Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2024 02:18
Behavioral task: behavioral1
- Sample: d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
- Resource: win10v2004-20241007-en
General
- Target: d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
- Size: 66KB
- MD5: b0dc6f177e107542de822e68deab2fce
- SHA1: ab08cabec8fa3351bb9f8468c974ec77382e55b6
- SHA256: d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea
- SHA512: 2f83891a0f803c34fe45c3ce016337c409eb86619ec163a04d93087a7cd3640de6278650fb42fe7eb90a2bea7b715e5fb757b705a31259d144d4192e916dacf9
- SSDEEP: 1536:N7OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJh:NV5998K3WQ8fjEXKgZfnhfxuh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Executes dropped EXE (30 IoCs)
pid | Process
2464 | smss.exe
3632 | smss.exe
3528 | Gaara.exe
2628 | smss.exe
4912 | Gaara.exe
4368 | csrss.exe
2524 | smss.exe
2112 | Gaara.exe
3336 | csrss.exe
2200 | Kazekage.exe
3940 | smss.exe
1216 | Gaara.exe
2024 | csrss.exe
2604 | Kazekage.exe
1512 | system32.exe
3584 | smss.exe
1032 | Gaara.exe
4852 | csrss.exe
4896 | Kazekage.exe
3404 | system32.exe
1460 | system32.exe
1048 | Kazekage.exe
2636 | system32.exe
4424 | csrss.exe
2592 | Kazekage.exe
2888 | system32.exe
3428 | Gaara.exe
2764 | csrss.exe
3908 | Kazekage.exe
1428 | system32.exe
Loads dropped DLL (18 IoCs)
pid | Process
2464 | smss.exe
3632 | smss.exe
3528 | Gaara.exe
2628 | smss.exe
4912 | Gaara.exe
4368 | csrss.exe
2524 | smss.exe
2112 | Gaara.exe
3336 | csrss.exe
3940 | smss.exe
1216 | Gaara.exe
2024 | csrss.exe
3584 | smss.exe
1032 | Gaara.exe
4852 | csrss.exe
4424 | csrss.exe
3428 | Gaara.exe
2764 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 20 - 10 - 2024\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 20 - 10 - 2024\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "20-10-2024.exe" | Kazekage.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | \??\L:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\J:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\X:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | smss.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\E:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | system32.exe
File opened for modification | \??\S:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\E:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | D:\Desktop.ini | system32.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | \??\I:\Desktop.ini | system32.exe
File opened for modification | \??\V:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | F:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\H:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | system32.exe
File opened for modification | \??\B:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\O:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\Y:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\U:\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\O:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\K: | Gaara.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\R: | Gaara.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\X: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\L: | Gaara.exe
File opened (read-only) | \??\G: | Kazekage.exe
File opened (read-only) | \??\K: | system32.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\V: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\G: | smss.exe
File opened (read-only) | \??\Y: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\T: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\U: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\M: | system32.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\V: | smss.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\S: | csrss.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\J: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\O: | system32.exe
File opened (read-only) | \??\B: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\J: | Kazekage.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\T: | Gaara.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\Q: | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened (read-only) | \??\L: | csrss.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\L:\Autorun.inf | csrss.exe
File created | D:\Autorun.inf | system32.exe
File created | \??\W:\Autorun.inf | system32.exe
File created | \??\Z:\Autorun.inf | system32.exe
File created | \??\M:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Autorun.inf | Kazekage.exe
File created | \??\P:\Autorun.inf | Kazekage.exe
File opened for modification | \??\B:\Autorun.inf | system32.exe
File opened for modification | \??\H:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\B:\Autorun.inf | csrss.exe
File opened for modification | C:\Autorun.inf | system32.exe
File opened for modification | \??\Q:\Autorun.inf | csrss.exe
File created | \??\M:\Autorun.inf | Kazekage.exe
File opened for modification | \??\M:\Autorun.inf | system32.exe
File created | \??\S:\Autorun.inf | smss.exe
File opened for modification | F:\Autorun.inf | Gaara.exe
File created | \??\U:\Autorun.inf | Gaara.exe
File opened for modification | \??\W:\Autorun.inf | Gaara.exe
File opened for modification | D:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\M:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | D:\Autorun.inf | smss.exe
File opened for modification | \??\I:\Autorun.inf | smss.exe
File opened for modification | \??\S:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | Kazekage.exe
File opened for modification | \??\J:\Autorun.inf | system32.exe
File created | \??\R:\Autorun.inf | system32.exe
File created | \??\H:\Autorun.inf | smss.exe
File created | \??\M:\Autorun.inf | csrss.exe
File opened for modification | \??\U:\Autorun.inf | system32.exe
File opened for modification | \??\R:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\L:\Autorun.inf | smss.exe
File created | \??\O:\Autorun.inf | Gaara.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File opened for modification | \??\Z:\Autorun.inf | Kazekage.exe
File created | \??\S:\Autorun.inf | system32.exe
File opened for modification | \??\G:\Autorun.inf | smss.exe
File created | \??\I:\Autorun.inf | Gaara.exe
File opened for modification | \??\R:\Autorun.inf | Gaara.exe
File opened for modification | \??\S:\Autorun.inf | Gaara.exe
File opened for modification | \??\L:\Autorun.inf | system32.exe
File opened for modification | \??\O:\Autorun.inf | system32.exe
File created | \??\N:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\X:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | \??\I:\Autorun.inf | smss.exe
File created | D:\Autorun.inf | csrss.exe
File created | \??\K:\Autorun.inf | csrss.exe
File opened for modification | \??\P:\Autorun.inf | csrss.exe
File created | \??\E:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | \??\H:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\L:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | \??\Z:\Autorun.inf | smss.exe
File created | \??\R:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\Y:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | D:\Autorun.inf | Gaara.exe
File created | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\P:\Autorun.inf | smss.exe
File created | \??\T:\Autorun.inf | Gaara.exe
File created | \??\K:\Autorun.inf | system32.exe
File opened for modification | \??\J:\Autorun.inf | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | \??\J:\Autorun.inf | Kazekage.exe
File created | \??\P:\Autorun.inf | system32.exe
File opened for modification | \??\G:\Autorun.inf | csrss.exe
File opened for modification | \??\O:\Autorun.inf | csrss.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File created | C:\Windows\SysWOW64\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\20-10-2024.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\20-10-2024.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
resource | yara_rule
behavioral2/memory/3144-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2464-32-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023ca9-31.dat | upx
behavioral2/files/0x0007000000023cad-53.dat | upx
behavioral2/files/0x0007000000023cac-49.dat | upx
behavioral2/files/0x0007000000023cab-45.dat | upx
behavioral2/memory/3632-70-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023caa-41.dat | upx
behavioral2/memory/3528-75-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3632-81-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023cae-97.dat | upx
behavioral2/files/0x0007000000023cad-93.dat | upx
behavioral2/files/0x0007000000023cac-89.dat | upx
behavioral2/files/0x0007000000023cab-85.dat | upx
behavioral2/memory/2628-114-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4912-118-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4368-121-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023cac-129.dat | upx
behavioral2/files/0x0007000000023cae-137.dat | upx
behavioral2/files/0x0007000000023cad-133.dat | upx
behavioral2/memory/2524-155-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2112-161-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3336-169-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2200-168-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3144-166-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023cac-176.dat | upx
behavioral2/files/0x0007000000023cae-180.dat | upx
behavioral2/memory/2464-192-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3940-199-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3528-204-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1216-205-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2024-210-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1512-218-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2604-217-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4368-236-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3584-240-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1032-244-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4852-248-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2200-251-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4896-254-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3404-252-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3404-258-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1460-262-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1048-268-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2636-272-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4424-276-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1512-275-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2592-280-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2888-284-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3428-288-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2764-292-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3908-296-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1428-300-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3144-301-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3528-303-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2464-302-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4368-304-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2200-305-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/1512-306-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/files/0x0007000000023cd9-330.dat | upx
behavioral2/memory/3144-368-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/3528-452-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/4368-494-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral2/memory/2200-536-0x0000000000400000-0x000000000042A000-memory.dmp | upx
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\ | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
File created | C:\Windows\system\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\ | system32.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | system32.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\ | csrss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | system32.exe
File opened for modification | C:\Windows\ | Gaara.exe
File created | C:\Windows\msvbvm60.dll | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
File created | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe | Gaara.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4356 | ping.exe
3440 | ping.exe
5080 | ping.exe
2712 | ping.exe
2368 | ping.exe
2828 | ping.exe
3064 | ping.exe
3332 | ping.exe
892 | ping.exe
1076 | ping.exe
1956 | ping.exe
2760 | ping.exe
2892 | ping.exe
4496 | ping.exe
4352 | ping.exe
4048 | ping.exe
4944 | ping.exe
3340 | ping.exe
4356 | ping.exe
2788 | ping.exe
2276 | ping.exe
4996 | ping.exe
3600 | ping.exe
4796 | ping.exe
4988 | ping.exe
2800 | ping.exe
4804 | ping.exe
3904 | ping.exe
3424 | ping.exe
4356 | ping.exe
1460 | ping.exe
2188 | ping.exe
2712 | ping.exe
2824 | ping.exe
748 | ping.exe
180 | ping.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Modifies registry class 51 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe
Runs ping.exe 1 TTPs 36 IoCs
pid Process
4356 ping.exe
4944 ping.exe
4988 ping.exe
2892 ping.exe
3424 ping.exe
748 ping.exe
2368 ping.exe
3600 ping.exe
2828 ping.exe
4048 ping.exe
3064 ping.exe
2800 ping.exe
3440 ping.exe
2824 ping.exe
2712 ping.exe
180 ping.exe
3340 ping.exe
2788 ping.exe
4996 ping.exe
2712 ping.exe
4356 ping.exe
892 ping.exe
1076 ping.exe
4796 ping.exe
2188 ping.exe
4496 ping.exe
3332 ping.exe
4356 ping.exe
1956 ping.exe
5080 ping.exe
2276 ping.exe
4352 ping.exe
1460 ping.exe
2760 ping.exe
4804 ping.exe
3904 ping.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
3528 Gaara.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
4368 csrss.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
2200 Kazekage.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
3144 d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
2464 smss.exe
3632 smss.exe
3528 Gaara.exe
2628 smss.exe
4912 Gaara.exe
4368 csrss.exe
2524 smss.exe
2112 Gaara.exe
3336 csrss.exe
2200 Kazekage.exe
3940 smss.exe
1216 Gaara.exe
2024 csrss.exe
2604 Kazekage.exe
1512 system32.exe
3584 smss.exe
1032 Gaara.exe
4852 csrss.exe
4896 Kazekage.exe
3404 system32.exe
1460 system32.exe
1048 Kazekage.exe
2636 system32.exe
4424 csrss.exe
2592 Kazekage.exe
2888 system32.exe
3428 Gaara.exe
2764 csrss.exe
3908 Kazekage.exe
1428 system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3144 wrote to memory of 2464 3144 d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe 84
PID 3144 wrote to memory of 2464 3144 d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe 84
PID 3144 wrote to memory of 2464 3144 d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe 84
PID 2464 wrote to memory of 3632 2464 smss.exe 87
PID 2464 wrote to memory of 3632 2464 smss.exe 87
PID 2464 wrote to memory of 3632 2464 smss.exe 87
PID 2464 wrote to memory of 3528 2464 smss.exe 88
PID 2464 wrote to memory of 3528 2464 smss.exe 88
PID 2464 wrote to memory of 3528 2464 smss.exe 88
PID 3528 wrote to memory of 2628 3528 Gaara.exe 90
PID 3528 wrote to memory of 2628 3528 Gaara.exe 90
PID 3528 wrote to memory of 2628 3528 Gaara.exe 90
PID 3528 wrote to memory of 4912 3528 Gaara.exe 91
PID 3528 wrote to memory of 4912 3528 Gaara.exe 91
PID 3528 wrote to memory of 4912 3528 Gaara.exe 91
PID 3528 wrote to memory of 4368 3528 Gaara.exe 92
PID 3528 wrote to memory of 4368 3528 Gaara.exe 92
PID 3528 wrote to memory of 4368 3528 Gaara.exe 92
PID 4368 wrote to memory of 2524 4368 csrss.exe 93
PID 4368 wrote to memory of 2524 4368 csrss.exe 93
PID 4368 wrote to memory of 2524 4368 csrss.exe 93
PID 4368 wrote to memory of 2112 4368 csrss.exe 94
PID 4368 wrote to memory of 2112 4368 csrss.exe 94
PID 4368 wrote to memory of 2112 4368 csrss.exe 94
PID 4368 wrote to memory of 3336 4368 csrss.exe 95
PID 4368 wrote to memory of 3336 4368 csrss.exe 95
PID 4368 wrote to memory of 3336 4368 csrss.exe 95
PID 4368 wrote to memory of 2200 4368 csrss.exe 96
PID 4368 wrote to memory of 2200 4368 csrss.exe 96
PID 4368 wrote to memory of 2200 4368 csrss.exe 96
PID 2200 wrote to memory of 3940 2200 Kazekage.exe 97
PID 2200 wrote to memory of 3940 2200 Kazekage.exe 97
PID 2200 wrote to memory of 3940 2200 Kazekage.exe 97
PID 2200 wrote to memory of 1216 2200 Kazekage.exe 98
PID 2200 wrote to memory of 1216 2200 Kazekage.exe 98
PID 2200 wrote to memory of 1216 2200 Kazekage.exe 98
PID 2200 wrote to memory of 2024 2200 Kazekage.exe 99
PID 2200 wrote to memory of 2024 2200 Kazekage.exe 99
PID 2200 wrote to memory of 2024 2200 Kazekage.exe 99
PID 2200 wrote to memory of 2604 2200 Kazekage.exe 100
PID 2200 wrote to memory of 2604 2200 Kazekage.exe 100
PID 2200 wrote to memory of 2604 2200 Kazekage.exe 100
PID 2200 wrote to memory of 1512 2200 Kazekage.exe 101
PID 2200 wrote to memory of 1512 2200 Kazekage.exe 101
PID 2200 wrote to memory of 1512 2200 Kazekage.exe 101
PID 1512 wrote to memory of 3584 1512 system32.exe 102
PID 1512 wrote to memory of 3584 1512 system32.exe 102
PID 1512 wrote to memory of 3584 1512 system32.exe 102
PID 1512 wrote to memory of 1032 1512 system32.exe 103
PID 1512 wrote to memory of 1032 1512 system32.exe 103
PID 1512 wrote to memory of 1032 1512 system32.exe 103
PID 1512 wrote to memory of 4852 1512 system32.exe 104
PID 1512 wrote to memory of 4852 1512 system32.exe 104
PID 1512 wrote to memory of 4852 1512 system32.exe 104
PID 1512 wrote to memory of 4896 1512 system32.exe 107
PID 1512 wrote to memory of 4896 1512 system32.exe 107
PID 1512 wrote to memory of 4896 1512 system32.exe 107
PID 1512 wrote to memory of 3404 1512 system32.exe 108
PID 1512 wrote to memory of 3404 1512 system32.exe 108
PID 1512 wrote to memory of 3404 1512 system32.exe 108
PID 4368 wrote to memory of 1460 4368 csrss.exe 109
PID 4368 wrote to memory of 1460 4368 csrss.exe 109
PID 4368 wrote to memory of 1460 4368 csrss.exe 109
PID 3528 wrote to memory of 1048 3528 Gaara.exe 110
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe "C:\Users\Admin\AppData\Local\Temp\d18d531ae8722acb924b6330e1e4fa6ab1160dca9acc9a5fb10cfd2a522e0fea.exe" (level 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3144
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe" (level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2464
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe" (level 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3632
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe" (level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3528
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe" (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2628
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe" (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4912
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe" (level 4)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4368
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe" (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2524
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe" (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2112
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe" (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3336
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe (level 5)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe" (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3940
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe" (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1216
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe" (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2024
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe (level 6)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2604
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe (level 6)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1512
C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe" (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3584
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe" (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1032
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe" (level 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4852
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe (level 7)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4896
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe (level 7)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3404
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2800
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4356
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2188
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2892
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4804
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 7)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3904
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:180
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 6)
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4988
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2712
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4996
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:748
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4796
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe (level 5)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1460
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4944
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3332
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1460
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 5)
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2760
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2824
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1076
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1048
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2636
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4048
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3064
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5080
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2276
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 (level 4)
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4356
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:892
-
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4424
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2592
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2888
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2828
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2368
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1956
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2788
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4496
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3424
-
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3428
-
-
C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2764
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3908
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1428
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4356
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4352
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3340
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3440
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2712
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3600
-
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads