Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system -
submitted
02/05/2025, 09:42
Behavioral task
behavioral1
Sample
2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win10v2004-20250410-en
General
-
Target
2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe
-
Size
9.5MB
-
MD5
43334a7043505d6ddbff13cd13568e4a
-
SHA1
86bfea6e01e10a46af5f60ccc1eab48304bd274e
-
SHA256
c9bce23cd71da05bf8c5fda6ee18d7d389916035ea5456a1e52c7632b4326797
-
SHA512
c7887e6d4ba3ab7417bd2449f3b3dfd55f6a9005072bcc76df3ed9e3085c0564a112d6f3174cf8fcd433b5af615386970a5b08d77c506762ea3e75452f701929
-
SSDEEP
98304:EyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvP:X1eHL5dEvP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe -
Executes dropped EXE 29 IoCs
pid Process 2616 smss.exe 5472 smss.exe 4900 Gaara.exe 4936 smss.exe 3916 Gaara.exe 3696 csrss.exe 5732 smss.exe 6068 Gaara.exe 3652 csrss.exe 1612 Gaara.exe 3456 csrss.exe 1960 Kazekage.exe 732 Kazekage.exe 5204 Kazekage.exe 5928 smss.exe 1904 csrss.exe 1028 Kazekage.exe 5416 Gaara.exe 1472 system32.exe 3012 system32.exe 1384 csrss.exe 368 Kazekage.exe 6032 smss.exe 6124 Gaara.exe 6096 system32.exe 5512 csrss.exe 1136 system32.exe 2340 Kazekage.exe 4376 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 2616 smss.exe 5472 smss.exe 4900 Gaara.exe 4936 smss.exe 3916 Gaara.exe 3696 csrss.exe 5732 smss.exe 6068 Gaara.exe 3652 csrss.exe 1612 Gaara.exe 3456 csrss.exe 5928 smss.exe 1904 csrss.exe 5416 Gaara.exe 1384 csrss.exe 6032 smss.exe 6124 Gaara.exe 5512 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\V:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini system32.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\M:\Desktop.ini Gaara.exe File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\W:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\N:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini Kazekage.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\R:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\N:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\R:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\L:\Desktop.ini Gaara.exe File opened for modification \??\R:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification \??\A:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\O:\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini csrss.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini smss.exe File opened for modification \??\B:\Desktop.ini system32.exe File opened for modification \??\M:\Desktop.ini system32.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: smss.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\T: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\B: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\E: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\X: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\K: Gaara.exe File opened (read-only) \??\K: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\M: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\P: system32.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\I: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\A: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\B: system32.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\Q: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\P: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\K: system32.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\O: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\V: 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\A: Kazekage.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\U:\Autorun.inf Kazekage.exe File opened for modification \??\X:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf csrss.exe File opened for modification \??\P:\Autorun.inf csrss.exe File created \??\Z:\Autorun.inf csrss.exe File created \??\Q:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf smss.exe File opened for modification \??\E:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf system32.exe File created \??\L:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\M:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification D:\Autorun.inf Gaara.exe File created \??\L:\Autorun.inf csrss.exe File created \??\J:\Autorun.inf Gaara.exe File created \??\L:\Autorun.inf Kazekage.exe File opened for modification \??\E:\Autorun.inf system32.exe File created \??\N:\Autorun.inf system32.exe File opened for modification \??\Z:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\G:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf system32.exe File created \??\B:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Q:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\T:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\J:\Autorun.inf smss.exe File created \??\W:\Autorun.inf csrss.exe File opened for modification \??\R:\Autorun.inf Kazekage.exe File created \??\A:\Autorun.inf csrss.exe File created \??\P:\Autorun.inf csrss.exe File opened for modification \??\A:\Autorun.inf Kazekage.exe File opened for modification \??\O:\Autorun.inf Kazekage.exe File created \??\I:\Autorun.inf smss.exe File opened for modification \??\P:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf Gaara.exe File opened for modification \??\Z:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\U:\Autorun.inf smss.exe File opened for modification \??\V:\Autorun.inf smss.exe File opened for modification C:\Autorun.inf Gaara.exe File created \??\U:\Autorun.inf Gaara.exe File opened for modification \??\V:\Autorun.inf Kazekage.exe File created \??\G:\Autorun.inf system32.exe File created \??\Z:\Autorun.inf system32.exe File opened for modification C:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification D:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Z:\Autorun.inf Gaara.exe File created D:\Autorun.inf csrss.exe File opened for modification \??\V:\Autorun.inf system32.exe File opened for modification \??\I:\Autorun.inf Kazekage.exe File opened for modification \??\T:\Autorun.inf smss.exe File created F:\Autorun.inf 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\S:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf Kazekage.exe File created \??\T:\Autorun.inf system32.exe File opened for modification \??\Y:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File created \??\R:\Autorun.inf Gaara.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File created \??\U:\Autorun.inf Kazekage.exe File opened for modification \??\I:\Autorun.inf system32.exe File opened for modification \??\A:\Autorun.inf Gaara.exe File created \??\H:\Autorun.inf Kazekage.exe File created \??\P:\Autorun.inf Kazekage.exe File created \??\J:\Autorun.inf system32.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe smss.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
resource yara_rule behavioral1/memory/1152-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000700000002401f-11.dat upx behavioral1/memory/2616-34-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000700000002401d-32.dat upx behavioral1/files/0x000700000002401e-41.dat upx behavioral1/files/0x0007000000024023-57.dat upx behavioral1/memory/5472-70-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5472-74-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4900-78-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024023-97.dat upx behavioral1/files/0x0007000000024022-92.dat upx behavioral1/files/0x0007000000024021-88.dat upx behavioral1/memory/3916-113-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3916-116-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000700000002401f-118.dat upx behavioral1/memory/3696-119-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1152-127-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024022-132.dat upx behavioral1/memory/2616-139-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4900-159-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/6068-161-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3652-168-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3456-169-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1612-170-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1960-176-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3696-177-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3456-182-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024021-188.dat upx behavioral1/memory/732-204-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5204-203-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024023-191.dat upx behavioral1/memory/1472-229-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1960-230-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1028-228-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5204-225-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5416-236-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3012-238-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1384-241-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/368-255-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/6096-257-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/6124-260-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/6096-262-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1136-266-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1472-269-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2340-270-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4376-273-0x0000000000400000-0x000000000042B000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File created C:\Windows\mscomctl.ocx 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe smss.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\ 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\ csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2416 ping.exe 4776 ping.exe 400 ping.exe 5584 ping.exe 2876 ping.exe 4408 ping.exe 2932 ping.exe 2752 ping.exe 116 ping.exe 1620 ping.exe 760 ping.exe 1388 ping.exe 1660 ping.exe 4620 ping.exe 5132 ping.exe 3916 ping.exe 4880 ping.exe 4892 ping.exe 5000 ping.exe 5128 ping.exe 2232 ping.exe 1336 ping.exe 5576 ping.exe 5672 ping.exe 5040 ping.exe 4572 ping.exe 4968 ping.exe 1336 ping.exe 1484 ping.exe 5708 ping.exe 1624 ping.exe 5016 ping.exe 3116 ping.exe 4376 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop system32.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe -
Runs ping.exe 1 TTPs 34 IoCs
pid Process 5708 ping.exe 2876 ping.exe 5576 ping.exe 4620 ping.exe 3116 ping.exe 5040 ping.exe 2752 ping.exe 5672 ping.exe 1336 ping.exe 5016 ping.exe 2932 ping.exe 4408 ping.exe 4968 ping.exe 1624 ping.exe 4572 ping.exe 4376 ping.exe 5132 ping.exe 1620 ping.exe 760 ping.exe 5128 ping.exe 1336 ping.exe 1484 ping.exe 1388 ping.exe 2416 ping.exe 4880 ping.exe 4776 ping.exe 116 ping.exe 3916 ping.exe 400 ping.exe 5584 ping.exe 2232 ping.exe 4892 ping.exe 5000 ping.exe 1660 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 3696 csrss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 2616 smss.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe 1472 system32.exe -
Suspicious use of SetWindowsHookEx 30 IoCs
pid Process 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 2616 smss.exe 5472 smss.exe 4900 Gaara.exe 4936 smss.exe 3916 Gaara.exe 3696 csrss.exe 6068 Gaara.exe 5732 smss.exe 3652 csrss.exe 1612 Gaara.exe 3456 csrss.exe 1960 Kazekage.exe 732 Kazekage.exe 5204 Kazekage.exe 5928 smss.exe 1904 csrss.exe 1028 Kazekage.exe 5416 Gaara.exe 1472 system32.exe 3012 system32.exe 1384 csrss.exe 368 Kazekage.exe 6032 smss.exe 6124 Gaara.exe 6096 system32.exe 5512 csrss.exe 1136 system32.exe 2340 Kazekage.exe 4376 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1152 wrote to memory of 2616 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 87 PID 1152 wrote to memory of 2616 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 87 PID 1152 wrote to memory of 2616 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 87 PID 2616 wrote to memory of 5472 2616 smss.exe 89 PID 2616 wrote to memory of 5472 2616 smss.exe 89 PID 2616 wrote to memory of 5472 2616 smss.exe 89 PID 2616 wrote to memory of 4900 2616 smss.exe 92 PID 2616 wrote to memory of 4900 2616 smss.exe 92 PID 2616 wrote to memory of 4900 2616 smss.exe 92 PID 4900 wrote to memory of 4936 4900 Gaara.exe 95 PID 4900 wrote to memory of 4936 4900 Gaara.exe 95 PID 4900 wrote to memory of 4936 4900 Gaara.exe 95 PID 4900 wrote to memory of 3916 4900 Gaara.exe 97 PID 4900 wrote to memory of 3916 4900 Gaara.exe 97 PID 4900 wrote to memory of 3916 4900 Gaara.exe 97 PID 4900 wrote to memory of 3696 4900 Gaara.exe 98 PID 4900 wrote to memory of 3696 4900 Gaara.exe 98 PID 4900 wrote to memory of 3696 4900 Gaara.exe 98 PID 3696 wrote to memory of 5732 3696 csrss.exe 99 PID 3696 wrote to memory of 5732 3696 csrss.exe 99 PID 3696 wrote to memory of 5732 3696 csrss.exe 99 PID 1152 wrote to memory of 6068 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 100 PID 1152 wrote to memory of 6068 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 100 PID 1152 wrote to memory of 6068 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 100 PID 1152 wrote to memory of 3652 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 103 PID 1152 wrote to memory of 3652 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 103 PID 1152 wrote to memory of 3652 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 103 PID 3696 wrote to memory of 1612 3696 csrss.exe 104 PID 3696 wrote to memory of 1612 3696 csrss.exe 104 PID 3696 wrote to memory of 1612 3696 csrss.exe 104 PID 3696 wrote to memory of 3456 3696 csrss.exe 105 PID 3696 wrote to memory of 3456 3696 csrss.exe 105 PID 3696 wrote to memory of 3456 3696 csrss.exe 105 PID 1152 wrote to memory of 1960 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 106 PID 1152 wrote to memory of 1960 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 106 PID 1152 wrote to memory of 1960 1152 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe 106 PID 3696 wrote to memory of 732 3696 csrss.exe 107 PID 3696 wrote to memory of 732 3696 csrss.exe 107 PID 3696 wrote to memory of 732 3696 csrss.exe 107 PID 4900 wrote to memory of 5204 4900 Gaara.exe 108 PID 4900 wrote to memory of 5204 4900 Gaara.exe 108 PID 4900 wrote to memory of 5204 4900 Gaara.exe 108 PID 1960 wrote to memory of 5928 1960 Kazekage.exe 109 PID 1960 wrote to memory of 5928 1960 Kazekage.exe 109 PID 1960 wrote to memory of 5928 1960 Kazekage.exe 109 PID 2616 wrote to memory of 1904 2616 smss.exe 110 PID 2616 wrote to memory of 1904 2616 smss.exe 110 PID 2616 wrote to memory of 1904 2616 smss.exe 110 PID 2616 wrote to memory of 1028 2616 smss.exe 111 PID 2616 wrote to memory of 1028 2616 smss.exe 111 PID 2616 wrote to memory of 1028 2616 smss.exe 111 PID 1960 wrote to memory of 5416 1960 Kazekage.exe 112 PID 1960 wrote to memory of 5416 1960 Kazekage.exe 112 PID 1960 wrote to memory of 5416 1960 Kazekage.exe 112 PID 4900 wrote to memory of 1472 4900 Gaara.exe 113 PID 4900 wrote to memory of 1472 4900 Gaara.exe 113 PID 4900 wrote to memory of 1472 4900 Gaara.exe 113 PID 2616 wrote to memory of 3012 2616 smss.exe 114 PID 2616 wrote to memory of 3012 2616 smss.exe 114 PID 2616 wrote to memory of 3012 2616 smss.exe 114 PID 1960 wrote to memory of 1384 1960 Kazekage.exe 115 PID 1960 wrote to memory of 1384 1960 Kazekage.exe 115 PID 1960 wrote to memory of 1384 1960 Kazekage.exe 115 PID 1960 wrote to memory of 368 1960 Kazekage.exe 124 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1152 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5472
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4900 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4936
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3916
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3696 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5732
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1612
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3456
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:732
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5584
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1388
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4620
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4968
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5204
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1472 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6032
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6124
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5512
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2340
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4376
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1624
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2232
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:116
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4376
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:400
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1484
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4892
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4408
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3916
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1904
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1028
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3012
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4880
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4776
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1336
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5576
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1620
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5128
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6068
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3652
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1960 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5928
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5416
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1384
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:368
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6096
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5708
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1660
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3116
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2752
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:760
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1136
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5040
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1336
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4572
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2876
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5000
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:3040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5276
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
9.5MB
MD5b761eed788286951e7fd602195eda319
SHA1b9c28d479bf5e73c4cfdb6d96b091ab9fbe5ad38
SHA2560a6fb1c9aae734f548b9ecf93420c2ceee40354142b82fb3bdd2ad8140e1f86d
SHA5129e79f35bd48a338f392b3598f4856ef300a04c8c39b2f1042b6f218c1871049e49f6836ec01a21ca0bfbc3b6f1c4fa185eee99bfb492437ce5f5d5d4496518e0
-
Filesize
9.5MB
MD543334a7043505d6ddbff13cd13568e4a
SHA186bfea6e01e10a46af5f60ccc1eab48304bd274e
SHA256c9bce23cd71da05bf8c5fda6ee18d7d389916035ea5456a1e52c7632b4326797
SHA512c7887e6d4ba3ab7417bd2449f3b3dfd55f6a9005072bcc76df3ed9e3085c0564a112d6f3174cf8fcd433b5af615386970a5b08d77c506762ea3e75452f701929
-
Filesize
9.5MB
MD508d51cd548ae1c1410ac360291b52f92
SHA1f8ff7af484156645ec02346a2c157f7cfe6802d3
SHA25629d1135782bd768059540da35bfd1228c15c3e02fbe1022fbe274411547fece4
SHA5124c61cb533a54dd2fe62283e224f5cfa1abed4ae38564b5cc73990a3882de05b888928b83381ed709e2f20d3b7d107a233f6a2dc6db59756b083b4b7b90923a13
-
Filesize
9.5MB
MD5fe2bd8462313af76e19a25086a860e45
SHA1b713bbc1a816f9698b0c0af6f0e2e99b41c5e8c2
SHA256ca196a861b0486d4ac64abd016cec623c30670d2f33e07c6fff958750b4db718
SHA512908057cb2bdc0c7d699179e961bce75e3ac92d3517413b2c748992e657c23d8cdff353ab2046ae5ec1eff6a5d40d45c83ee7f88a0c05c41035df04c760e0c0cb
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
9.5MB
MD5b9a7acfd55442696f9a32cd924e289e3
SHA12725caa7d05b9259b72782cd6af806aad2314be4
SHA2567aed92010844b8531a016bd7680e8537942b2803b7f41d4487fa1b3c058777e9
SHA512e89a8e8c7051fc8f5e66bcec760392797e2fcb97cb73e2673b930bb2ad8e6e02a30acf15061c2d8776f8dbed0d29c9a3cd425a2d41a00162876e6dd8ec7e8289
-
Filesize
9.5MB
MD5e799a73ffdb77511a0628a5271b24b9f
SHA1e3b35e38b31079b6e63383abacd0a68d428e91b4
SHA2568a97bc7af6c86835752e8305cd54747505610e5bcd0c885e08c3d6c0ec9e9d9d
SHA5121aca39f79723ebf452e48c8182850e1a21d4cf6769bd9d53e33f31667fe5cd778f10d0fa4ed51a4e52cb0ac506973be4051708841b1b69d5fea61529cf96caf4
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
9.5MB
MD5dac84a6cc1ec533e1ccda6f6c0efdfdd
SHA18d3743b4202e65e0f2e64f1650a9b013c0c61f93
SHA25603e6fd83ee32cdcc1786ff8b5916206f31abb8c7b5d6d1980a225e7f6b581ca7
SHA512d6a1789b86ee3df6cd04cf79167643fbb91029146a71053f19bede521347d2f77074643fd970e2c274ad9484885f5a4d8f08f8143b41dc4c95e120c929e6d621
-
Filesize
9.5MB
MD5a3848c3573728eaf6be9dc05fb13707f
SHA1231237c75a386b194d4af3411483da5fb0a1c40c
SHA256c7ecda76bee6852bf23b71c05ad01029ca22ce26e29648c44f1a38ae818888cf
SHA5128d56d8e3ecf950a84490ab89d5adbacf57e32b080f9d71211bf2676a4a7ccb61782d14e3b7bdf029a3cc4429abf5cf7093f40762a76a56f1e8bf4776427cce62
-
Filesize
9.5MB
MD55e7008a098750c4015d547727695c538
SHA1061a83e48302d9de5e30548bf5206239c54f632b
SHA25673bf07ae250bf316f501f51b7722f3f6d435c55dd2ec789adf90a443c002c256
SHA512372473605be6f0de1c1117375a2520968488ef90c12c85f1001a40abd22f5ca2b63fe3fd3a2e53a88c30ebd8ae7a9cada0d00c984b63900a6176e3b43a2187e1
-
Filesize
9.5MB
MD54c666f09276d13a4ffb2e2df15304282
SHA1b374b130cf82b6150d3744bab60281cf8ea81a71
SHA25617493d55c7ba944479f0d5abbec7c85a20b33d2c8338ad6330f248bf3b948b21
SHA512798bcf62fc4f4d5902f1528ddc75e883c3e78d193f9f0a99954f8c819c7e587956f6283fc8c3a4ac2d94c16d02bbf0d1a307471ab1fae48e12eb432c62903cee
-
Filesize
9.5MB
MD56910528972eadb723f9859da239de91a
SHA144ac178c646b54820782b825b8231f68f4365b95
SHA2567f8a2f666291989f30a5f2eccbe1035fb24e71e7b89cc35b3d4c77bc649d8f39
SHA512673f4b4881f2fa7025353694ce4039d20af1ebc847d106a30cdd2117f23c02e3c7836e9670b2624264e29b8d39b793cc222a027e15f9797156e8cca2a844866b
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a