Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2025, 09:42

General

  • Target

    2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe

  • Size

    9.5MB

  • MD5

    43334a7043505d6ddbff13cd13568e4a

  • SHA1

    86bfea6e01e10a46af5f60ccc1eab48304bd274e

  • SHA256

    c9bce23cd71da05bf8c5fda6ee18d7d389916035ea5456a1e52c7632b4326797

  • SHA512

    c7887e6d4ba3ab7417bd2449f3b3dfd55f6a9005072bcc76df3ed9e3085c0564a112d6f3174cf8fcd433b5af615386970a5b08d77c506762ea3e75452f701929

  • SSDEEP

    98304:EyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvP:X1eHL5dEvP

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 46 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1152
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2616
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5472
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4900
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4936
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3916
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3696
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5732
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1612
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3456
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:732
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5584
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1388
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4620
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2932
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2416
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4968
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5204
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1472
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:6032
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:6124
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5512
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2340
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4376
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1624
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2232
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:116
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4376
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:400
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1484
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5016
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4892
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4408
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3916
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1904
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1028
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3012
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4880
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4776
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1336
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5576
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1620
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5128
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:6068
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3652
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1960
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5928
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5416
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1384
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:368
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:6096
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5708
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1660
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3116
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2752
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5672
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:760
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1136
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5040
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1336
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4572
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2876
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5000
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5132
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
    1⤵
      PID:3520
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
      1⤵
        PID:3760
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 2-5-2025.exe
        1⤵
          PID:3040
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:5276

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

                  Filesize

                  9.5MB

                  MD5

                  b761eed788286951e7fd602195eda319

                  SHA1

                  b9c28d479bf5e73c4cfdb6d96b091ab9fbe5ad38

                  SHA256

                  0a6fb1c9aae734f548b9ecf93420c2ceee40354142b82fb3bdd2ad8140e1f86d

                  SHA512

                  9e79f35bd48a338f392b3598f4856ef300a04c8c39b2f1042b6f218c1871049e49f6836ec01a21ca0bfbc3b6f1c4fa185eee99bfb492437ce5f5d5d4496518e0

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  9.5MB

                  MD5

                  43334a7043505d6ddbff13cd13568e4a

                  SHA1

                  86bfea6e01e10a46af5f60ccc1eab48304bd274e

                  SHA256

                  c9bce23cd71da05bf8c5fda6ee18d7d389916035ea5456a1e52c7632b4326797

                  SHA512

                  c7887e6d4ba3ab7417bd2449f3b3dfd55f6a9005072bcc76df3ed9e3085c0564a112d6f3174cf8fcd433b5af615386970a5b08d77c506762ea3e75452f701929

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  9.5MB

                  MD5

                  08d51cd548ae1c1410ac360291b52f92

                  SHA1

                  f8ff7af484156645ec02346a2c157f7cfe6802d3

                  SHA256

                  29d1135782bd768059540da35bfd1228c15c3e02fbe1022fbe274411547fece4

                  SHA512

                  4c61cb533a54dd2fe62283e224f5cfa1abed4ae38564b5cc73990a3882de05b888928b83381ed709e2f20d3b7d107a233f6a2dc6db59756b083b4b7b90923a13

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

                  Filesize

                  9.5MB

                  MD5

                  fe2bd8462313af76e19a25086a860e45

                  SHA1

                  b713bbc1a816f9698b0c0af6f0e2e99b41c5e8c2

                  SHA256

                  ca196a861b0486d4ac64abd016cec623c30670d2f33e07c6fff958750b4db718

                  SHA512

                  908057cb2bdc0c7d699179e961bce75e3ac92d3517413b2c748992e657c23d8cdff353ab2046ae5ec1eff6a5d40d45c83ee7f88a0c05c41035df04c760e0c0cb

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  9.5MB

                  MD5

                  b9a7acfd55442696f9a32cd924e289e3

                  SHA1

                  2725caa7d05b9259b72782cd6af806aad2314be4

                  SHA256

                  7aed92010844b8531a016bd7680e8537942b2803b7f41d4487fa1b3c058777e9

                  SHA512

                  e89a8e8c7051fc8f5e66bcec760392797e2fcb97cb73e2673b930bb2ad8e6e02a30acf15061c2d8776f8dbed0d29c9a3cd425a2d41a00162876e6dd8ec7e8289

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  9.5MB

                  MD5

                  e799a73ffdb77511a0628a5271b24b9f

                  SHA1

                  e3b35e38b31079b6e63383abacd0a68d428e91b4

                  SHA256

                  8a97bc7af6c86835752e8305cd54747505610e5bcd0c885e08c3d6c0ec9e9d9d

                  SHA512

                  1aca39f79723ebf452e48c8182850e1a21d4cf6769bd9d53e33f31667fe5cd778f10d0fa4ed51a4e52cb0ac506973be4051708841b1b69d5fea61529cf96caf4

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.5MB

                  MD5

                  dac84a6cc1ec533e1ccda6f6c0efdfdd

                  SHA1

                  8d3743b4202e65e0f2e64f1650a9b013c0c61f93

                  SHA256

                  03e6fd83ee32cdcc1786ff8b5916206f31abb8c7b5d6d1980a225e7f6b581ca7

                  SHA512

                  d6a1789b86ee3df6cd04cf79167643fbb91029146a71053f19bede521347d2f77074643fd970e2c274ad9484885f5a4d8f08f8143b41dc4c95e120c929e6d621

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.5MB

                  MD5

                  a3848c3573728eaf6be9dc05fb13707f

                  SHA1

                  231237c75a386b194d4af3411483da5fb0a1c40c

                  SHA256

                  c7ecda76bee6852bf23b71c05ad01029ca22ce26e29648c44f1a38ae818888cf

                  SHA512

                  8d56d8e3ecf950a84490ab89d5adbacf57e32b080f9d71211bf2676a4a7ccb61782d14e3b7bdf029a3cc4429abf5cf7093f40762a76a56f1e8bf4776427cce62

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.5MB

                  MD5

                  5e7008a098750c4015d547727695c538

                  SHA1

                  061a83e48302d9de5e30548bf5206239c54f632b

                  SHA256

                  73bf07ae250bf316f501f51b7722f3f6d435c55dd2ec789adf90a443c002c256

                  SHA512

                  372473605be6f0de1c1117375a2520968488ef90c12c85f1001a40abd22f5ca2b63fe3fd3a2e53a88c30ebd8ae7a9cada0d00c984b63900a6176e3b43a2187e1

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.5MB

                  MD5

                  4c666f09276d13a4ffb2e2df15304282

                  SHA1

                  b374b130cf82b6150d3744bab60281cf8ea81a71

                  SHA256

                  17493d55c7ba944479f0d5abbec7c85a20b33d2c8338ad6330f248bf3b948b21

                  SHA512

                  798bcf62fc4f4d5902f1528ddc75e883c3e78d193f9f0a99954f8c819c7e587956f6283fc8c3a4ac2d94c16d02bbf0d1a307471ab1fae48e12eb432c62903cee

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.5MB

                  MD5

                  6910528972eadb723f9859da239de91a

                  SHA1

                  44ac178c646b54820782b825b8231f68f4365b95

                  SHA256

                  7f8a2f666291989f30a5f2eccbe1035fb24e71e7b89cc35b3d4c77bc649d8f39

                  SHA512

                  673f4b4881f2fa7025353694ce4039d20af1ebc847d106a30cdd2117f23c02e3c7836e9670b2624264e29b8d39b793cc222a027e15f9797156e8cca2a844866b

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/368-255-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/732-204-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1028-228-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1136-266-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1152-127-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1152-0-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1384-241-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1472-229-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1472-269-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1612-170-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1960-176-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1960-230-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2340-270-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2616-139-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2616-34-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3012-238-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3456-169-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3456-182-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3652-168-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3696-119-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3696-177-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3916-113-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3916-116-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4376-273-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4900-78-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4900-159-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5204-225-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5204-203-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5416-236-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5472-74-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5472-70-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6068-161-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6096-262-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6096-257-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6124-260-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB