Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2024 02:18

General

  • Target

    d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe

  • Size

    66KB

  • MD5

    b0dc6f177e107542de822e68deab2fce

  • SHA1

    ab08cabec8fa3351bb9f8468c974ec77382e55b6

  • SHA256

    d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea

  • SHA512

    2f83891a0f803c34fe45c3ce016337c409eb86619ec163a04d93087a7cd3640de6278650fb42fe7eb90a2bea7b715e5fb757b705a31259d144d4192e916dacf9

  • SSDEEP

    1536:N7OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJh:NV5998K3WQ8fjEXKgZfnhfxuh

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
    "C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3144
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2464
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3632
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3528
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2628
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4912
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4368
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2524
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2112
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3336
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2200
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3940
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1216
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2024
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2604
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1512
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3584
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1032
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4852
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4896
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3404
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2800
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4356
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2188
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2892
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4804
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3904
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:180
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4988
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2712
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4996
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:748
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4796
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1460
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4944
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3332
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1460
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2760
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2824
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1076
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1048
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2636
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4048
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3064
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5080
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2276
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4356
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:892
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4424
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2592
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2888
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2828
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2368
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1956
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2788
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4496
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3424
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3428
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2764
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3908
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1428
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4356
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4352
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3340
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3440
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2712
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Gaara games - Naruto.exe

    Filesize

    66KB

    MD5

    5a23920559e53f8a5967308e32938097

    SHA1

    91e49d205a57670541f9b685f80fb157d8330c69

    SHA256

    cc65abe6f00896cf3868ba5f22a74ce56d6eb58803d84280866638674f03d34d

    SHA512

    bdcbd005f60d574357e1d2969b3a8232951617a953f4c26ea5fa1b8cbd188ea1ccfab962d70d870021af61319a5986521e059b538b6a1260277d0b04f95ccb60

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Gaara.exe

    Filesize

    66KB

    MD5

    b0dc6f177e107542de822e68deab2fce

    SHA1

    ab08cabec8fa3351bb9f8468c974ec77382e55b6

    SHA256

    d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea

    SHA512

    2f83891a0f803c34fe45c3ce016337c409eb86619ec163a04d93087a7cd3640de6278650fb42fe7eb90a2bea7b715e5fb757b705a31259d144d4192e916dacf9

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

    Filesize

    66KB

    MD5

    c182c845aa415d188c65e62548ca3f8d

    SHA1

    229bd426b0defc241b65a59fcba629c4e4e987f7

    SHA256

    6fee297a5fedc80f13a44435c939cdcd39f6b6753db10ff54f9f63e2651644dd

    SHA512

    d23bc82d60afd7914587b102d10e8ecf63adca48c8a8910c688b063ef60bd40c9d36356de3bcdb6e9c8e66eb3ad6e42e22d0e805fd70c6e610f53892c29d1085

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    66KB

    MD5

    aa6ddf1639a5fa93ded878abd1937023

    SHA1

    aa14a246febd5e65b1ffdcfd192825d321108ab5

    SHA256

    9b301b16f0bb2a3ff0581220f3aa9ead7d7728f2374883e598f3bab5a76ea875

    SHA512

    75dd7cb99f29883085f5dc7e97172ff04a0e02d22942fda6fd1ad5d09351204b15e05323b18da0cf6968b44890f7a445f16f6570cd6e35f5d299855b3cc658f0

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    66KB

    MD5

    ca08da018b5b8a8ea7645d5ff893a73f

    SHA1

    cd6d8052bcaabc292939fe334fddb398f877f76d

    SHA256

    a96ec311e183697635dd26b9cc7e7f2864844b85c5eb2e8d4b858337f0ec79da

    SHA512

    930ae775a32846a4b1ca2e6726fc60d219fbb72cc034d0051cddc730c852385c0c111811870c40443f9372dbe65a2dd43c739112df3cf89d35576b79f0ce51de

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

    Filesize

    66KB

    MD5

    934d5899ad717e8964c0f311b60bbbba

    SHA1

    92162dd7ab61e54939ccf93727df207827a71d64

    SHA256

    e0bff0d8906287d87e95caa9ba86cf7d70ae9e73057d5f546c4649c8ab313c79

    SHA512

    210c77fa28eb63dc40f566b3a55e141fe3c497df87e102b703d3784547aab1f7993a49b9ea0fd0668f36a86774d560f7f202f81f91ddbab268fa86d6e27838c4

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    66KB

    MD5

    7616d8bbe830c25c935238dc07aed48d

    SHA1

    5282acce5f742ea1061c3c67fe7d1cff6369dcd6

    SHA256

    881f65bb9c32ca12de57bb02b75b583f0c5461d192a36741933aaa83d799e9b5

    SHA512

    7e7cc96909660bdbc45662c31c2bf40134ed3173028983166323497f8b8cd671036bf3592396787be5d29c2148b6c5db0768ccd23a1b7711ba6dd82f7dbc1afb

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    66KB

    MD5

    362e13537acb9afa360fb56a06cd76a3

    SHA1

    7b3c8e4f9a0cee8bb4fb098abb191245cab88e0c

    SHA256

    07f2f0bbc35bafeb317e62047e7fadc225fcd358e418ac9f62351b3cd37b1a45

    SHA512

    957cd38334b6fd9c44a2d9b1c6ab54d3e8e8bb6a106180787821942815d40a391bae67faf881b0a86c098918233293b8ed560188cb674cf1dd543e8b28c70c4f

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    66KB

    MD5

    83a5cd0bddffd073cf24fd20945c6143

    SHA1

    3d6ffc9d4cdc8aac5eaf18f9519a415bc3aec0b0

    SHA256

    6eaec0595d9e132c3003b4eba86c0e6221ed4cb4011799e4069ced8ada50a2cc

    SHA512

    f772f8bb13bd040edd2a7784b97c37d4000b9450734197224b31ca5f134fde04f33f5da75f55186bc272cdd900bb2fbeae8ea7b3cf05904e9f11c1a33e346c5c

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    66KB

    MD5

    65b4a1d1752c8e2a584de087f70c8ac9

    SHA1

    ca0de370a1331ac3756eb23660865db200c33582

    SHA256

    b2b8c46b57b5afb6503251d0577de12ef0198331c7080f00bd860a6550c945cc

    SHA512

    0171a3761bca560d1370c022d0e015f83ba312693e26b22684e9cb709abb4b5ec7b0be0dcaac388f1b5b67161292dfa66264b0f45609da98c417eb9ca96d79ff

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    de2a4687eb4fc20ffbf8cc1646317574

    SHA1

    b20c9dba933755613820f58f0d88de5bb260fd79

    SHA256

    54d4deca00cc9100d1c8545df20593d421f57d619a85338646b4c48def2547b1

    SHA512

    8fba33056d749413b2dfb54a7964f6c11ac4dba9c2b64b5c481a3d7ba23ea4601aa790f226da2e16ef99f55faaaa71ecd22e1984c07852256b0b83ba828138a1

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    7012d86e36776a7da066bf46232c2f30

    SHA1

    f3f2188247f399b2e205cf6f54775b22cd936fad

    SHA256

    7b89a6389c8d4d0a7bcba3f18ce4fb12c5c48e50bef2fa67777204b96cad227a

    SHA512

    0d5a579b7e434a3dac58f598798c06ebf8061688690652a72045d01d29daa178dc4462da01f73e565369c2af8e9727daa3ec99f57ba8acb8993b4f88d2717410

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    aa24d3b0093cd5fc3fd31eaeeeaf1b1e

    SHA1

    42589fdfb114586d6b48ca14147a8287feb3f6b2

    SHA256

    6718d49fa6317848066e095d7a62b234b0e3f691fc58f02764751182bdd3968d

    SHA512

    63fd8a2ed4331b652dc8fbc0967a2ffedbe05a04ef0865eaaa81c8fe0d2a0d7a321a41988de2a4d3fb1f57a3ca28bd35a5a0eaff2dd4e803393f6c5d301f9a6a

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    41f23cddf61b10454dd2547babc78a18

    SHA1

    0294cf2eb5a6eef563056dd5975d9a454bdf05df

    SHA256

    0ffa16fb553d47194ced97e7aed4ca16b58855b76087e97ff430cf5937e826ab

    SHA512

    d0ad97c9478778a0242d4c364d055196ed0a697a18ab8117ba003f9815d15ffc560ff9995dfd5afaa9ba77b4cc2510c46f2477c5fd39dc50e69832988050b9c1

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    c3030f35bd25999fbf6d4484f65d3b23

    SHA1

    f20182d390f2b5a37509206571b4d682a58b0c53

    SHA256

    26950a076ccd1bbdffb6f2dcfbb064a32281af14dd437b4af48b3257eeb3bd30

    SHA512

    b362ac5bc71d1c43b96f7eca34ddfaeb4824b431a28264d4d3d9c523888a796fff93ed7206d596aa8c284b7f39074b844505a1107a039b5f981d35f7a0a2bb38

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    b1509de054e3ceef2c298f8b91718c2e

    SHA1

    93abe9f56c69bfa750b77798b8d1c37d0bb15cc8

    SHA256

    2e731bda5565adc557b4327c203a9394fc7166244424b7e4791423ae0cee8d2d

    SHA512

    5a291ada83930c87b66d8357b3b002f76e4aabc2f13eeccfa11e4a9901f84496330d59a39f2cf109373bd3a5f529a90c69b3e0241419f8c73332200b72e6dba0

  • C:\Windows\System\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • memory/1032-244-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1048-268-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1216-205-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1428-300-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1460-262-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1512-306-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1512-275-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1512-218-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1512-584-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2024-210-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2112-161-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2200-536-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2200-305-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2200-251-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2200-168-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2464-580-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2464-302-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2464-192-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2464-32-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2524-155-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2592-280-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2604-217-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2628-114-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2636-272-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2764-292-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2888-284-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3144-368-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3144-301-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3144-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3144-166-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3336-169-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3404-252-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3404-258-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3428-288-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3528-452-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3528-75-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3528-204-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3528-303-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3584-240-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3632-81-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3632-70-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3908-296-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3940-199-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4368-304-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4368-121-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4368-236-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4368-494-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4424-276-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4852-248-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4896-254-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4912-118-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB