Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2024, 23:06
Static task: static1
Behavioral task: behavioral1
Sample: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Resource: win10v2004-20241007-en
General
Target: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Size: 145KB
MD5: 6e0a5bad73ddf8b05ea69aa6775df2a3
SHA1: 7185cfa795b13bfca5213af466aacc0ff4145968
SHA256: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
SHA512: 58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b
SSDEEP: 1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Winlogon starts every comma-separated entry in the Shell and Userinit values at logon, so appending drivers\csrss.exe and drivers\system32.exe makes the dropped copies start alongside Explorer.exe and userinit.exe. The file names mimic Windows system binaries, but the files live in SysWOW64\drivers, not in System32. The WOW6432Node path shows the values were written through the 32-bit registry view; when triaging a 64-bit host, check both the native and the WOW6432Node Winlogon keys.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Disables UAC (EnableLUA = 0, effective after the next reboot) 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
A Debugger value under an Image File Execution Options subkey is started in place of the named program, with the original command line appended. Two patterns appear here. For taskmgr.exe, regedt32.exe, msconfig.exe, rstrui.exe, mmc.exe, wscript.exe and cscript.exe the Debugger is drivers\Kazekage.exe, so launching any of those tools runs the dropped binary instead. For procexp.exe, Thumbs.com, Rin.exe, Obito.exe, kspool.exe, HokageFile.exe, KakashiHatake.exe, Funny UST Scandal.exe and Funny UST Scandal.avi.exe the Debugger is cmd.exe /c del, which receives the original path as its argument and deletes the file that was about to run. regedit.exe, kspoold.exe and HOKAGE4.exe only get a subkey created in this run.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | system32.exe
Executes dropped EXE 30 IoCs
pid | Process
3316 | smss.exe
4800 | smss.exe
3532 | Gaara.exe
4324 | smss.exe
5100 | Gaara.exe
4236 | csrss.exe
1952 | smss.exe
3720 | Gaara.exe
3412 | csrss.exe
3768 | Kazekage.exe
4472 | smss.exe
368 | Gaara.exe
4680 | csrss.exe
32 | Kazekage.exe
488 | system32.exe
4768 | smss.exe
2656 | Gaara.exe
2212 | csrss.exe
1016 | Kazekage.exe
4060 | system32.exe
2816 | system32.exe
4280 | Kazekage.exe
3912 | system32.exe
1048 | csrss.exe
1440 | Kazekage.exe
1844 | system32.exe
1796 | Gaara.exe
1944 | csrss.exe
636 | Kazekage.exe
4456 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
3316 | smss.exe
4800 | smss.exe
3532 | Gaara.exe
4324 | smss.exe
5100 | Gaara.exe
4236 | csrss.exe
1952 | smss.exe
3720 | Gaara.exe
3412 | csrss.exe
4472 | smss.exe
368 | Gaara.exe
4680 | csrss.exe
4768 | smss.exe
2656 | Gaara.exe
2212 | csrss.exe
1048 | csrss.exe
1796 | Gaara.exe
1944 | csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | smss.exe
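The Winlogon, Image File Execution Options, Run-key and policy rows above all share one row grammar, so a triage script can parse them and sort each write into a technique. The script below is an added example, not tria.ge code; its input is a handful of rows copied from this report (constructed input so it runs offline), and the row grammar, the Winlogon baseline (only explorer.exe and userinit.exe belong there) and the short list of legitimate IFEO debuggers are assumptions of the example.

```python
"""Classify sandbox registry IoC rows into persistence / evasion techniques.

Added example, not part of the report. Rows are copied from the report's
Signatures tables; the grammar, the Winlogon baseline and the debugger
allow-list are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Constructed input: rows copied verbatim from the tables above.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe system32.exe',
]

# Row grammar as printed in the report (assumption): a quoted value, then the
# acting process name, which contains no spaces in this report.
SET_RE = re.compile(r'^Set value \((?:str|int)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (\S+)$')

# Assumed baselines: what Winlogon should launch, and debuggers that may
# legitimately sit in an IFEO Debugger value.
WINLOGON_BASELINE = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe"}
# Policy values this sample writes and what each one does.
POLICY_FLAGS = {
    "enablelua": ("0", "UAC prompts disabled"),
    "disableregistrytools": ("1", "regedit blocked"),
    "hidefileext": ("1", "file extensions hidden"),
    "showsuperhidden": ("0", "hidden/system files hidden"),
}


@dataclass(frozen=True)
class Finding:
    technique: str
    key: str
    detail: str
    process: str


def parse_row(row):
    """Return (path, value, process); value is None for 'Key created' rows."""
    m = SET_RE.match(row)
    if m:
        return m.group(1), m.group(2), m.group(3)
    m = KEY_RE.match(row)
    if m:
        return m.group(1), None, m.group(2)
    raise ValueError(f"unrecognised row: {row!r}")


def _basenames(value):
    """Lower-cased file names from a comma-separated command list. The report
    prints backslashes doubled, so collapse them before splitting."""
    return {p.strip().replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
            for p in value.split(",") if p.strip()}


def classify_row(row):
    path, value, proc = parse_row(row)
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    if "\\winlogon\\" in low and name.lower() in WINLOGON_BASELINE and value is not None:
        extra = _basenames(value) - WINLOGON_BASELINE[name.lower()]
        if extra:
            return Finding("winlogon-persistence", name, "extra entries " + ", ".join(sorted(extra)), proc)
    elif "\\image file execution options\\" in low:
        if value is None:
            return Finding("ifeo-key", name, "IFEO subkey created", proc)
        if name.lower() == "debugger":
            target = path.rsplit("\\", 2)[-2]          # the image being hijacked
            if value.lower().startswith("cmd.exe /c del"):
                return Finding("ifeo-delete", target, "deleted instead of launched", proc)
            first = value.split(" ", 1)[0]
            if not _basenames(first) <= KNOWN_DEBUGGERS:
                return Finding("ifeo-redirect", target, "launches " + first + " instead", proc)
    elif "\\currentversion\\run\\" in low and value is not None:
        return Finding("run-key", name, value, proc)
    elif name.lower() in POLICY_FLAGS and value == POLICY_FLAGS[name.lower()][0]:
        return Finding("policy", name, POLICY_FLAGS[name.lower()][1], proc)
    return None


def classify(rows):
    """Findings for every row that matches a rule, in input order."""
    return [f for f in (classify_row(r) for r in rows) if f is not None]


def processes_by_technique(findings):
    """Which dropped processes performed each technique."""
    out = {}
    for f in findings:
        out.setdefault(f.technique, set()).add(f.process)
    return out


if __name__ == "__main__":
    for f in classify(REPORT_ROWS):
        print(f"{f.technique:22} {f.key:24} {f.detail:40} by {f.process}")
```

The rules are deliberately narrow: a Winlogon value is only flagged for entries beyond the baseline, and an IFEO Debugger is only flagged when it is not a real debugger, so a developer box with vsjitdebugger.exe registered does not trip the check. On a live host the same logic can be fed from a registry export instead of report rows; remember to read both the native and the WOW6432Node views of the Winlogon and Run keys.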
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | D:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
File opened for modification | \??\Y:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | Kazekage.exe
File opened for modification | \??\A:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | F:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\I:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\M:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\B:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | smss.exe
File opened for modification | C:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\B:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | smss.exe
File opened for modification | \??\G:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\V:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | Gaara.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\S:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | Kazekage.exe
File opened for modification | \??\E:\Desktop.ini | system32.exe
File opened for modification | \??\M:\Desktop.ini | system32.exe
File opened for modification | \??\E:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\L:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\Z:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | Gaara.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\S: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\T: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\V: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\B: | Kazekage.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\U: | system32.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\P: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\L: | csrss.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\J: | Kazekage.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\G: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\L: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\W: | Gaara.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\K: | csrss.exe
File opened (read-only) | \??\G: | Gaara.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\G: | smss.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\B: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\O: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\W: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\K: | Kazekage.exe
File opened (read-only) | \??\P: | smss.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\N: | system32.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\Z: | Kazekage.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\Y: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\A: | system32.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\U: | csrss.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies Control Panel 64 IoCs
Modifies registry class 51 IoCs
description ioc Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile
  by Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell
  by Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install
  by Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
  by Kazekage.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe, csrss.exe, Gaara.exe, system32.exe, smss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"
  by system32.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
  by 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe, Gaara.exe, Kazekage.exe, system32.exe, smss.exe, csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"
  by system32.exe, Kazekage.exe, smss.exe, Gaara.exe, csrss.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
  by csrss.exe, smss.exe, system32.exe, Kazekage.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe, Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"
  by system32.exe, Gaara.exe, Kazekage.exe, smss.exe, csrss.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
  by system32.exe, Gaara.exe, csrss.exe, Kazekage.exe, smss.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"
  by smss.exe, csrss.exe, Kazekage.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe, Gaara.exe, system32.exe
-
Runs ping.exe 1 TTPs 36 IoCs
pid Process
ping.exe: 2356, 1944, 3596, 5000, 2576, 1668, 980, 756, 4476, 3344, 2908, 1384, 4060, 4048, 1164, 1136, 3932, 2576, 2024, 672, 1976, 4452, 4512, 4448, 552, 32, 4228, 3492, 4404, 4340, 3980, 2516, 1828, 4352, 1680, 3412
(36 ping.exe processes; PID 2576 is listed twice because two ping processes in the tree below reused it)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3532 Gaara.exe (24 events)
4236 csrss.exe (24 events)
3768 Kazekage.exe (16 events)
-
Suspicious use of SetWindowsHookEx 30 IoCs
pid Process
6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe: 2364
smss.exe: 3316, 4800, 4324, 1952, 4472, 4768
Gaara.exe: 3532, 5100, 3720, 368, 2656, 1796
csrss.exe: 4236, 3412, 4680, 2212, 1048, 1944
Kazekage.exe: 3768, 32, 1016, 4280, 1440, 636
system32.exe: 488, 2816, 3912, 1844, 4456
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (every event below was logged three times, except where noted)
PID 2364 wrote to memory of 3316  2364  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  85
PID 3316 wrote to memory of 4800  3316  smss.exe  87
PID 3316 wrote to memory of 3532  3316  smss.exe  88
PID 3532 wrote to memory of 4324  3532  Gaara.exe  90
PID 3532 wrote to memory of 5100  3532  Gaara.exe  91
PID 3532 wrote to memory of 4236  3532  Gaara.exe  92
PID 4236 wrote to memory of 1952  4236  csrss.exe  93
PID 4236 wrote to memory of 3720  4236  csrss.exe  94
PID 4236 wrote to memory of 3412  4236  csrss.exe  95
PID 4236 wrote to memory of 3768  4236  csrss.exe  96
PID 3768 wrote to memory of 4472  3768  Kazekage.exe  97
PID 3768 wrote to memory of 368  3768  Kazekage.exe  98
PID 3768 wrote to memory of 4680  3768  Kazekage.exe  99
PID 3768 wrote to memory of 32  3768  Kazekage.exe  100
PID 3768 wrote to memory of 488  3768  Kazekage.exe  101
PID 488 wrote to memory of 4768  488  system32.exe  102
PID 488 wrote to memory of 2656  488  system32.exe  103
PID 488 wrote to memory of 2212  488  system32.exe  104
PID 488 wrote to memory of 1016  488  system32.exe  105
PID 488 wrote to memory of 4060  488  system32.exe  106
PID 4236 wrote to memory of 2816  4236  csrss.exe  109
PID 3532 wrote to memory of 4280  3532  Gaara.exe  110  (logged once)
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  by Gaara.exe, csrss.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe, smss.exe, Kazekage.exe, system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  by system32.exe, 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe
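Added example, not part of the Triage output and not the sample's own code: a read-only PowerShell audit that re-checks, on a suspect host, the locations this report shows the sample touching. It inspects Winlogon Shell/Userinit in both the native view and the WOW6432Node view (the process tree shows SysWOW64 image paths, so this is a 32-bit sample, and Windows redirects its writes to redirected HKLM\SOFTWARE keys into WOW6432Node, which the 64-bit winlogon.exe does not read; a responder has to look in both places), EnableLUA, the VBSFile and inffile shell verbs, the IE Window Title marker, and the dropped copies under Fonts\<folder>\ and under SysWOW64\drivers (the same redirection explains why the tree shows a SysWOW64\drivers image path against a system32\drivers command line; the script also checks System32\drivers for completeness). Files it finds are hashed and compared with the SHA256 values listed in this report. The function and variable names are the example's own; the expected Shell, Userinit and EnableLUA values are Windows defaults, and a Shell other than explorer.exe can be legitimate on kiosk builds. One caveat on the ping activity: in `ping -a -l www.rasasayang.com.my 65500` the argument after `-l` must be a byte count, so Windows ping rejects the host name during option parsing and the 65500-byte pings are never sent; the Internet Connection Discovery tag reflects the attempt, not traffic.

```powershell
# Added audit example for the indicators in this report (not part of the Triage
# output, not the sample's code). Read-only: it reports and changes nothing.
# Run in an elevated PowerShell 5.1+ session on the host being checked.
# Paths and hashes come from this report; "expected" values are Windows defaults.

$Findings = New-Object 'System.Collections.Generic.List[string]'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is missing, instead of a terminating error.
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Winlogon Shell / Userinit. winlogon.exe (64-bit) reads the native view; a 32-bit
#    writer is redirected to WOW6432Node, so check both views.
foreach ($base in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $wl = "$base\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        $Findings.Add("Winlogon Shell at $wl = '$shell' (expected 'explorer.exe')")
    }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($userinit) {
        # Default is "C:\Windows\system32\userinit.exe,"; every additional
        # comma-separated entry is launched at each interactive logon.
        $extra = @(($userinit -split ',') | ForEach-Object { $_.Trim() } |
                   Where-Object { $_ -and ($_ -inotmatch '^(.*\\)?userinit\.exe$') })
        if ($extra.Count -gt 0) {
            $Findings.Add("Winlogon Userinit at $wl carries extra entries: $($extra -join ' | ')")
        }
    }
}

# 2. UAC. EnableLUA = 0 turns UAC off at the next boot; the default is 1.
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
if ($null -ne $lua -and [int]$lua -eq 0) { $Findings.Add('UAC disabled: EnableLUA = 0') }

# 3. Shell-verb hijacks seen in the report: .vbs Open/Open2/Edit -> calc.exe,
#    .inf Install -> "shutdown -r -f -t 0". Flag those payloads in the (default) value.
$verbKeys = @(
    'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open\Command',
    'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open2\Command',
    'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Edit\Command',
    'HKLM:\SOFTWARE\Classes\inffile\shell\Install\command'
)
foreach ($key in $verbKeys) {
    $cmd = Get-RegValue $key '(default)'
    if ($cmd -and $cmd -imatch '(^|\\|\s)(calc\.exe|shutdown)(\s|$)') {
        $Findings.Add("Hijacked shell verb: $key = '$cmd'")
    }
}

# 4. Marker string the sample writes into the user's IE settings (normally absent).
$title = Get-RegValue 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main' 'Window Title'
if ($title) { $Findings.Add("IE Window Title set: '$title'") }

# 5. Dropped binaries. The report shows smss/Gaara/csrss copies in a subfolder of
#    Fonts and Kazekage/system32 copies in SysWOW64\drivers (redirected "system32").
#    Genuine smss.exe/csrss.exe live only in System32, so any copy elsewhere is suspect.
$knownSha256 = @(   # SHA256 values listed in the General and Downloads sections of this report
    '6902AECC36502AD36F956DD6F6E6EE787D43EE6C38B8DEF8444779A282785A34',
    '49C9BF332C2CA47355DC1EBCA0D8B2D7AC9F6C9201EF5BB3BFDFAE15D8DEC25D',
    '19793E7F6BDE3A724B5F4A4142E1030F2BD581A5C20F8736181713399290DBE1'
)
$candidates = @()
Get-ChildItem -LiteralPath "$env:SystemRoot\Fonts" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { foreach ($n in 'smss.exe', 'Gaara.exe', 'csrss.exe') { $candidates += Join-Path $_.FullName $n } }
foreach ($dir in "$env:SystemRoot\SysWOW64\drivers", "$env:SystemRoot\System32\drivers") {
    foreach ($n in 'Kazekage.exe', 'system32.exe') { $candidates += Join-Path $dir $n }
}
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $tag = if ($knownSha256 -contains $h) { 'hash matches this report' } else { "SHA256 $h, not in this report" }
        $Findings.Add("Dropped file present: $p ($tag)")
    }
}

if ($Findings.Count -eq 0) { 'No indicators from this report found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A host that reports only the WOW6432Node Winlogon entries was hit by this 32-bit sample but will still boot a normal shell; a host that reports them in the native view has a writer that ran as 64-bit or used a redirection-free handle, and needs the Userinit and Shell values restored before the next logon.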
Processes
-
C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  "C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"  1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2364 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"  2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3316 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"  3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4800
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"  3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3532 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"  4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4324
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"  4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5100
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"  4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4236 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"  5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1952
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"  5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"  5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3412
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3768 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"  6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4472
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"  6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:368
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"  6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4680
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:32
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:488 -
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"  7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4768
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"  7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2656
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"  7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2212
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1016
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4060
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:980
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2576
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4512
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2356
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1164
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1136
-
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4340
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1828
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4060
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2516
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3412
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2908
-
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:32
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1668
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:672
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4476
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4048
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3344
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4280
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3912
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4404
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1384
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4352
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4228
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3596
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:552
-
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"  3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1048
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1440
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1844
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2576
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3492
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3980
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2024
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1976
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1944
-
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"  2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1796
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"  2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:636
-
-
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4456
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3932
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5000
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4452
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:756
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4448
-
-
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1680
-
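Three things in the process tree above are worth turning into a detection rule: a binary named csrss.exe started from C:\Windows\Fonts\Admin 20 - 10 - 2024\ (the real one only ever runs from C:\Windows\System32), executables dropped into a \drivers\ directory (which holds .sys files, not .exe), and ping.exe launched six times with -l 65500, the largest payload Windows ping accepts, against two external sites, which is a ping flood rather than connectivity discovery. Note that the arguments are out of order: -l is followed by the hostname instead of the byte count, so the command line itself, not any resulting ICMP traffic, is what to alert on. The Python below is an added example, not part of the tria.ge report; it runs that logic over process-creation records re-typed from the entries above plus two benign controls. The SYSTEM_PROCESS_DIRS table, the PING_FLOOD_SIZE threshold and the (image, command line, PID) record layout are the example's own choices.

```python
from pathlib import PureWindowsPath

# Process-creation records constructed from the process tree above
# (image path, command line, PID), plus two benign controls at the end.
# This is the report's data re-typed for the example, not a live capture.
SAMPLE_EVENTS = [
    (r"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe",
     r'"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"', 1796),
    (r"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe",
     r'"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"', 1944),
    (r"C:\Windows\SysWOW64\drivers\Kazekage.exe",
     r"C:\Windows\system32\drivers\Kazekage.exe", 636),
    (r"C:\Windows\SysWOW64\drivers\system32.exe",
     r"C:\Windows\system32\drivers\system32.exe", 4456),
    (r"C:\Windows\SysWOW64\ping.exe", "ping -a -l www.rasasayang.com.my 65500", 3932),
    (r"C:\Windows\SysWOW64\ping.exe", "ping -a -l www.duniasex.com 65500", 5000),
    (r"C:\Windows\System32\csrss.exe", "csrss.exe", 600),           # real csrss, benign control
    (r"C:\Windows\System32\ping.exe", "ping -n 1 10.0.0.1", 7000),  # ordinary ping, benign control
]

# Core Windows process names and the only directories they legitimately run
# from (lowercase). A match on the name but not the directory is masquerading.
SYSTEM_PROCESS_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Default ICMP payload is 32 bytes; 65500 is the maximum ping.exe accepts.
# Anything at or above this threshold is treated as a flood attempt.
PING_FLOOD_SIZE = 1024


def ping_payload(cmdline):
    """Return (size, out_of_order) for a ping command line.

    size is the -l byte count the operator meant. out_of_order is True when
    the token after -l is not a number, as in this report, where the hostname
    sits where the byte count belongs and the count trails the line.
    """
    toks = cmdline.split()
    if "-l" not in toks:
        return None, False
    i = toks.index("-l")
    nxt = toks[i + 1] if i + 1 < len(toks) else ""
    if nxt.isdigit():
        return int(nxt), False
    sizes = [int(t) for t in toks if t.isdigit()]
    return (max(sizes) if sizes else None), True


def assess(image, cmdline):
    """Return the list of findings for one process-creation record."""
    path = PureWindowsPath(image)
    name, parent = path.name.lower(), str(path.parent).lower()
    findings = []
    if name in SYSTEM_PROCESS_DIRS and parent not in SYSTEM_PROCESS_DIRS[name]:
        findings.append(f"masquerade: {path.name} running from {path.parent}")
    # Nothing legitimate starts an .exe from Fonts or from a drivers directory.
    if parent.startswith(r"c:\windows\fonts") or parent.endswith(r"\drivers"):
        findings.append(f"exe started from unusual directory: {path.parent}")
    if name == "ping.exe":
        size, out_of_order = ping_payload(cmdline)
        if size is not None and size >= PING_FLOOD_SIZE:
            note = " (arguments out of order)" if out_of_order else ""
            findings.append(f"ping flood attempt: -l {size}{note}")
    return findings


def triage(events):
    """Map PID -> findings for every record that tripped at least one rule."""
    report = {}
    for image, cmdline, pid in events:
        hits = assess(image, cmdline)
        if hits:
            report[pid] = hits
    return report


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

The masquerade check is deliberately directory-exact rather than "under C:\Windows": the dropper here put csrss.exe under C:\Windows\Fonts\, which a prefix match on C:\Windows would have waved through.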
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
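The Persistence rows above (Winlogon Helper DLL, Registry Run Keys / Startup Folder, Image File Execution Options Injection) all resolve to a handful of HKLM values, so the first check on a suspect host is to read them and diff against stock Windows. The Python below is an added example, not part of the report: assess_winlogon() strips the expected explorer.exe / userinit.exe entries and reports whatever was appended, assess_ifeo() lists any image with a Debugger value, and assess_run() flags Run entries that point into the Fonts and drivers directories this dropper used. SAMPLE_SNAPSHOT is constructed to resemble this report's persistence and is not a registry export; the report does not say which image's IFEO key was written, so "example.exe" stands in for it. collect_live() reads the real keys through winreg on Windows; the function names, the snapshot layout and the --live flag are the example's own.

```python
import sys

# Registry locations behind the Winlogon Helper DLL, Registry Run Keys and
# Image File Execution Options Injection rows above. The sample is 32-bit, so
# on x64 Windows its writes land under WOW6432Node; audit both views.
WINLOGON_KEYS = [r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"]
RUN_KEYS = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"]
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Stock Windows 10 values: Shell is a bare "explorer.exe", Userinit the full
# path plus a trailing comma. Anything else in the list is a helper Winlogon
# launches at logon (a bare "userinit.exe" is reported too, because stock
# Windows always writes the full path).
EXPECTED_WINLOGON = {"shell": {"explorer.exe"},
                     "userinit": {r"c:\windows\system32\userinit.exe"}}
SUSPICIOUS_DIRS = ("\\fonts\\", "\\drivers\\")  # where this dropper placed its copies


def split_list(value):
    """Comma-separated Winlogon value -> trimmed lowercase entries."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def in_suspicious_dir(command):
    # Leading backslash so a relative "drivers\x.exe" matches like an absolute path.
    p = "\\" + command.strip().strip('"').lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def assess_winlogon(values):
    """values: {"Shell"/"Userinit" or full key\\name: data} -> [(key, [non-stock entries])]."""
    findings = []
    for key, data in values.items():
        name = key.rsplit("\\", 1)[-1].lower()
        if name in EXPECTED_WINLOGON:
            extra = [e for e in split_list(data) if e not in EXPECTED_WINLOGON[name]]
            if extra:
                findings.append((key, extra))
    return findings


def assess_ifeo(debuggers):
    """{image: Debugger value}: any non-empty Debugger redirects that image's launch."""
    return [(img, dbg) for img, dbg in debuggers.items() if dbg]


def assess_run(entries):
    """{Run value name: command}: flag commands launched from the dropper's directories."""
    return [(n, c) for n, c in entries.items() if in_suspicious_dir(c)]


def audit(snapshot):
    return {"winlogon": assess_winlogon(snapshot.get("winlogon", {})),
            "ifeo": assess_ifeo(snapshot.get("ifeo", {})),
            "run": assess_run(snapshot.get("run", {}))}


def collect_live():
    """Build the same snapshot from the local registry (Windows only)."""
    import winreg
    hklm, snap = winreg.HKEY_LOCAL_MACHINE, {"winlogon": {}, "ifeo": {}, "run": {}}
    for key in WINLOGON_KEYS:
        for name in ("Shell", "Userinit"):
            try:
                with winreg.OpenKey(hklm, key) as k:
                    snap["winlogon"][key + "\\" + name] = winreg.QueryValueEx(k, name)[0]
            except OSError:
                pass
    for key in RUN_KEYS:
        try:
            with winreg.OpenKey(hklm, key) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    snap["run"][name] = data
        except OSError:
            pass
    try:
        with winreg.OpenKey(hklm, IFEO_KEY) as k:
            for i in range(winreg.QueryInfoKey(k)[0]):
                image = winreg.EnumKey(k, i)
                try:
                    with winreg.OpenKey(k, image) as sub:
                        snap["ifeo"][image] = winreg.QueryValueEx(sub, "Debugger")[0]
                except OSError:
                    pass
    except OSError:
        pass
    return snap


# Constructed snapshot shaped like this report's persistence, not a registry
# export; "example.exe" is a placeholder for the unnamed IFEO target.
SAMPLE_SNAPSHOT = {
    "winlogon": {"Shell": r"Explorer.exe, C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe",
                 "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\SysWOW64\drivers\system32.exe"},
    "ifeo": {"example.exe": r"C:\Windows\SysWOW64\drivers\Kazekage.exe"},
    "run": {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
            "Kazekage": r"C:\Windows\SysWOW64\drivers\Kazekage.exe"},
}

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    for technique, hits in audit(collect_live() if live else SAMPLE_SNAPSHOT).items():
        print(technique, hits or "clean")
```

Run it with --live on a Windows host (elevated, so both registry views are readable) to audit the real keys; without the flag it evaluates the constructed snapshot so the logic can be checked anywhere.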
Downloads
-
Filesize: 736B
MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize: 196B
MD5: 1564dfe69ffed40950e5cb644e0894d1
SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize: 145KB
MD5: 633510bbd5a86789fc7e0c3b3a45f33e
SHA1: 7a7927eda78fa6ee401c34a1ffc07a0cf081a363
SHA256: 49c9bf332c2ca47355dc1ebca0d8b2d7ac9f6c9201ef5bb3bfdfae15d8dec25d
SHA512: c71f4c106ea271e953cd922eb8878b9789ecd1db7882813b697cf400bd36b3b8f70e87e61b6791d1c98d93afd6715465cd16a8479eb245d56c7e81569f8a9933
-
Filesize: 145KB
MD5: 2182e2b5a0ee539c29f1476ced3945aa
SHA1: bcd4ce4c503d7e5b4bf1f2d00944bc5e9e74bcae
SHA256: 19793e7f6bde3a724b5f4a4142e1030f2bd581a5c20f8736181713399290dbe1
SHA512: 1f12c33ae113fd83777a6ee0767a2b3caaca908ceeb97fe07fd267fd45d78c7f77373694741b199f61ab239936720fcd5585eddd183ea5535099b1161c319f2c
-
Filesize: 145KB
MD5: 8ca7fd368e196de5f535bc3f04bc13eb
SHA1: b6ccc8bfbbdc351fd9396dce713bacf136857105
SHA256: abbbab72654c7f58473a8c33f63e684938f6a3e1da346030b0e4249cddb0c6dd
SHA512: d50c9e7b3d302f28884c934cc67a113c1e81643457a24ab0833544d79267440efda110a91740b1996ec14aa0707ea2be2c9db83c041ee29b4f77c62c25ace61f
-
Filesize: 145KB
MD5: 733ab7bb6a01a2c24114ac103892e323
SHA1: b3288abcf4ac3f05524a8227a646193bb2512b8f
SHA256: 5608e2e4ee633dbbeb2a609fbd3b9fd07935d12ac7376480cf71fa3e8a179715
SHA512: 1cc36c32e92806e5f1847c41ea3564a6e10ca179c468c11e46de3b5049db1886cc6a6c9d7ed9e42e054dad1d8613d004c0a86551d3be9e2339bafebae6c5b7e0
-
Filesize: 1.4MB
MD5: d6b05020d4a0ec2a3a8b687099e335df
SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize: 145KB
MD5: 539bd0b68837c20d3de4b981438e2f7d
SHA1: 7eadd68e8bd626d22fd1f377a80ccb442a718ac1
SHA256: 2c0a34d11272be4b0ac7782d8af2b424cd2963ed79a5e88062bd0f0ee5421580
SHA512: 06febb93b64420c0307b7a180b06d47679ce9ddd1064624430155343e0681967e21a0ab5ff7d5d6715542f1a9c279c9c570d401a66f8c0f0d3eb5d6010bf9a2e
-
Filesize: 145KB
MD5: 2a66c2723852b380204d7b7e3da8fc78
SHA1: 0ef0cf42fca1e30e12f78ba50240c85e2ea78d32
SHA256: aa0166fa461dd5e065c1d814e65eb93429c1a144a9d9d122330b851042efdc42
SHA512: 46be6f3cc4eab1161febc3ba3392b652bd67088736381204899aadc6fdc3cf6d1948cc8daadb043abf5cc42fdb83faa5eb17c5ccd224f954db6b2d99389f729a
-
Filesize: 145KB
MD5: 451bd9b4668ecac963768bd123813464
SHA1: 64ce9413815b970eae1287ecbd66e3ddf5064a8f
SHA256: 41474114181d73f1d0e875986046b2d38243241cedd90919fa18e87bb3ca87fe
SHA512: 44be9d51802a1b48ad7c3ee835dc6628c38168b7cb47d7b1ec04a9d834df9a657d40290562e4c412d86bf341ebab92cf36c72811f2f07627d8ed8a683352044a
-
Filesize: 145KB
MD5: f7c894aa05ba47003327c73f655561ea
SHA1: b1be89c16d23f853bffb043c14c9c4cdd51e38d5
SHA256: 497ec547110474f0e5da2d1439ea7e42e4a07fa02a1350daa63835f8a0133d5f
SHA512: 897605d81aee63d5c6b909c70c45a6d777d4a1efe141cb924722743ccaaf467643d4541f5a626f4fa6365cf53a6befceb5c9e22db5991208c922186c2c0a3d74
-
Filesize: 145KB
MD5: ff2fc709ddfd52e98369d0a54d054fc1
SHA1: 592c4cc7903039edd0cca488fab41025c4e90b09
SHA256: 21d3c036e3de347c46f199b13bc2635a56145e0ad3ca7343733c3ef925c2929c
SHA512: dc785f0ddb93490331b9f717bcfcbdcc0ec61bafbc0cfe1bdabf39135ef96ee7b397d71a146090e3dc5b070395d10fb5aa97152512a1802296271bc64c8c5b25
-
Filesize: 65B
MD5: 64acfa7e03b01f48294cf30d201a0026
SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize: 145KB
MD5: 3a3e7d374c313bea5ed152eb0c4b95ac
SHA1: 70d8c7e2695d5dc06bf76902572a4c65d4bbc6c6
SHA256: b478793543ba58d50f33043c2ceec495b40d84225d9532e93a5e826dd744aba3
SHA512: 9e51617439bf3478906dae7d3d8a99b0934fc9f5f9d2457ad026fd1c89fb11b740a3f329d8b09ffee317474f52bc14b141fa80df8560d67860cb7cd21e98ac0f
-
Filesize: 145KB
MD5: d4958bb437ea95e974e60e713c55d3f7
SHA1: 644233d244cf571c856df22f9f430218f114d3c6
SHA256: bccb49124991ad6f3551c985be2cbc7c94dbfa0e03ab6b34abd621bf708358e5
SHA512: ce1e2f60e8d3310e5c83c626d3a2024e8c6bd5f398e184485cb31a61027c57021eaab803f527e74a5fb00ddcb4b5c6b88f4b4e681b0be041743b16fa4d07b154
-
Filesize: 145KB
MD5: 9a8ded540a19c9782d578917f27d07ed
SHA1: 2a4af2151b1c6dd4b46ab6ec58e76f85d5889cf7
SHA256: 3d5b652fe6a3386ac3973c922ecab75071bfb1692745b63e50f5a0c17dc6c52b
SHA512: 9b4fecab736cfa86b997379043919adfaa7586db865e8d3b15b2c62c90a406f837b4f4aec3907a0b9f944ff655f2529d30cd58812d3c9188aabfb1563a585a1a
-
Filesize: 145KB
MD5: 7dcd365dbb501e43e07ef4912d2f0b03
SHA1: 925671b0bbec96371a55f17a85099d03648b1c6e
SHA256: 1a0cfff63045f29ffab2404d5abf830e123fcbf3ac67329530fcc4223b49fd01
SHA512: 6d1e8eb6a6b102a29973205cfd772ef8c666e09db64717b8b63101a119548bd6de3e2354ae990e299c12f8d97f5387169f4ed5858a4da8f6d4c48b87107f1a36
-
Filesize: 145KB
MD5: 37008e8edf75ccaf2dbfd820acf3cbfe
SHA1: 0aaf9e8f07e52ebe86cf002c6cb2f0c3c623acff
SHA256: cfef49fe33e0c920f86384c63f18f7e5d4f560b43a6d69cf80c0e41887ab0acf
SHA512: 30cccf37cb797014972953132b0638c77c57d0bd26febbaf2601b6de30df4ca5a6862bc8db4b95d0363cf2d308d8b8468c6c95e813ea167a71a2ed9244b93737
-
Filesize: 145KB
MD5: 385c2cef8b4098d27641600853abc0d6
SHA1: 12ce3789e7731f37fa081873a3d1771820b63989
SHA256: 75b59da2ddb117d15ac97cc46ac2b967ac20b740791223b298f20989b1c99636
SHA512: 89fbcdf71e25a87a15b583d0ac24a2118b0179ac8e10fa2931f7f5f3099b32449214bc0e18453025a8adaba7dc97fdedba55ab7cdd944124f063d0a1c3b86cf7
-
Filesize: 145KB
MD5: 39a702409c2cf297834eea43d0c9773d
SHA1: addf1c89fd11dc3d4ef5f2bedfd90bae1dcca082
SHA256: c03e73987b43dca5d51c7745fe2519bf0105cd4d1cf9c4ef25c19b95878a9c17
SHA512: 02e06f9c768b7b45b9b115164caa43b3f7f29b937f2b6cf8c84d24d2159a92ea60ef21829104e492059b17022f0275e7f11cbccbcddcbd3e6bac6376ffb02b63
-
Filesize: 145KB
MD5: f5a21dd6eb0ab1a8ca03b568bb7e51ae
SHA1: 9a4e9d0856a1ee7ae58d2071aeb7d258ede1aa0f
SHA256: 001ca731f696c1289eac2706d26e8c839963040ca5aa7acf463548de6c51d805
SHA512: 23e938066f72989a31aaf8a4dd52f52d7b9356f44899f2738d9e6a84e5e565757a570157973136625fd243e771d4a51538bf9cf074adfba78f233cd41ab1502c
-
Filesize: 1.4MB
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a