Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2024, 22:56
Static task: static1
Behavioral task: behavioral1
  Sample: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
  Resource: win10v2004-20241007-en
General
Target: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Size: 145KB
MD5: 6e0a5bad73ddf8b05ea69aa6775df2a3
SHA1: 7185cfa795b13bfca5213af466aacc0ff4145968
SHA256: 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34
SHA512: 58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b
SSDEEP: 1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Executes dropped EXE 30 IoCs
pid | Process
2724 | smss.exe
2900 | smss.exe
528 | Gaara.exe
1268 | smss.exe
2520 | Gaara.exe
3056 | csrss.exe
2492 | smss.exe
2032 | Gaara.exe
1988 | csrss.exe
2316 | Kazekage.exe
1760 | smss.exe
872 | Gaara.exe
1848 | csrss.exe
2180 | Kazekage.exe
1068 | system32.exe
1652 | smss.exe
1524 | Gaara.exe
1336 | csrss.exe
2064 | Kazekage.exe
1060 | system32.exe
648 | system32.exe
2600 | Kazekage.exe
2000 | system32.exe
1920 | csrss.exe
2332 | Kazekage.exe
1252 | system32.exe
704 | Gaara.exe
2964 | csrss.exe
2616 | Kazekage.exe
2800 | system32.exe
Loads dropped DLL 62 IoCs
pid | Process
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
2724 | smss.exe
2724 | smss.exe
2900 | smss.exe
2724 | smss.exe
2724 | smss.exe
528 | Gaara.exe
528 | Gaara.exe
528 | Gaara.exe
1268 | smss.exe
2520 | Gaara.exe
528 | Gaara.exe
528 | Gaara.exe
3056 | csrss.exe
3056 | csrss.exe
2492 | smss.exe
3056 | csrss.exe
2032 | Gaara.exe
1988 | csrss.exe
3056 | csrss.exe
3056 | csrss.exe
2316 | Kazekage.exe
1760 | smss.exe
2316 | Kazekage.exe
872 | Gaara.exe
2316 | Kazekage.exe
1848 | csrss.exe
2316 | Kazekage.exe
2316 | Kazekage.exe
2316 | Kazekage.exe
2316 | Kazekage.exe
1068 | system32.exe
1652 | smss.exe
1068 | system32.exe
1524 | Gaara.exe
1068 | system32.exe
1336 | csrss.exe
1068 | system32.exe
1068 | system32.exe
1068 | system32.exe
1068 | system32.exe
3056 | csrss.exe
3056 | csrss.exe
528 | Gaara.exe
528 | Gaara.exe
528 | Gaara.exe
528 | Gaara.exe
2724 | smss.exe
1920 | csrss.exe
2724 | smss.exe
2724 | smss.exe
2724 | smss.exe
2724 | smss.exe
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
704 | Gaara.exe
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
2964 | csrss.exe
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
2956 | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Kazekage.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\K:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\H:\Desktop.ini | smss.exe
File opened for modification | \??\Q:\Desktop.ini | smss.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\I:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\Q:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\U:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\S:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | \??\H:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\B:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | system32.exe
File opened for modification | \??\U:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\J:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\L:\Desktop.ini | Gaara.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\B:\Desktop.ini | Gaara.exe
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\S:\Desktop.ini | system32.exe
File opened for modification | \??\J:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\X:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | \??\W:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\V:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\N:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | Gaara.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\M:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\A:\Desktop.ini | smss.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\T: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\E: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\K: | Kazekage.exe
File opened (read-only) | \??\E: | system32.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\V: | smss.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\M: | system32.exe
File opened (read-only) | \??\G: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\I: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\B: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\L: | csrss.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\P: | system32.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\Q: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\M: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\P: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\S: | smss.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\Z: | system32.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\Z: | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\W: | csrss.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\W:\Autorun.inf | csrss.exe
File opened for modification | \??\O:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | D:\Autorun.inf | smss.exe
File created | \??\O:\Autorun.inf | smss.exe
File created | \??\T:\Autorun.inf | Gaara.exe
File created | \??\L:\Autorun.inf | Kazekage.exe
File created | \??\T:\Autorun.inf | system32.exe
File created | \??\Y:\Autorun.inf | system32.exe
File opened for modification | C:\Autorun.inf | Gaara.exe
File created | \??\Y:\Autorun.inf | csrss.exe
File opened for modification | \??\B:\Autorun.inf | system32.exe
File opened for modification | \??\U:\Autorun.inf | system32.exe
File opened for modification | \??\J:\Autorun.inf | system32.exe
File created | \??\R:\Autorun.inf | system32.exe
File created | \??\S:\Autorun.inf | Kazekage.exe
File created | \??\H:\Autorun.inf | csrss.exe
File created | \??\Q:\Autorun.inf | Kazekage.exe
File opened for modification | \??\V:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | \??\Q:\Autorun.inf | Gaara.exe
File opened for modification | \??\W:\Autorun.inf | Gaara.exe
File created | \??\E:\Autorun.inf | smss.exe
File opened for modification | \??\O:\Autorun.inf | csrss.exe
File created | \??\E:\Autorun.inf | Kazekage.exe
File opened for modification | \??\K:\Autorun.inf | system32.exe
File created | \??\M:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | \??\T:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | \??\B:\Autorun.inf | Kazekage.exe
File opened for modification | \??\M:\Autorun.inf | Kazekage.exe
File created | \??\U:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | \??\M:\Autorun.inf | smss.exe
File opened for modification | D:\Autorun.inf | csrss.exe
File opened for modification | \??\M:\Autorun.inf | csrss.exe
File opened for modification | \??\H:\Autorun.inf | system32.exe
File opened for modification | \??\T:\Autorun.inf | Kazekage.exe
File opened for modification | \??\H:\Autorun.inf | smss.exe
File opened for modification | \??\K:\Autorun.inf | smss.exe
File created | \??\Q:\Autorun.inf | smss.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File created | C:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | \??\X:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | \??\P:\Autorun.inf | smss.exe
File opened for modification | \??\T:\Autorun.inf | csrss.exe
File created | \??\M:\Autorun.inf | Kazekage.exe
File created | \??\L:\Autorun.inf | system32.exe
File created | \??\N:\Autorun.inf | system32.exe
File created | \??\R:\Autorun.inf | Kazekage.exe
File opened for modification | F:\Autorun.inf | smss.exe
File created | \??\K:\Autorun.inf | smss.exe
File opened for modification | \??\S:\Autorun.inf | Gaara.exe
File created | \??\J:\Autorun.inf | csrss.exe
File opened for modification | \??\L:\Autorun.inf | Kazekage.exe
File opened for modification | \??\O:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Q:\Autorun.inf | system32.exe
File created | \??\U:\Autorun.inf | system32.exe
File opened for modification | \??\Q:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | \??\E:\Autorun.inf | csrss.exe
File created | \??\Z:\Autorun.inf | csrss.exe
File created | \??\S:\Autorun.inf | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | \??\J:\Autorun.inf | smss.exe
File opened for modification | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\H:\Autorun.inf | csrss.exe
File created | \??\I:\Autorun.inf | Kazekage.exe
File created | \??\K:\Autorun.inf | Kazekage.exe
File created | \??\T:\Autorun.inf | Kazekage.exe
Drops file in System32 directory 38 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\ | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\20-10-2024.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File opened for modification | C:\Windows\mscomctl.ocx | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File created | C:\Windows\mscomctl.ocx | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | system32.exe
File created | C:\Windows\system\msvbvm60.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | smss.exe
File opened for modification | C:\Windows\ | Gaara.exe
File created | C:\Windows\Fonts\The Kazekage.jpg | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\system\mscoree.dll | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\ | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1680 | ping.exe
984 | ping.exe
2164 | ping.exe
2248 | ping.exe
1904 | ping.exe
2068 | ping.exe
2760 | ping.exe
424 | ping.exe
3064 | ping.exe
2180 | ping.exe
1936 | ping.exe
1556 | ping.exe
1484 | ping.exe
920 | ping.exe
2204 | ping.exe
2604 | ping.exe
1544 | ping.exe
2020 | ping.exe
580 | ping.exe
1640 | ping.exe
1888 | ping.exe
2964 | ping.exe
1188 | ping.exe
2144 | ping.exe
2772 | ping.exe
2780 | ping.exe
1056 | ping.exe
2136 | ping.exe
1508 | ping.exe
1800 | ping.exe
2272 | ping.exe
2096 | ping.exe
1768 | ping.exe
1680 | ping.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Modifies registry class 48 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  smss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  smss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  Kazekage.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  Kazekage.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"  Gaara.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"  Kazekage.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"  system32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"  system32.exe
Runs ping.exe 1 TTPs 34 IoCs
pid  Process
All 34 entries are ping.exe, PIDs in report order: 1544, 2180, 1904, 1800, 2604, 2020, 1484, 984, 2068, 1888, 1056, 1640, 1680, 2272, 2760, 2780, 2096, 2144, 1768, 2964, 1680, 1508, 2204, 580, 2164, 1556, 2248, 2136, 920, 3064, 1188, 424, 1936, 2772
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (identical consecutive rows collapsed with a count)
2956  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  x12
2724  smss.exe  x12
528  Gaara.exe  x12
3056  csrss.exe  x12
2316  Kazekage.exe  x12
1068  system32.exe  x4
Suspicious use of SetWindowsHookEx 31 IoCs
pid  Process
2956  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
2724  smss.exe
2900  smss.exe
528  Gaara.exe
1268  smss.exe
2520  Gaara.exe
3056  csrss.exe
2492  smss.exe
2032  Gaara.exe
1988  csrss.exe
2316  Kazekage.exe
1760  smss.exe
872  Gaara.exe
1848  csrss.exe
2180  Kazekage.exe
1068  system32.exe
1652  smss.exe
1524  Gaara.exe
1336  csrss.exe
2064  Kazekage.exe
1060  system32.exe
648  system32.exe
2600  Kazekage.exe
2000  system32.exe
1920  csrss.exe
2332  Kazekage.exe
1252  system32.exe
704  Gaara.exe
2964  csrss.exe
2616  Kazekage.exe
2800  system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (each row is recorded four times in the report; collapsed with a count)
PID 2956 wrote to memory of 2724  2956  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  30  x4
PID 2724 wrote to memory of 2900  2724  smss.exe  31  x4
PID 2724 wrote to memory of 528  2724  smss.exe  32  x4
PID 528 wrote to memory of 1268  528  Gaara.exe  33  x4
PID 528 wrote to memory of 2520  528  Gaara.exe  34  x4
PID 528 wrote to memory of 3056  528  Gaara.exe  35  x4
PID 3056 wrote to memory of 2492  3056  csrss.exe  36  x4
PID 3056 wrote to memory of 2032  3056  csrss.exe  37  x4
PID 3056 wrote to memory of 1988  3056  csrss.exe  38  x4
PID 3056 wrote to memory of 2316  3056  csrss.exe  39  x4
PID 2316 wrote to memory of 1760  2316  Kazekage.exe  40  x4
PID 2316 wrote to memory of 872  2316  Kazekage.exe  41  x4
PID 2316 wrote to memory of 1848  2316  Kazekage.exe  42  x4
PID 2316 wrote to memory of 2180  2316  Kazekage.exe  43  x4
PID 2316 wrote to memory of 1068  2316  Kazekage.exe  44  x4
PID 1068 wrote to memory of 1652  1068  system32.exe  45  x4
System policy modification 1 TTPs 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  smss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Gaara.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Kazekage.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Kazekage.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  system32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  system32.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  smss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Gaara.exe
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, PID, command line and the signatures it triggered):
- C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe  (PID 2956)  command line: "C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; UAC bypass; Disables RegEdit via registry modification; Drops file in Drivers directory; Event Triggered Execution: Image File Execution Options Injection; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  (PID 2724)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; UAC bypass; Disables RegEdit via registry modification; Drops file in Drivers directory; Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  (PID 2900)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  (PID 528)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; UAC bypass; Disables RegEdit via registry modification; Drops file in Drivers directory; Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  (PID 1268)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  (PID 2520)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  (PID 3056)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; UAC bypass; Disables RegEdit via registry modification; Drops file in Drivers directory; Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  (PID 2492)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  (PID 2032)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  (PID 1988)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\drivers\Kazekage.exe  (PID 2316)  command line: C:\Windows\system32\drivers\Kazekage.exe
          Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; UAC bypass; Disables RegEdit via registry modification; Drops file in Drivers directory; Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
          - C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  (PID 1760)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  (PID 872)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  (PID 1848)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\drivers\Kazekage.exe  (PID 2180)  command line: C:\Windows\system32\drivers\Kazekage.exe
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\drivers\system32.exe  (PID 1068)  command line: C:\Windows\system32\drivers\system32.exe
            Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; UAC bypass; Disables RegEdit via registry modification; Drops file in Drivers directory; Event Triggered Execution: Image File Execution Options Injection; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
            - C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe  (PID 1652)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            - C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  (PID 1524)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            - C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  (PID 1336)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            - C:\Windows\SysWOW64\drivers\Kazekage.exe  (PID 2064)  command line: C:\Windows\system32\drivers\Kazekage.exe
              Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            - C:\Windows\SysWOW64\drivers\system32.exe  (PID 1060)  command line: C:\Windows\system32\drivers\system32.exe
              Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
            - C:\Windows\SysWOW64\ping.exe  (PID 1800)  command line: ping -a -l www.rasasayang.com.my 65500
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            - C:\Windows\SysWOW64\ping.exe  (PID 2068)  command line: ping -a -l www.duniasex.com 65500
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            - C:\Windows\SysWOW64\ping.exe  (PID 2096)  command line: ping -a -l www.rasasayang.com.my 65500
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            - C:\Windows\SysWOW64\ping.exe  (PID 1056)  command line: ping -a -l www.duniasex.com 65500
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            - C:\Windows\SysWOW64\ping.exe  (PID 2180)  command line: ping -a -l www.rasasayang.com.my 65500
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            - C:\Windows\SysWOW64\ping.exe  (PID 1508)  command line: ping -a -l www.duniasex.com 65500
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          - C:\Windows\SysWOW64\ping.exe  (PID 1768)  command line: ping -a -l www.rasasayang.com.my 65500
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          - C:\Windows\SysWOW64\ping.exe  (PID 1888)  command line: ping -a -l www.duniasex.com 65500
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          - C:\Windows\SysWOW64\ping.exe  (PID 424)  command line: ping -a -l www.rasasayang.com.my 65500
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          - C:\Windows\SysWOW64\ping.exe  (PID 1188)  command line: ping -a -l www.duniasex.com 65500
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          - C:\Windows\SysWOW64\ping.exe  (PID 1936)  command line: ping -a -l www.rasasayang.com.my 65500
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          - C:\Windows\SysWOW64\ping.exe  (PID 1484)  command line: ping -a -l www.duniasex.com 65500
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        - C:\Windows\SysWOW64\drivers\system32.exe  (PID 648)  command line: C:\Windows\system32\drivers\system32.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\ping.exe  (PID 984)  command line: ping -a -l www.rasasayang.com.my 65500
          Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        - C:\Windows\SysWOW64\ping.exe  (PID 1640)  command line: ping -a -l www.duniasex.com 65500
          Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        - C:\Windows\SysWOW64\ping.exe  (PID 2772)  command line: ping -a -l www.rasasayang.com.my 65500
          Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        - C:\Windows\SysWOW64\ping.exe  (PID 2780)  command line: ping -a -l www.duniasex.com 65500
          Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Windows\SysWOW64\drivers\Kazekage.exe  (PID 2600)  command line: C:\Windows\system32\drivers\Kazekage.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\drivers\system32.exe  (PID 2000)  command line: C:\Windows\system32\drivers\system32.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\ping.exe  (PID 2204)  command line: ping -a -l www.rasasayang.com.my 65500
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Windows\SysWOW64\ping.exe  (PID 1680)  command line: ping -a -l www.duniasex.com 65500
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Windows\SysWOW64\ping.exe  (PID 2964)  command line: ping -a -l www.rasasayang.com.my 65500
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Windows\SysWOW64\ping.exe  (PID 2604)  command line: ping -a -l www.duniasex.com 65500
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Windows\SysWOW64\ping.exe  (PID 2020)  command line: ping -a -l www.rasasayang.com.my 65500
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Windows\SysWOW64\ping.exe  (PID 2136)  command line: ping -a -l www.duniasex.com 65500
        Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  (PID 1920)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\drivers\Kazekage.exe  (PID 2332)  command line: C:\Windows\system32\drivers\Kazekage.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\drivers\system32.exe  (PID 1252)  command line: C:\Windows\system32\drivers\system32.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\ping.exe  (PID 2144)  command line: ping -a -l www.rasasayang.com.my 65500
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Windows\SysWOW64\ping.exe  (PID 1904)  command line: ping -a -l www.duniasex.com 65500
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Windows\SysWOW64\ping.exe  (PID 1556)  command line: ping -a -l www.rasasayang.com.my 65500
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Windows\SysWOW64\ping.exe  (PID 2760)  command line: ping -a -l www.duniasex.com 65500
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Windows\SysWOW64\ping.exe  (PID 2248)  command line: ping -a -l www.rasasayang.com.my 65500
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Windows\SysWOW64\ping.exe  (PID 1680)  command line: ping -a -l www.duniasex.com 65500
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe  (PID 704)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe  (PID 2964)  command line: "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\drivers\Kazekage.exe  (PID 2616)  command line: C:\Windows\system32\drivers\Kazekage.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\drivers\system32.exe  (PID 2800)  command line: C:\Windows\system32\drivers\system32.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\ping.exe  (PID 920)  command line: ping -a -l www.rasasayang.com.my 65500
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe  (PID 580)  command line: ping -a -l www.duniasex.com 65500
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe  (PID 2164)  command line: ping -a -l www.rasasayang.com.my 65500
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe  (PID 2272)  command line: ping -a -l www.duniasex.com 65500
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe  (PID 1544)  command line: ping -a -l www.rasasayang.com.my 65500
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  - C:\Windows\SysWOW64\ping.exe  (PID 3064)  command line: ping -a -l www.duniasex.com 65500
    Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads