Analysis
max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags
arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted
02/05/2025, 08:06
Behavioral task
behavioral1
Sample
2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win11-20250410-en
General
Target
2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Size
9.4MB
MD5
de01a22e6c425a183ea1cf5d4885fc00
SHA1
497a9d42f0399808ca69d3e85f21abb4b21607fd
SHA256
7bf1fe4359ff9dad74a1d30d2b26a89631450b34a983835a497447df96c50b3e
SHA512
dd3a43126bb0ad9007a2ee947ea84c492fb8c8bce254fa2910f9202cf9141af716ac884f8297918e4d45778d05d6e8e736d2a4571fae4cb6124d309fc37a0a86
SSDEEP
98304:KGyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvD:v1eHL5dEvD
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
UAC bypass 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Executes dropped EXE 29 IoCs
pid | Process
2644 | smss.exe
4760 | smss.exe
4916 | Gaara.exe
832 | smss.exe
3280 | Gaara.exe
456 | csrss.exe
3552 | smss.exe
572 | Gaara.exe
5488 | Gaara.exe
1796 | csrss.exe
3492 | csrss.exe
1092 | Kazekage.exe
3896 | Kazekage.exe
3036 | Kazekage.exe
2892 | smss.exe
5856 | csrss.exe
3344 | Gaara.exe
2292 | system32.exe
1036 | Kazekage.exe
2880 | csrss.exe
4372 | system32.exe
1352 | Kazekage.exe
1612 | smss.exe
5656 | system32.exe
5960 | Gaara.exe
6020 | system32.exe
2952 | csrss.exe
3044 | Kazekage.exe
4084 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
2644 | smss.exe
4760 | smss.exe
4916 | Gaara.exe
832 | smss.exe
3280 | Gaara.exe
456 | csrss.exe
3552 | smss.exe
572 | Gaara.exe
5488 | Gaara.exe
1796 | csrss.exe
3492 | csrss.exe
2892 | smss.exe
5856 | csrss.exe
3344 | Gaara.exe
2880 | csrss.exe
1612 | smss.exe
5960 | Gaara.exe
2952 | csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Checks whether UAC is enabled 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\K:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | \??\O:\Desktop.ini | Gaara.exe
File opened for modification | D:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | system32.exe
File opened for modification | \??\I:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\L:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\U:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\U:\Desktop.ini | Kazekage.exe
File opened for modification | \??\V:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\U:\Desktop.ini | Gaara.exe
File opened for modification | C:\Desktop.ini | Kazekage.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\E:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | smss.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | system32.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | Gaara.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | \??\Q:\Desktop.ini | system32.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\H:\Desktop.ini | Gaara.exe
File opened for modification | \??\J:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\A: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\Z: | Kazekage.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\I: | smss.exe
File opened (read-only) | \??\M: | smss.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\E: | system32.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\P: | smss.exe
File opened (read-only) | \??\L: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\O: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\R: | csrss.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\Y: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\E: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\P: | csrss.exe
File opened (read-only) | \??\G: | smss.exe
File opened (read-only) | \??\H: | Gaara.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\J: | Kazekage.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\K: | csrss.exe
File opened (read-only) | \??\T: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\T: | csrss.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\H: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\B: | system32.exe
File opened (read-only) | \??\M: | system32.exe
File opened (read-only) | \??\J: | smss.exe
File opened (read-only) | \??\R: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\X: | system32.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\H: | csrss.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\Q: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\I: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\K: | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\Z: | smss.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\S: | Kazekage.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows AutoRun to spread to any volume it can write to: here the sample and each of its copies drop an Autorun.inf at the root of every drive letter they can reach, including the fixed disks C:, D: and F: listed below. Since Windows 7 (and KB971029 on earlier versions) AutoRun from Autorun.inf is honoured only for CD/DVD media, not for USB sticks or fixed disks, so on a current host the file is a reliable infection marker rather than a working spread path.
description | ioc | Process
File created | \??\U:\Autorun.inf | system32.exe
File created | \??\Y:\Autorun.inf | system32.exe
File created | \??\W:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | \??\M:\Autorun.inf | Gaara.exe
File created | \??\K:\Autorun.inf | Kazekage.exe
File created | \??\L:\Autorun.inf | Kazekage.exe
File created | \??\T:\Autorun.inf | system32.exe
File created | \??\T:\Autorun.inf | Gaara.exe
File opened for modification | \??\Y:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | \??\H:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\B:\Autorun.inf | csrss.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Z:\Autorun.inf | Kazekage.exe
File created | \??\M:\Autorun.inf | system32.exe
File opened for modification | \??\H:\Autorun.inf | smss.exe
File opened for modification | \??\P:\Autorun.inf | Gaara.exe
File opened for modification | \??\Z:\Autorun.inf | Gaara.exe
File opened for modification | \??\K:\Autorun.inf | system32.exe
File opened for modification | \??\J:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\B:\Autorun.inf | smss.exe
File created | \??\J:\Autorun.inf | smss.exe
File opened for modification | \??\Y:\Autorun.inf | csrss.exe
File opened for modification | \??\E:\Autorun.inf | smss.exe
File created | \??\E:\Autorun.inf | Gaara.exe
File opened for modification | D:\Autorun.inf | Kazekage.exe
File opened for modification | \??\E:\Autorun.inf | system32.exe
File created | \??\M:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\R:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\H:\Autorun.inf | csrss.exe
File opened for modification | \??\S:\Autorun.inf | csrss.exe
File created | \??\W:\Autorun.inf | Kazekage.exe
File opened for modification | \??\I:\Autorun.inf | system32.exe
File created | \??\K:\Autorun.inf | csrss.exe
File created | \??\T:\Autorun.inf | csrss.exe
File created | \??\W:\Autorun.inf | csrss.exe
File opened for modification | \??\Z:\Autorun.inf | csrss.exe
File created | \??\R:\Autorun.inf | Kazekage.exe
File opened for modification | F:\Autorun.inf | system32.exe
File created | \??\W:\Autorun.inf | system32.exe
File created | \??\A:\Autorun.inf | smss.exe
File opened for modification | D:\Autorun.inf | smss.exe
File created | \??\Z:\Autorun.inf | Kazekage.exe
File opened for modification | \??\B:\Autorun.inf | system32.exe
File opened for modification | \??\U:\Autorun.inf | system32.exe
File created | \??\B:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | \??\S:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\J:\Autorun.inf | smss.exe
File created | \??\S:\Autorun.inf | Gaara.exe
File created | D:\Autorun.inf | Gaara.exe
File opened for modification | \??\N:\Autorun.inf | Gaara.exe
File created | \??\J:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | \??\V:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Autorun.inf | smss.exe
File opened for modification | \??\W:\Autorun.inf | smss.exe
File opened for modification | \??\R:\Autorun.inf | Kazekage.exe
File opened for modification | \??\X:\Autorun.inf | Kazekage.exe
File created | \??\X:\Autorun.inf | Kazekage.exe
File opened for modification | \??\N:\Autorun.inf | system32.exe
File created | \??\K:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | \??\L:\Autorun.inf | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | \??\H:\Autorun.inf | smss.exe
File opened for modification | \??\R:\Autorun.inf | smss.exe
File opened for modification | \??\H:\Autorun.inf | Gaara.exe
File created | \??\H:\Autorun.inf | csrss.exe
-
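The two behaviours flagged above, touching every drive root from A: to Z: and then planting an Autorun.inf on each one, can be checked from the defender's side with the script below. It is an added example and not part of the sandbox report or of the sample: it inspects the same candidate roots, parses any Autorun.inf it finds and reports the entries that would launch code (open, shellexecute, shell\...\command). The report does not show the content of the dropped Autorun.inf, so the file written by demo() is a constructed, typical USB-worm layout; its payload.exe name is an assumption and is only there to exercise the parser.

```python
"""Check volume roots for an Autorun.inf that launches code.

Added example (not from the sandbox report): covers both the drive-root
enumeration and the Autorun.inf drop flagged above, from the defender's side.
"""
import os
import re
import string
import sys
import tempfile

# [autorun] keys that make AutoRun / AutoPlay (or a double-click) run something.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf", ".hta")

# Constructed sample: the report shows Autorun.inf being dropped but not its
# content, so this body is an assumption modelled on classic USB-worm files.
SAMPLE_AUTORUN = r"""[autorun]
open=payload.exe
shell\open\command=payload.exe /quiet
icon=payload.exe,0
label=Removable Disk
"""


def parse_autorun_inf(text):
    """Minimal INI parser: {section: {key: value}} with sections and keys lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Return [(key, value)] for [autorun] entries whose target is an executable."""
    hits = []
    for key, value in parse_autorun_inf(text).get("autorun", {}).items():
        if key not in LAUNCH_KEYS and not SHELL_COMMAND_RE.match(key):
            continue
        tokens = value.strip('"').split()  # first token is the program, the rest arguments
        if tokens and tokens[0].lower().endswith(EXEC_EXT):
            hits.append((key, value))
    return hits


def candidate_roots():
    """Roots to inspect: every drive letter on Windows (as the sample does), else '/'."""
    if sys.platform == "win32":
        return [letter + ":\\" for letter in string.ascii_uppercase]
    return ["/"]


def scan_roots(roots):
    """Map each root holding a code-launching Autorun.inf to its findings."""
    results = {}
    for root in roots:
        for name in ("Autorun.inf", "autorun.inf", "AUTORUN.INF"):  # case-sensitive filesystems
            path = os.path.join(root, name)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = autorun_findings(fh.read())
            except OSError:  # unreadable, or removable media that just vanished
                hits = []
            if hits:
                results[root] = hits
            break
    return results


def demo():
    """Build a throw-away 'volume' carrying SAMPLE_AUTORUN and scan it (offline, any OS)."""
    with tempfile.TemporaryDirectory() as volume:
        with open(os.path.join(volume, "Autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_roots([volume])


if __name__ == "__main__":
    print("demo volume:", demo())
    print("this host:", scan_roots(candidate_roots()))
```

Only the launch keys are considered, so an Autorun.inf that merely sets icon= and label= (what a vendor-shipped USB stick carries) is not reported; a hit therefore deserves a look at the referenced executable rather than an automatic block.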
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\ | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File created | C:\Windows\SysWOW64\2-5-2025.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
-
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
-
resource | yara_rule
behavioral1/memory/3564-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241ef-11.dat | upx
behavioral1/files/0x00070000000241ec-31.dat | upx
behavioral1/memory/2644-32-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241ee-41.dat | upx
behavioral1/files/0x00070000000241ef-46.dat | upx
behavioral1/files/0x00070000000241f0-49.dat | upx
behavioral1/memory/4760-70-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4916-79-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4760-76-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241f0-89.dat | upx
behavioral1/files/0x00070000000241f1-93.dat | upx
behavioral1/memory/3564-114-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3280-115-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3280-120-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241ef-122.dat | upx
behavioral1/memory/2644-123-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/456-124-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241f1-137.dat | upx
behavioral1/files/0x00070000000241f2-142.dat | upx
behavioral1/memory/4916-159-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3552-166-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1796-170-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/572-174-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5488-179-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1796-183-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1092-188-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3896-192-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3492-185-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241f0-198.dat | upx
behavioral1/memory/456-216-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3896-218-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241f2-202.dat | upx
behavioral1/memory/2292-238-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2892-239-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3036-241-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1036-244-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5856-246-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3344-250-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1036-261-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x00070000000241f0-255.dat | upx
behavioral1/memory/4372-259-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1092-258-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/456-257-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5656-276-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1352-278-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4372-283-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5656-288-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2644-290-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5960-292-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/6020-296-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2292-297-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3044-302-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4084-305-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4916-306-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1092-307-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2292-308-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3564-309-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/456-310-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2644-311-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3564-341-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2644-390-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4916-538-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/456-581-0x0000000000400000-0x000000000042A000-memory.dmp | upx
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system\msvbvm60.dll | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | Kazekage.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | system32.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\mscomctl.ocx | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | smss.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | system32.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | Kazekage.exe
File opened for modification | C:\Windows\ | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\msvbvm60.dll | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\ | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | smss.exe
-
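Hunting for the files in this section and the System32 one above works better with patterns than with literal names: the folder "Admin 2 - 5 - 2025" and the file "2-5-2025.exe" appear to embed the logged-on user name and the run date (an inference from the sample's own 2025-05-02 prefix), so both will differ on every infected host. The script below is an added example, not part of the report or of the sample. It walks a Windows directory and flags the three drop patterns the tables document: executables or images under Fonts, a date-named .exe directly in System32 or SysWOW64, and the VB6 runtime files (msvbvm60.dll, mscomctl.ocx) or mscoree.dll planted outside the system directories (Windows\, Windows\system\, Windows\WBEM\). Its demo builds a throw-away tree that mimics the report's drops, so it runs offline on any OS; on a Windows host, call hunt() on the real %WINDIR%.

```python
"""Hunt for the dropped-file patterns the sandbox report lists.

Added example (not from the report).  Matching is on patterns because the
user name and date embedded in the dropped paths change from host to host.
"""
import os
import re
import tempfile

CODE_EXT = {".exe", ".com", ".scr", ".dll", ".ocx", ".bat", ".cmd", ".vbs"}
IMAGE_EXT = {".jpg", ".jpeg", ".bmp", ".png"}
DATE_NAMED_EXE = re.compile(r"^\d{1,2}-\d{1,2}-\d{4}\.exe$", re.IGNORECASE)
SYSTEM_DIRS = {"system32", "syswow64"}
# Runtime files the sample copies around; expected only in the system dirs.
RUNTIME_FILES = {"msvbvm60.dll", "mscomctl.ocx", "mscoree.dll"}
SKIP_DIRS = {"winsxs", "servicing"}  # servicing stores: huge, and legitimately hold every DLL


def classify(windir, path):
    """Return the name of the rule a file under `windir` matches, or None."""
    parts = os.path.relpath(path, windir).lower().split(os.sep)
    top, name = (parts[0] if len(parts) > 1 else ""), parts[-1]
    ext = os.path.splitext(name)[1]
    if top == "fonts" and (ext in CODE_EXT or ext in IMAGE_EXT):
        return "code-or-image-under-Fonts"        # Fonts\<user> <date>\*.exe, Fonts\*.jpg
    if top in SYSTEM_DIRS and len(parts) == 2 and DATE_NAMED_EXE.match(name):
        return "date-named-exe-in-system-dir"     # SysWOW64\2-5-2025.exe
    if name in RUNTIME_FILES and top not in SYSTEM_DIRS | SKIP_DIRS:
        return "runtime-dll-outside-system-dir"   # Windows\, Windows\system\, Windows\WBEM\
    return None


def hunt(windir):
    """Walk `windir` and return sorted (rule, path relative to windir) pairs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(windir):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rule = classify(windir, full)
            if rule:
                hits.append((rule, os.path.relpath(full, windir).replace(os.sep, "\\")))
    return sorted(hits)


# Constructed tree mimicking the report's drops, plus a few legitimate files
# that must not be flagged.
DEMO_FILES = [
    r"Fonts\Admin 2 - 5 - 2025\Gaara.exe",
    r"Fonts\Admin 2 - 5 - 2025\csrss.exe",
    r"Fonts\Admin 2 - 5 - 2025\smss.exe",
    r"Fonts\Admin 2 - 5 - 2025\msvbvm60.dll",
    r"Fonts\The Kazekage.jpg",
    r"Fonts\arial.ttf",            # legitimate font
    r"SysWOW64\2-5-2025.exe",
    r"SysWOW64\msvbvm60.dll",      # legitimate location for the VB6 runtime
    r"System32\notepad.exe",       # legitimate
    r"system\msvbvm60.dll",
    r"WBEM\msvbvm60.dll",
    r"msvbvm60.dll",
    r"mscomctl.ocx",
]


def demo():
    """Materialise DEMO_FILES in a temp dir and hunt it (offline, any OS)."""
    with tempfile.TemporaryDirectory() as windir:
        for rel in DEMO_FILES:
            full = os.path.join(windir, *rel.split("\\"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"MZ")  # content is irrelevant; only names and locations matter
        return hunt(windir)


if __name__ == "__main__":
    for rule, rel in demo():
        print(f"{rule:32} {rel}")
```

Writing into C:\Windows\Fonts and C:\Windows\SysWOW64 needs administrative rights, so a host where these paths exist was running the sample elevated; the Desktop.ini the tables also show being written to SysWOW64 is left out of the rules on purpose, since that name is far too common to be a useful signal on its own.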
System Location Discovery: System Language Discovery 1 TTPs 62 IoCs
Attempts to gather information about the system language of the victim in order to infer the host's geographical location. Note that the hits below include the 32 ping.exe instances as well as the sample and its copies: opening NLS\Language is routine for any process that loads locale data, so this signature on its own is weak evidence of deliberate geofencing.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe (32 opens)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe (6 opens)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe (6 opens)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe (6 opens)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe (6 opens)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe (5 opens)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe (1 open)
(62 opens of the same key in total, grouped here by process.)
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems. The report lists the 32 ping.exe launches by PID but not their command lines, so this section alone does not show what was pinged; malware also commonly uses ping.exe as a timed delay (ping -n <count> 127.0.0.1), which would trigger the same signature.
pid | Process
5512 | ping.exe
748 | ping.exe
4372 | ping.exe
4652 | ping.exe
1344 | ping.exe
1464 | ping.exe
5032 | ping.exe
936 | ping.exe
1232 | ping.exe
2376 | ping.exe
6104 | ping.exe
764 | ping.exe
1224 | ping.exe
4984 | ping.exe
3244 | ping.exe
3192 | ping.exe
1524 | ping.exe
5448 | ping.exe
1812 | ping.exe
4360 | ping.exe
2648 | ping.exe
5952 | ping.exe
2392 | ping.exe
5948 | ping.exe
880 | ping.exe
5364 | ping.exe
2952 | ping.exe
1428 | ping.exe
6100 | ping.exe
3060 | ping.exe
1456 | ping.exe
4492 | ping.exe
-
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" |
2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe -
Modifies Internet Explorer settings 12 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Modifies registry class 51 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Runs ping.exe 1 TTPs 32 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 30 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3564 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4760
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4916 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:832
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3280
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:456 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3552
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5488
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3492
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3896
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4372
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1464
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:764
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1456
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1344
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3036
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2292 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1612
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5960

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (level 5)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2952

C:\Windows\SysWOW64\drivers\Kazekage.exe (level 5)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3044

C:\Windows\SysWOW64\drivers\system32.exe (level 5)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4084

C:\Windows\SysWOW64\ping.exe (level 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2952

C:\Windows\SysWOW64\ping.exe (level 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1428

C:\Windows\SysWOW64\ping.exe (level 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4492

C:\Windows\SysWOW64\ping.exe (level 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2376

C:\Windows\SysWOW64\ping.exe (level 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3244

C:\Windows\SysWOW64\ping.exe (level 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2392

C:\Windows\SysWOW64\ping.exe (level 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5364

C:\Windows\SysWOW64\ping.exe (level 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5032

C:\Windows\SysWOW64\ping.exe (level 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2648

C:\Windows\SysWOW64\ping.exe (level 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1232

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (level 3)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5856

C:\Windows\SysWOW64\drivers\Kazekage.exe (level 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1036

C:\Windows\SysWOW64\drivers\system32.exe (level 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4372

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1812

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5952

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 880

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3060

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4652

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5448

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (level 2)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 572

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (level 2)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1796

C:\Windows\SysWOW64\drivers\Kazekage.exe (level 2)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1092

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (level 3)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2892

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (level 3)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3344

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (level 3)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2880

C:\Windows\SysWOW64\drivers\Kazekage.exe (level 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1352

C:\Windows\SysWOW64\drivers\system32.exe (level 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5656

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5948

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3192

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1524

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1224

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 748

C:\Windows\SysWOW64\ping.exe (level 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5512

C:\Windows\SysWOW64\drivers\system32.exe (level 2)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 6020

C:\Windows\SysWOW64\ping.exe (level 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4984

C:\Windows\SysWOW64\ping.exe (level 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 6104

C:\Windows\SysWOW64\ping.exe (level 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 6100

C:\Windows\SysWOW64\ping.exe (level 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4360

C:\Windows\system32\cmd.exe (level 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
PID: 4300

C:\Windows\system32\cmd.exe (level 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID: 1120

C:\Windows\system32\cmd.exe (level 1)
Command line: C:\Windows\system32\cmd.exe /c 2-5-2025.exe
PID: 5500

C:\Windows\system32\cmd.exe (level 1)
Command line: C:\Windows\system32\cmd.exe /c drivers\csrss.exe
PID: 1272
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads