smss.exe and csrss.exe elsewhere) imitate Windows components that run only from C:\Windows\System32; an image with one of those names under a drivers directory is a reliable host indicator.
C:\Windows\SysWOW64\drivers\system32.exe
  File created by: 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
  File opened for modification by: csrss.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe, Gaara.exe, Kazekage.exe, system32.exe
C:\Windows\SysWOW64\drivers\Kazekage.exe
  File created by: Kazekage.exe, system32.exe, smss.exe, csrss.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, Gaara.exe
  File opened for modification by: smss.exe, csrss.exe, system32.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, Gaara.exe
Sets file execution options in registry 2 TTPs 64 IoCs
When Image File Execution Options\<image>\Debugger is set, process creation starts the debugger string with the original command line appended instead of the requested program. Two patterns appear here. Debugger = "cmd.exe /c del" for procexp.exe, kspool.exe, kspoold.exe, Thumbs.com, Obito.exe, Rin.exe, HOKAGE4.exe, HokageFile.exe, KakashiHatake.exe and Funny UST Scandal.avi.exe means that launching a file of that name deletes it. Debugger = "drivers\\Kazekage.exe" for taskmgr.exe, regedit.exe, regedt32.exe, msconfig.exe and mmc.exe replaces the administrative tool with the dropped Kazekage.exe. Keys for rstrui.exe, wscript.exe, cscript.exe and Funny UST Scandal.exe are created but no Debugger value for them is listed. This key is shared between the 32- and 64-bit registry views, so unlike the Winlogon and Run writes it is not redirected and applies to every launch.
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>
<image> | Key created by | Debugger value set by
taskmgr.exe | Gaara.exe, system32.exe | "drivers\\Kazekage.exe": Kazekage.exe
regedit.exe | csrss.exe | "drivers\\Kazekage.exe": 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
regedt32.exe | smss.exe, system32.exe | "drivers\\Kazekage.exe": 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
msconfig.exe | Gaara.exe, Kazekage.exe, csrss.exe, smss.exe | "drivers\\Kazekage.exe": 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
mmc.exe | system32.exe | "drivers\\Kazekage.exe": Gaara.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe
procexp.exe | Gaara.exe, smss.exe, csrss.exe | "cmd.exe /c del": Gaara.exe, system32.exe
kspool.exe | Kazekage.exe | "cmd.exe /c del": smss.exe
kspoold.exe | Gaara.exe, system32.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, csrss.exe, smss.exe | "cmd.exe /c del": csrss.exe
Thumbs.com | Gaara.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe | "cmd.exe /c del": smss.exe, Gaara.exe
Obito.exe | csrss.exe, Kazekage.exe | "cmd.exe /c del": Kazekage.exe, system32.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
Rin.exe | smss.exe, csrss.exe | "cmd.exe /c del": Kazekage.exe
HOKAGE4.exe | system32.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, Gaara.exe | "cmd.exe /c del": smss.exe, system32.exe
HokageFile.exe | Gaara.exe, smss.exe | "cmd.exe /c del": Kazekage.exe, smss.exe
KakashiHatake.exe | system32.exe | "cmd.exe /c del": 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, csrss.exe
Funny UST Scandal.avi.exe | system32.exe | "cmd.exe /c del": system32.exe, Kazekage.exe
Funny UST Scandal.exe | system32.exe | (none listed)
rstrui.exe | system32.exe, Kazekage.exe, Gaara.exe | (none listed)
wscript.exe | 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe | (none listed)
cscript.exe | 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe | (none listed)
Executes dropped EXE 30 IoCs
Six instances of each of the five dropped names ran during the analysis window.
Process: pids
smss.exe: 2604, 3372, 3736, 2252, 2280, 1220
Gaara.exe: 4084, 1392, 2988, 4752, 4868, 396
csrss.exe: 3768, 2844, 1572, 2648, 2904, 4196
Kazekage.exe: 3144, 5072, 3220, 2916, 3308, 1624
system32.exe: 4168, 4520, 1580, 1452, 3360, 1504
Loads dropped DLL 18 IoCs
Only the smss.exe, Gaara.exe and csrss.exe instances load a dropped DLL; the Kazekage.exe and system32.exe instances do not appear here.
Process: pids
smss.exe: 2604, 3372, 3736, 2252, 2280, 1220
Gaara.exe: 4084, 1392, 2988, 4752, 4868, 396
csrss.exe: 3768, 2844, 1572, 2648, 2904, 4196
Adds Run key to start application 2 TTPs 24 IoCs
Four values in the WOW6432Node Run key, which 64-bit Explorer processes alongside the native one, so these are executed at logon on this x64 image. The 644r4, DesertSand and FreeAV paths embed the run date (29-5-2024 matches the submission date above), so those file names change from day to day and are not stable indicators; the value names and the drivers\\csrss.exe path are.
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str) 644r4 = "29-5-2024.exe" by: csrss.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, system32.exe, Gaara.exe, smss.exe, Kazekage.exe
Set value (str) DesertSand = "Fonts\\Admin 29 - 5 - 2024\\smss.exe" by: 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, system32.exe, Kazekage.exe, smss.exe, Gaara.exe, csrss.exe
Set value (str) FreeAV = "Fonts\\Admin 29 - 5 - 2024\\Gaara.exe" by: smss.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, Gaara.exe, csrss.exe, system32.exe
Set value (str) SystemRun = "drivers\\csrss.exe" by: system32.exe, Gaara.exe, smss.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, csrss.exe, Kazekage.exe
Disables UAC via registry modification (EnableLUA = 0) 6 IoCs
Repeats the six EnableLUA writes already listed above; the heading for this second occurrence is missing from the extracted page.
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int) EnableLUA = "0" by: csrss.exe, Kazekage.exe, 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe, smss.exe, system32.exe, Gaara.exe
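The registry signatures above (Winlogon, Image File Execution Options, the UAC and Explorer policies, the Run key) reduce to a handful of host checks. The script below is an added example written for this page; it is not part of the report or of the sandbox's tooling. It triages a constructed snapshot of the writes listed above (key, value name and data copied from the signatures, with HKLM and HKCU standing in for \REGISTRY\MACHINE and \REGISTRY\USER\<SID>), shows why the WOW6432Node Winlogon entries are inert on x64 while the IFEO entries are not, and composes the command that actually runs when a hijacked tool is launched. The baseline Winlogon image names, the 64-bit host default and the C:\Tools path are the script's own assumptions.

```python
"""Triage of the registry writes this report attributes to the sample.

Added example for this page, not the sandbox's code. The snapshot below is
constructed from the signature tables: same keys, value names and data, with
HKLM / HKCU standing in for \\REGISTRY\\MACHINE and \\REGISTRY\\USER\\<SID>.
"""
import ntpath

WINLOGON_WOW = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# One entry per distinct (key, value name, data) the sample wrote; process attribution dropped.
SAMPLE_WRITES = [
    (WINLOGON_WOW, "Userinit", r"userinit.exe,drivers\system32.exe"),
    (WINLOGON_WOW, "Shell", r"Explorer.exe, drivers\csrss.exe"),
    (IFEO_ROOT + r"\taskmgr.exe", "Debugger", r"drivers\Kazekage.exe"),
    (IFEO_ROOT + r"\regedit.exe", "Debugger", r"drivers\Kazekage.exe"),
    (IFEO_ROOT + r"\procexp.exe", "Debugger", "cmd.exe /c del"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", 1),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", "SystemRun", r"drivers\csrss.exe"),
]

# Image names a clean Windows 10 host lists in these values (assumed baseline).
WINLOGON_DEFAULT_IMAGES = {"Userinit": {"userinit.exe"}, "Shell": {"explorer.exe"}}


def ifeo_effective_command(debugger: str, original_cmdline: str) -> str:
    """With a Debugger value present, the loader starts the debugger string and
    appends the original command line; "cmd.exe /c del" therefore deletes the
    program the user tried to launch."""
    return f"{debugger} {original_cmdline}"


def winlogon_value_is_read(key: str, host_is_64bit: bool = True) -> bool:
    """winlogon.exe is a native process: on x64 it reads the native Winlogon key,
    never the WOW6432Node copy that a redirected 32-bit writer lands in."""
    redirected = "\\wow6432node\\" in key.lower()
    return not (redirected and host_is_64bit)


def classify(key: str, name: str, data, host_is_64bit: bool = True) -> list:
    """Return (category, detail) findings for one registry write."""
    findings = []
    k = key.lower()
    if k.endswith("\\winlogon") and name in WINLOGON_DEFAULT_IMAGES:
        # Winlogon values are comma-separated image lists; flag every non-default image.
        for entry in (p.strip() for p in str(data).split(",") if p.strip()):
            if ntpath.basename(entry).lower() not in WINLOGON_DEFAULT_IMAGES[name]:
                status = "active" if winlogon_value_is_read(key, host_is_64bit) else "inert on x64 (WOW6432Node)"
                findings.append(("winlogon-append", f"{name} += {entry} [{status}]"))
    elif "\\image file execution options\\" in k and name.lower() == "debugger":
        # IFEO is a shared key, so this applies to 32- and 64-bit launches alike.
        findings.append(("ifeo-debugger", f"{ntpath.basename(key)} -> {data}"))
    elif k.endswith("\\policies\\system"):
        if name == "EnableLUA" and int(data) == 0:
            findings.append(("uac-disabled", "EnableLUA=0 (effective after restart)"))
        elif name == "DisableRegistryTools" and int(data) == 1:
            findings.append(("regedit-blocked", "DisableRegistryTools=1"))
    elif k.endswith("\\explorer\\advanced"):
        if name == "HideFileExt" and int(data) == 1:
            findings.append(("explorer-hide", "file extensions hidden"))
        elif name == "ShowSuperHidden" and int(data) == 0:
            findings.append(("explorer-hide", "protected OS files hidden"))
    elif k.endswith("\\currentversion\\run"):
        # 64-bit Explorer processes the WOW6432Node Run key as well as the native one.
        findings.append(("run-key", f"{name} = {data}"))
    return findings


def triage(writes, host_is_64bit: bool = True) -> list:
    """Classify every write in a snapshot."""
    out = []
    for key, name, data in writes:
        out.extend(classify(key, name, data, host_is_64bit))
    return out


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_WRITES):
        print(f"{category:16} {detail}")
    # What actually runs when Process Explorer is started from C:\Tools (assumed path):
    print(ifeo_effective_command("cmd.exe /c del", r"C:\Tools\procexp.exe"))
```

On a live host the same `classify` logic can be fed from `winreg` instead of the inline snapshot; the WOW6432Node distinction is the reason to read both views of Winlogon and Run rather than only the native one.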
Drops desktop.ini file(s) 64 IoCs
Desktop.ini is opened for modification in the root of every drive letter the sample tries (paths appear as \??\<letter>:\Desktop.ini, or as C:\Desktop.ini, D:\Desktop.ini and F:\Desktop.ini for those three). Entries grouped by process:
Gaara.exe: Z:, B:, M:, N:, W:, R:, G:, P:, L:
349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe: H:, Q:, O:, T:, G:, D:, A:, F:, I:, B:, E:, V:, Z:, Y:
csrss.exe: W:, Y:, E:, G:, K:, O:, T:, V:, C:, M:, N:
smss.exe: L:, B:, C:, I:, O:, T:, Z:, F:, G:, Q:, Y:, D:, H:, U:, E:
system32.exe: T:, I:, U:, O:, S:, Q:
Kazekage.exe: R:, Z:, M:, T:, S:, H:, G:, U:, Y:
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) \??\<letter>: grouped by process:
system32.exe: Q:, R:, O:, A:, P:, B:, W:, K:, V:, N:, T:
Gaara.exe: V:, I:, M:, E:, Z:, K:, O:, A:, T:, P:, Y:, L:, W:, J:
Kazekage.exe: T:, K:, P:, V:, Q:, G:, R:, S:, A:
smss.exe: B:, H:, L:, Z:, N:, S:, P:, V:, T:, E:, R:, K:, W:, Y:, O:
csrss.exe: H:, N:, I:, V:, J:, P:, O:
349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe: R:, U:, M:, W:, I:, Y:, A:, K:
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe -
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main smss.exe -
Modifies registry class 51 IoCs
Runs ping.exe 1 TTPs 30 IoCs
pid Process 3192 ping.exe 1224 ping.exe 2016 ping.exe 5100 ping.exe 5004 ping.exe 4472 ping.exe 1548 ping.exe 1628 ping.exe 1160 ping.exe 4608 ping.exe 3496 ping.exe 892 ping.exe 3308 ping.exe 4036 ping.exe 3372 ping.exe 1176 ping.exe 1160 ping.exe 752 ping.exe 4504 ping.exe 3376 ping.exe 1548 ping.exe 5052 ping.exe 4108 ping.exe 3272 ping.exe 1920 ping.exe 2692 ping.exe 3092 ping.exe 2444 ping.exe 3212 ping.exe 1624 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 4084 Gaara.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3768 csrss.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe 3144 Kazekage.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
1400 | 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
2604 | smss.exe
3372 | smss.exe
4084 | Gaara.exe
3736 | smss.exe
1392 | Gaara.exe
3768 | csrss.exe
2252 | smss.exe
2988 | Gaara.exe
2844 | csrss.exe
3144 | Kazekage.exe
2280 | smss.exe
4752 | Gaara.exe
1572 | csrss.exe
5072 | Kazekage.exe
4168 | system32.exe
1220 | smss.exe
4868 | Gaara.exe
2648 | csrss.exe
3220 | Kazekage.exe
4520 | system32.exe
1580 | system32.exe
2916 | Kazekage.exe
1452 | system32.exe
2904 | csrss.exe
3308 | Kazekage.exe
3360 | system32.exe
396 | Gaara.exe
4196 | csrss.exe
1624 | Kazekage.exe
1504 | system32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
source PID | source Process | target PID | procid_target (report id) | rows
1400 | 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe | 2604 | 83 | 3
2604 | smss.exe | 3372 | 84 | 3
2604 | smss.exe | 4084 | 86 | 3
4084 | Gaara.exe | 3736 | 89 | 3
4084 | Gaara.exe | 1392 | 90 | 3
4084 | Gaara.exe | 3768 | 91 | 3
3768 | csrss.exe | 2252 | 92 | 3
3768 | csrss.exe | 2988 | 93 | 3
3768 | csrss.exe | 2844 | 94 | 3
3768 | csrss.exe | 3144 | 95 | 3
3144 | Kazekage.exe | 2280 | 96 | 3
3144 | Kazekage.exe | 4752 | 97 | 3
3144 | Kazekage.exe | 1572 | 98 | 3
3144 | Kazekage.exe | 5072 | 99 | 3
3144 | Kazekage.exe | 4168 | 100 | 3
4168 | system32.exe | 1220 | 101 | 3
4168 | system32.exe | 4868 | 102 | 3
4168 | system32.exe | 2648 | 103 | 3
4168 | system32.exe | 3220 | 104 | 3
4168 | system32.exe | 4520 | 105 | 3
3768 | csrss.exe | 1580 | 106 | 3
4084 | Gaara.exe | 2916 | 107 | 1 (list truncated at 64 rows)
-
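The "wrote to memory of" rows above coincide one-to-one with the parent/child links in the process tree further down, and the report logs every edge three times. The script below is an added example, not part of the sandbox report: it rebuilds the lineage from a constructed subset of those rows, collapses the repeats, renders the tree, measures the chain depth, and flags the self-copy pattern (a stage launching another instance of its own image next to the next stage). Assumptions: the row regex matches the report's flattened format; LEAF_NAMES maps PIDs that never write to another process to the image names shown in the process tree. Caveat from this very run: PIDs 1160, 1548, 3372, 3308 and 1624 each belong to two different processes in the tree, so a parser over the full table should key on the report's own target id (the trailing procid_target column, kept here as proc_ids) rather than on the OS PID alone.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: a subset of the "wrote to memory of" rows from this report.
# The report logs every edge three times; the first edge keeps its repeats here
# so the collapse is exercised.
SAMPLE_ROWS = """
PID 1400 wrote to memory of 2604 1400 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe 83
PID 1400 wrote to memory of 2604 1400 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe 83
PID 1400 wrote to memory of 2604 1400 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe 83
PID 2604 wrote to memory of 3372 2604 smss.exe 84
PID 2604 wrote to memory of 4084 2604 smss.exe 86
PID 4084 wrote to memory of 3736 4084 Gaara.exe 89
PID 4084 wrote to memory of 1392 4084 Gaara.exe 90
PID 4084 wrote to memory of 3768 4084 Gaara.exe 91
PID 3768 wrote to memory of 2252 3768 csrss.exe 92
PID 3768 wrote to memory of 2988 3768 csrss.exe 93
PID 3768 wrote to memory of 2844 3768 csrss.exe 94
PID 3768 wrote to memory of 3144 3768 csrss.exe 95
PID 3144 wrote to memory of 4168 3144 Kazekage.exe 100
PID 4168 wrote to memory of 4520 4168 system32.exe 105
"""

# Image names for PIDs that never act as a writer, copied from the process tree
# section of this report (assumption: none of these PIDs is reused in the subset).
LEAF_NAMES = {3372: "smss.exe", 3736: "smss.exe", 1392: "Gaara.exe",
              2252: "smss.exe", 2988: "Gaara.exe", 2844: "csrss.exe",
              4520: "system32.exe"}

# "PID <src> wrote to memory of <dst> <src> <src image> <report id of dst>";
# the \1 backreference rejects rows whose two source PIDs disagree.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_edges(text: str) -> Tuple[Dict[int, List[int]], Dict[int, str], Dict[int, int]]:
    """Return (children by parent PID, image name by PID, report proc id by child PID)."""
    children: Dict[int, List[int]] = defaultdict(list)
    names = dict(LEAF_NAMES)
    proc_ids: Dict[int, int] = {}
    seen = set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        names[parent] = m.group(3)
        proc_ids[child] = int(m.group(4))
        if (parent, child) in seen:      # the report repeats each edge; keep one
            continue
        seen.add((parent, child))
        children[parent].append(child)
    return dict(children), names, proc_ids


def roots(children):
    """PIDs that spawn something but are never spawned themselves."""
    spawned = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in spawned)


def render(children, names, pid, depth=0, out=None):
    """Indented tree, one line per process, in report order."""
    out = [] if out is None else out
    out.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
    for c in children.get(pid, []):
        render(children, names, c, depth + 1, out)
    return out


def self_copies(children, names):
    """Edges where a process launches another instance of its own image name."""
    return [(p, c) for p, cs in children.items() for c in cs
            if names.get(p) == names.get(c)]


def chain_depth(children, pid):
    """Longest parent-to-child chain starting at pid, counting pid itself."""
    return 1 + max((chain_depth(children, c) for c in children.get(pid, [])), default=0)


if __name__ == "__main__":
    ch, nm, ids = parse_edges(SAMPLE_ROWS)
    for root in roots(ch):
        print("\n".join(render(ch, nm, root)))
        print("chain depth:", chain_depth(ch, root))
    print("self-copies:", self_copies(ch, nm))
```

On the subset above the rebuilt chain is seven processes deep (the same depth the tree section reaches with system32.exe at level 7), and four of the thirteen edges are self-copies. Note also that the image paths in the tree read C:\Windows\SysWOW64\drivers\... while the command lines say C:\Windows\system32\drivers\...: the sample is 32-bit, so its writes to system32 are redirected by WoW64 file-system redirection, and the same applies to the WOW6432Node registry paths in the tables above.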
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe
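The registry tables in this report (Winlogon Userinit and Shell, the VBSFile and inffile verb handlers, and EnableLUA) are the changes a responder would check for on any host that ran this sample. The script below is an added example, not part of the sandbox report: it parses rows in the report's flattened 'Set value (...) <key> = "<value>" <process>' and 'Key created <key> <process>' formats and applies three baseline checks. The baselines are assumptions stated in the code, not taken from the report: Winlogon Userinit should name only userinit.exe and Shell only explorer.exe; EnableLUA should not be 0; and a shell verb command that never references the opened file (%1 or %L) is treated as hijacked, which is what catches the calc.exe and "shutdown -r -f -t 0" handlers here. The txtfile row in the sample is a constructed benign control, not something the report shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: rows copied from the flattened registry IoC tables in this
# report, plus one constructed benign row (txtfile) that must not be flagged.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\system32\NOTEPAD.EXE %1" explorer.exe
'''

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')


@dataclass(frozen=True)
class RegEvent:
    op: str                 # "set" or "create"
    key: str                # path as logged; a trailing "\" means the (Default) value
    value: Optional[str]    # None for "Key created" rows
    process: str            # process that made the change


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    key: str
    detail: str


def parse_ioc_lines(text: str) -> List[RegEvent]:
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            events.append(RegEvent("set", m.group(2), m.group(3), m.group(4)))
            continue
        m = KEY_RE.match(line)
        if m:
            events.append(RegEvent("create", m.group(1), None, m.group(2)))
    return events


def _basename(component: str) -> str:
    # "drivers\\system32.exe" (escaped as in the report) -> "system32.exe"
    return component.strip().strip('"').rsplit("\\", 1)[-1].lower()


# Baseline assumptions (not taken from the report): Userinit lists only
# userinit.exe, Shell only explorer.exe, EnableLUA is not 0, and a verb handler
# references the file it opens via %1 / %L / %*.
WINLOGON_BASELINE = {"userinit": "userinit.exe", "shell": "explorer.exe"}
PLACEHOLDER_RE = re.compile(r"%[1lL*]")


def triage(events: List[RegEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        if ev.op != "set" or ev.value is None:
            continue
        parts = ev.key.rstrip("\\").lower().split("\\")
        leaf = parts[-1]
        if "winlogon" in parts and leaf in WINLOGON_BASELINE:
            extras = [c.strip() for c in ev.value.split(",")
                      if c.strip() and _basename(c) != WINLOGON_BASELINE[leaf]]
            if extras:
                findings.append(Finding("winlogon-helper", ev.process, ev.key, ", ".join(extras)))
        elif leaf == "enablelua" and ev.value.strip() == "0":
            findings.append(Finding("uac-disabled", ev.process, ev.key, ev.value))
        elif leaf == "command" and "shell" in parts and not PLACEHOLDER_RE.search(ev.value):
            findings.append(Finding("shell-verb-hijack", ev.process, ev.key, ev.value))
    return findings


def by_process(findings: List[Finding]):
    """Rule names grouped by the process that triggered them."""
    out = {}
    for f in findings:
        out.setdefault(f.process, []).append(f.rule)
    return out


if __name__ == "__main__":
    for f in triage(parse_ioc_lines(SAMPLE_IOCS)):
        print(f"{f.rule:18} {f.process:12} {f.key}  ->  {f.detail}")
```

Run as a script it prints one line per finding (five for the sample: two Winlogon helpers, one UAC disable, two hijacked verb handlers; the "Key created" row carries no value and is skipped). On a live host the same rules can be fed from exported registry text, with one caveat visible in this report: the Winlogon values landed under WOW6432Node, the 32-bit view, so a check that reads only the native 64-bit view misses them, and whether 64-bit winlogon.exe honours values in that view is something to confirm on a test host before treating the persistence as live.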
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe  |  cmdline: "C:\Users\Admin\AppData\Local\Temp\349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1400 -
[level 2] C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2604 -
[level 3] C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3372
-
-
[level 3] C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4084 -
[level 4] C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3736
-
-
[level 4] C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1392
-
-
[level 4] C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3768 -
[level 5] C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2252
-
-
[level 5] C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2988
-
-
[level 5] C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
[level 5] C:\Windows\SysWOW64\drivers\Kazekage.exe  |  cmdline: C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3144 -
[level 6] C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2280
-
-
[level 6] C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4752
-
-
[level 6] C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1572
-
-
[level 6] C:\Windows\SysWOW64\drivers\Kazekage.exe  |  cmdline: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5072
-
-
[level 6] C:\Windows\SysWOW64\drivers\system32.exe  |  cmdline: C:\Windows\system32\drivers\system32.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4168 -
[level 7] C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1220
-
-
[level 7] C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4868
-
-
[level 7] C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2648
-
-
[level 7] C:\Windows\SysWOW64\drivers\Kazekage.exe  |  cmdline: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3220
-
-
[level 7] C:\Windows\SysWOW64\drivers\system32.exe  |  cmdline: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4520
-
-
[level 7] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:2016
-
-
[level 7] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:5100
-
-
[level 7] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:3192
-
-
[level 7] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:4608
-
-
-
[level 6] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:1224
-
-
[level 6] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:1920
-
-
[level 6] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:4472
-
-
[level 6] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:1624
-
-
-
[level 5] C:\Windows\SysWOW64\drivers\system32.exe  |  cmdline: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1580
-
-
[level 5] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:4504
-
-
[level 5] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:2444
-
-
[level 5] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:3212
-
-
[level 5] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:3372
-
-
[level 5] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:1628
-
-
[level 5] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:5052
-
-
-
[level 4] C:\Windows\SysWOW64\drivers\Kazekage.exe  |  cmdline: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2916
-
-
[level 4] C:\Windows\SysWOW64\drivers\system32.exe  |  cmdline: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1452
-
-
[level 4] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:4108
-
-
[level 4] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:3272
-
-
[level 4] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:2692
-
-
[level 4] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:5004
-
-
[level 4] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:1548
-
-
[level 4] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:1160
-
-
-
[level 3] C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
[level 3] C:\Windows\SysWOW64\drivers\Kazekage.exe  |  cmdline: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3308
-
-
[level 3] C:\Windows\SysWOW64\drivers\system32.exe  |  cmdline: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3360
-
-
[level 3] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:1160
-
-
[level 3] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:752
-
-
[level 3] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:892
-
-
[level 3] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:3496
-
-
-
[level 2] C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:396
-
-
[level 2] C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe  |  cmdline: "C:\Windows\Fonts\Admin 29 - 5 - 2024\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4196
-
-
[level 2] C:\Windows\SysWOW64\drivers\Kazekage.exe  |  cmdline: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624
-
-
[level 2] C:\Windows\SysWOW64\drivers\system32.exe  |  cmdline: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1504
-
-
[level 2] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:3308
-
-
[level 2] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:4036
-
-
[level 2] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:1548
-
-
[level 2] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:3376
-
-
[level 2] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.rasasayang.com.my 65500
- Runs ping.exe
PID:1176
-
-
[level 2] C:\Windows\SysWOW64\ping.exe  |  cmdline: ping -a -l www.duniasex.com 65500
- Runs ping.exe
PID:3092
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (9)
Downloads
-
Filesize: 736B
MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize: 196B
MD5: 1564dfe69ffed40950e5cb644e0894d1
SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize: 148KB
MD5: e7227fe1e934295f9cff905888f1e321
SHA1: c7526749d9bc47906ea029525e53882defdf8fe7
SHA256: af2377630e0288a66be1f527a2a347fb4c419fb10b3d38f546285be5709db0e0
SHA512: cd6d1395914652ab92f529c65a6b8234020125ca1ca2c1de7dd679965f5efb72c54991e76218ec4c42fcdfc434e648c88039231bd8780f208a313603d6e85714
-
Filesize: 148KB
MD5: cb36b6c3957ba68adf18c5ea91e01606
SHA1: 8985eb673f3888f967d515fbd26f3807e81c4020
SHA256: 0c8d57cf80a2d4e21b46444cdbba1c6838487e6e79807f246ef4df69cf71cafc
SHA512: ef24ddd2d55d44ae5103ff7a644b9c44d835064c537ba533eca09b51cf5411f3dcc4a5923b8ee5d49922cbfb93224b43175ea3e298022d9b60d01a02102e49eb
-
Filesize: 148KB
MD5: 7bbd7604920f5e8485812b7b7f7aa888
SHA1: 03483dfef5c65386f797a065cbb07a12e606d2ae
SHA256: ebda3d61af52b276db8b34fec3557b3dec09b3aa353702b646d832a022fea422
SHA512: ee043e44d711008339cf80e5118e76cc1aabd37ab7006e6a9b99526e3e285a07b4b806ab89bf599679627251256c143b5ff15ae260679c6ef7ba3fd61879f9d3
-
Filesize: 148KB
MD5: f9c394d47949f4ccc5abe636f5aff815
SHA1: 277b55b63f17d1d4181abf78cc475ad74582dd03
SHA256: 675395d4dc2d3ff62b8e32b264cd93cb9a50592b7567700e65e168f46ff86576
SHA512: 91230d18e7d36d7a2def9c409ffb34fb0a799b42d66a8e445fe32f23567305e418f3a166222b2e567fb5371bca6a6955f67a8577c159e9a8239af15b20d53c6c
-
Filesize: 1.4MB
MD5: d6b05020d4a0ec2a3a8b687099e335df
SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize: 148KB
MD5: 8c7abda9682a08f61b5feb5271ed8eed
SHA1: e416c7f3d7a478bb1ac6bc63ec1a1a56b11d2326
SHA256: e3b26e75414b551d3fa77d0dadcf57ef937440596ee5339aeaebd2d46994aa1f
SHA512: 84b491460f4442c1d975c068f53baf7447fca07bacb77857a5f0b2e7c952e48cbbc7e6a61128bb2fcb27da916264f4c071adffb8936a89a9c593f4b0176ec4a0
-
Filesize: 148KB
MD5: 23d42f4b74eca1193be21574dac226ec
SHA1: e74ff8baf4e40f29aba0f91e3987a75fa8e35d48
SHA256: 38abee2def3b1c42ff29af15f32ec99646420fd004e03de119fb9da0d2f1b339
SHA512: 57ab9532bec693b911009c3b905ff186c2b2d5d5998baa60d03a25629b8fb9a3b7ef1ff098af979fe9cd7bf5a8e20ce41f06dde33dfa4aef52741a410f1dd2da
-
Filesize: 148KB
MD5: 9f02ae35262afbd32d68c7086db4c22a
SHA1: 8ba4ee4acc533d5d245a467db604ab0d43f5bd5b
SHA256: 3bf48d8c9fa0306bef431e6105090f214287aa1842ad3733aea3646b8259cbe3
SHA512: a3375fba2d90657df3b743dc2c4046f4d962f1ffc95ee6577aec769416dab9a46e6e1cbc98a1a2470c2657b2346c145919d720288ee12e6d633a5255afafe651
-
Filesize: 148KB
MD5: f656ab7e32e047fcbf93cc1d87209dc2
SHA1: e5734ba7a00130a56b12a4559e69c644725ae0c8
SHA256: d3d98f33974c2ab13ae7b76a503bd7a678b6fe9a0c07826853160d4d38800c80
SHA512: c45eaafcb543a5b5278af854784f637757fa1798986c9964981bf8a6cbe9e259dbf5256627f8148f3aa573cca7b9f3825281419183932fe2fd3c0735c1dcb278
-
Filesize: 65B
MD5: 64acfa7e03b01f48294cf30d201a0026
SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize: 148KB
MD5: 897e6e2c265164ee3579a3570c8d2c6c
SHA1: ead47cd287574274866b6b809cc1c667f8a8f4da
SHA256: 12c3a3cbd446326ace463d04887eb6c3f2d2df19e3bf7840307b67f1e4dbb4f9
SHA512: a2c754c100ec950db7df5596455424ab0dc57a1dbdb20697f36306883cee93ab896cb2a8458d01feb203df0dcd9084195a47e7d1da22913be87329dd7ef80b01
-
Filesize: 148KB
MD5: a63acabac108a9a447cf2755dac66de6
SHA1: 31786dbbe547ba82de236460024398a31b9dafc9
SHA256: 868bb284799f3b81bd080b15e5ba15e2cb23b19619c7248581f667b36d4d7680
SHA512: d6e6a246c67034a81654d66210fe50cc0fa7a3ec4b22cb0b50124535ae384b9e9716968a5ce8e9b5de9c84983c48b12c44521944c2452fdf31146dc4c0d8ede4
-
Filesize: 148KB
MD5: 6c2680e8c5536380c72f0d8f5e5517aa
SHA1: b0bdaf2f03bba52f19721b5dda02cf081f86afd5
SHA256: 85a114fc75a8d780af8b53723c8d0aa9ad05ae58273b8c115f8f2ad85969e031
SHA512: 29b9aabc465074904c8bbbb720ddd3b33b6d4b56ae7271046386adb3a7eb4e0656395dcf8d3a8a021516e06baf3b0155b746daa81a0e972bbf57bcd3e4bc3ee3
-
Filesize: 148KB
MD5: 78eac3c335819ef1f241122f9039569b
SHA1: 3c07d50f86d7ad3306c3049d874168f00fe66d68
SHA256: 1ac60c316969abf8e0f375f97f7c889cc0d8caed1e2fc5910abcff99eb0dcd55
SHA512: 53eec9ab71b020443b9ca52ec8ea6bfc7b0c58b42ac573fb690969b42bbb15855f3b5ad86534402ec1663ce11a029686028665cb3a5825c205c5f3d885282759
-
Filesize: 148KB
MD5: e60a747845ad8174ce9d23acbcddaae8
SHA1: ba11214e04007faa6629cd0f38056457f803fc1c
SHA256: 03019ec381aab4e0492f5a1cf2e030ef2ab58249188e31aa03d9325647c8bec6
SHA512: 87172914d51a60791531ebd191ca75343db13d082bbdf6087593392a868ff74479f5bc98963c4ef7b23c9aff89fc256d74436f62d482de7631d53a228f733f2b
-
Filesize: 1.4MB
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize: 148KB (hashes identical to the submitted sample)
MD5: 4e16157e70437e950eb4b1137af5777d
SHA1: 0ef6e1ebfabf172f6f594c463a42fa8123c36fba
SHA256: 349ee2c769c672dc70fc7d2a5e0d44c897066834a7872d813257df43cd67721c
SHA512: 44b7eebb7d22fce31499678cb30feeae7843a8a241da5dab9a1044ea9bfc919155f4bf929341c45d52b461fa6c9e35d0afd1e6fdcb7a262fef024d7cd0a6df03