Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system -
submitted
02/05/2025, 11:04
Behavioral task
behavioral1
Sample
2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250410-en
General
-
Target
2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe
-
Size
9.1MB
-
MD5
081190a3c71c8f5fe364a40716b00ad5
-
SHA1
c1e9d8023a841bd9ca95eeed58908a8611fdd98e
-
SHA256
085a996485968c9eaaf71ad895c7f01c72f9e3ffb3579b546a8a0ceab6236f89
-
SHA512
ab259952d9bb3e9135c0887b1a2278be4d6cb4d278f053ff2bc5ce44551cc76e4d1d7edb113bad60a88234197954260ad02e5fd067c69a994e5d783017b2e9ff
-
SSDEEP
49152:oGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gt/Ido:oGyqWyWy0GyqWyWyMRPC1eHL5dGYSEYo
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe -
Executes dropped EXE 30 IoCs
pid Process 5496 smss.exe 4592 smss.exe 4688 Gaara.exe 3200 smss.exe 4668 Gaara.exe 4780 csrss.exe 5056 smss.exe 1620 Gaara.exe 2336 Gaara.exe 3956 csrss.exe 4028 csrss.exe 5864 Kazekage.exe 4696 Kazekage.exe 4540 smss.exe 1920 system32.exe 6008 csrss.exe 4252 Gaara.exe 3236 Kazekage.exe 3748 smss.exe 372 csrss.exe 4076 system32.exe 2708 Gaara.exe 1400 Kazekage.exe 4816 system32.exe 3252 csrss.exe 2528 Kazekage.exe 6068 system32.exe 5632 Kazekage.exe 812 system32.exe 4376 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 5496 smss.exe 4592 smss.exe 4688 Gaara.exe 3200 smss.exe 4668 Gaara.exe 4780 csrss.exe 5056 smss.exe 1620 Gaara.exe 2336 Gaara.exe 3956 csrss.exe 4028 csrss.exe 4540 smss.exe 6008 csrss.exe 4252 Gaara.exe 3748 smss.exe 372 csrss.exe 2708 Gaara.exe 3252 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Kazekage.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\S:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification \??\X:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini smss.exe File opened for modification \??\A:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\V:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\R:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification F:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification \??\M:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification \??\E:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\W:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini smss.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\K: Gaara.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\N: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\M: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\L: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\K: Kazekage.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\R: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\Q: Gaara.exe File opened (read-only) \??\P: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\B: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\S: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\V: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\J: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\O: system32.exe File opened (read-only) \??\Q: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\I: 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\Z: smss.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created D:\Autorun.inf Kazekage.exe File created \??\H:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\Q:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created \??\N:\Autorun.inf smss.exe File opened for modification \??\V:\Autorun.inf smss.exe File created \??\G:\Autorun.inf Gaara.exe File created \??\K:\Autorun.inf Gaara.exe File opened for modification \??\U:\Autorun.inf Gaara.exe File created \??\P:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf csrss.exe File created \??\S:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf system32.exe File opened for modification \??\N:\Autorun.inf csrss.exe File opened for modification \??\O:\Autorun.inf Kazekage.exe File opened for modification \??\M:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created \??\K:\Autorun.inf Kazekage.exe File opened for modification \??\P:\Autorun.inf Kazekage.exe File opened for modification \??\S:\Autorun.inf Kazekage.exe File opened for modification D:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created \??\I:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\S:\Autorun.inf Gaara.exe File created \??\I:\Autorun.inf csrss.exe File opened for modification \??\R:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf system32.exe File created \??\L:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Autorun.inf Gaara.exe File created \??\E:\Autorun.inf csrss.exe File opened for modification \??\E:\Autorun.inf Kazekage.exe File created \??\R:\Autorun.inf Kazekage.exe File created \??\Z:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf system32.exe File created \??\E:\Autorun.inf smss.exe File created \??\V:\Autorun.inf Gaara.exe File opened for modification \??\M:\Autorun.inf system32.exe File opened for modification \??\P:\Autorun.inf system32.exe File created \??\S:\Autorun.inf system32.exe File created \??\B:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created \??\S:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\R:\Autorun.inf Gaara.exe File created \??\H:\Autorun.inf Kazekage.exe File opened for modification \??\L:\Autorun.inf Kazekage.exe File created \??\B:\Autorun.inf Gaara.exe File opened for modification D:\Autorun.inf Kazekage.exe File opened for modification \??\T:\Autorun.inf smss.exe File created \??\Q:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf system32.exe File created \??\J:\Autorun.inf smss.exe File created \??\S:\Autorun.inf smss.exe File created \??\H:\Autorun.inf Gaara.exe File opened for modification \??\V:\Autorun.inf Gaara.exe File opened for modification \??\T:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\I:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf smss.exe File created \??\U:\Autorun.inf smss.exe File created D:\Autorun.inf Gaara.exe File opened for modification \??\K:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf csrss.exe File created \??\Y:\Autorun.inf csrss.exe File opened for modification C:\Autorun.inf 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification \??\Q:\Autorun.inf Gaara.exe File created \??\P:\Autorun.inf Kazekage.exe File opened for modification \??\B:\Autorun.inf system32.exe File opened for modification \??\P:\Autorun.inf csrss.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Gaara.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File created C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
resource yara_rule behavioral1/memory/1760-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000242bb-11.dat upx behavioral1/files/0x00070000000242b8-31.dat upx behavioral1/memory/5496-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000242bb-46.dat upx behavioral1/files/0x00070000000242bc-49.dat upx behavioral1/files/0x00070000000242be-57.dat upx behavioral1/memory/4592-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000242ba-74.dat upx behavioral1/memory/4688-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4592-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000242bb-85.dat upx behavioral1/memory/3200-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000242be-97.dat upx behavioral1/files/0x00070000000242bd-93.dat upx behavioral1/files/0x00070000000242bc-89.dat upx behavioral1/memory/4668-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3200-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4668-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4780-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5496-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4028-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3956-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4688-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000242bd-187.dat upx behavioral1/memory/5864-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4028-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4696-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000242bc-199.dat upx behavioral1/files/0x00070000000242be-203.dat upx behavioral1/memory/4780-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4696-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3236-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3748-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4252-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4076-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5864-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3236-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3748-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4076-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6068-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6068-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5632-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4376-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5496-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5864-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4688-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4780-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5496-368-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\mscomctl.ocx system32.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\system\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\mscomctl.ocx 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2016 ping.exe 5820 ping.exe 4536 ping.exe 3876 ping.exe 2432 ping.exe 3964 ping.exe 3228 ping.exe 5368 ping.exe 3040 ping.exe 1012 ping.exe 3200 ping.exe 1672 ping.exe 4620 ping.exe 4016 ping.exe 3808 ping.exe 648 ping.exe 3184 ping.exe 1016 ping.exe 1400 ping.exe 3972 ping.exe 4836 ping.exe 4632 ping.exe 5784 ping.exe 4452 ping.exe 3496 ping.exe 4440 ping.exe 1104 ping.exe 1016 ping.exe 528 ping.exe 3960 ping.exe 4528 ping.exe 1932 ping.exe 5056 ping.exe 2368 ping.exe 1736 ping.exe 5692 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop smss.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main system32.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 4536 ping.exe 4836 ping.exe 2432 ping.exe 1012 ping.exe 3960 ping.exe 1104 ping.exe 3228 ping.exe 5368 ping.exe 4632 ping.exe 5820 ping.exe 1672 ping.exe 648 ping.exe 3184 ping.exe 4528 ping.exe 1932 ping.exe 1400 ping.exe 2016 ping.exe 1736 ping.exe 5692 ping.exe 1016 ping.exe 3496 ping.exe 1016 ping.exe 4452 ping.exe 5056 ping.exe 5784 ping.exe 3200 ping.exe 528 ping.exe 4016 ping.exe 3040 ping.exe 3876 ping.exe 3972 ping.exe 3964 ping.exe 4440 ping.exe 3808 ping.exe 4620 ping.exe 2368 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 5496 smss.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4688 Gaara.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe 4780 csrss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 5496 smss.exe 4592 smss.exe 4688 Gaara.exe 3200 smss.exe 4668 Gaara.exe 4780 csrss.exe 5056 smss.exe 1620 Gaara.exe 2336 Gaara.exe 4028 csrss.exe 3956 csrss.exe 5864 Kazekage.exe 4696 Kazekage.exe 4540 smss.exe 1920 system32.exe 6008 csrss.exe 4252 Gaara.exe 3236 Kazekage.exe 3748 smss.exe 372 csrss.exe 4076 system32.exe 2708 Gaara.exe 1400 Kazekage.exe 4816 system32.exe 3252 csrss.exe 2528 Kazekage.exe 6068 system32.exe 812 system32.exe 5632 Kazekage.exe 4376 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 5496 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 89 PID 1760 wrote to memory of 5496 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 89 PID 1760 wrote to memory of 5496 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 89 PID 5496 wrote to memory of 4592 5496 smss.exe 90 PID 5496 wrote to memory of 4592 5496 smss.exe 90 PID 5496 wrote to memory of 4592 5496 smss.exe 90 PID 5496 wrote to memory of 4688 5496 smss.exe 91 PID 5496 wrote to memory of 4688 5496 smss.exe 91 PID 5496 wrote to memory of 4688 5496 smss.exe 91 PID 4688 wrote to memory of 3200 4688 Gaara.exe 92 PID 4688 wrote to memory of 3200 4688 Gaara.exe 92 PID 4688 wrote to memory of 3200 4688 Gaara.exe 92 PID 4688 wrote to memory of 4668 4688 Gaara.exe 93 PID 4688 wrote to memory of 4668 4688 Gaara.exe 93 PID 4688 wrote to memory of 4668 4688 Gaara.exe 93 PID 4688 wrote to memory of 4780 4688 Gaara.exe 94 PID 4688 wrote to memory of 4780 4688 Gaara.exe 94 PID 4688 wrote to memory of 4780 4688 Gaara.exe 94 PID 4780 wrote to memory of 5056 4780 csrss.exe 95 PID 4780 wrote to memory of 5056 4780 csrss.exe 95 PID 4780 wrote to memory of 5056 4780 csrss.exe 95 PID 4780 wrote to memory of 1620 4780 csrss.exe 96 PID 4780 wrote to memory of 1620 4780 csrss.exe 96 PID 4780 wrote to memory of 1620 4780 csrss.exe 96 PID 1760 wrote to memory of 2336 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 97 PID 1760 wrote to memory of 2336 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 97 PID 1760 wrote to memory of 2336 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 97 PID 4780 wrote to memory of 3956 4780 csrss.exe 98 PID 4780 wrote to memory of 3956 4780 csrss.exe 98 PID 4780 wrote to memory of 3956 4780 csrss.exe 98 PID 1760 wrote to memory of 4028 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 99 PID 1760 wrote to memory of 4028 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 99 PID 1760 wrote to memory of 4028 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 99 PID 1760 wrote to memory of 5864 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 100 PID 1760 wrote to memory of 5864 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 100 PID 1760 wrote to memory of 5864 1760 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe 100 PID 4780 wrote to memory of 4696 4780 csrss.exe 101 PID 4780 wrote to memory of 4696 4780 csrss.exe 101 PID 4780 wrote to memory of 4696 4780 csrss.exe 101 PID 5864 wrote to memory of 4540 5864 Kazekage.exe 105 PID 5864 wrote to memory of 4540 5864 Kazekage.exe 105 PID 5864 wrote to memory of 4540 5864 Kazekage.exe 105 PID 4780 wrote to memory of 1920 4780 csrss.exe 104 PID 4780 wrote to memory of 1920 4780 csrss.exe 104 PID 4780 wrote to memory of 1920 4780 csrss.exe 104 PID 5496 wrote to memory of 6008 5496 smss.exe 108 PID 5496 wrote to memory of 6008 5496 smss.exe 108 PID 5496 wrote to memory of 6008 5496 smss.exe 108 PID 5864 wrote to memory of 4252 5864 Kazekage.exe 109 PID 5864 wrote to memory of 4252 5864 Kazekage.exe 109 PID 5864 wrote to memory of 4252 5864 Kazekage.exe 109 PID 5496 wrote to memory of 3236 5496 smss.exe 110 PID 5496 wrote to memory of 3236 5496 smss.exe 110 PID 5496 wrote to memory of 3236 5496 smss.exe 110 PID 1920 wrote to memory of 3748 1920 system32.exe 111 PID 1920 wrote to memory of 3748 1920 system32.exe 111 PID 1920 wrote to memory of 3748 1920 system32.exe 111 PID 5864 wrote to memory of 372 5864 Kazekage.exe 112 PID 5864 wrote to memory of 372 5864 Kazekage.exe 112 PID 5864 wrote to memory of 372 5864 Kazekage.exe 112 PID 5496 wrote to memory of 4076 5496 smss.exe 113 PID 5496 wrote to memory of 4076 5496 smss.exe 113 PID 5496 wrote to memory of 4076 5496 smss.exe 113 PID 1920 wrote to memory of 2708 1920 system32.exe 114 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1760 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5496 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4592
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4688 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3200
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4668
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4780 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5056
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1620
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3956
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4696
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1920 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3748
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3252
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5632
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4376
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3876
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3184
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2432
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1012
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3040
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4632
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4536
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1400
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4440
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4016
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2528
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6068
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5820
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4528
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3964
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3972
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6008
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3236
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4076
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3808
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3200
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3960
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5692
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2368
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3496
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2336
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4028
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5864 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4540
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4252
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:372
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1400
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4816
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:528
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:648
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4452
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3228
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5368
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:812
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1736
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5784
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4836
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4620
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5056
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:4296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4316
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
9.1MB
MD53f5cdaddfe8e342e24609c33a3b7b9f7
SHA1436a969fc65cf39b5f57cab570ec3aac539d0ba6
SHA256fc4c2dd926701e227c4612bdba4bdf15bfe17d54bb2b36390f934b6190d610e9
SHA5123fff8c45815683458fe8cbf8ad4fa1ed4dd30b8f0a3cec767a502fa24cc6c2f338a09ca691c9f5c0b12b3c1afab0c108e1885711d998423613f5d4288ac272ec
-
Filesize
9.1MB
MD5081190a3c71c8f5fe364a40716b00ad5
SHA1c1e9d8023a841bd9ca95eeed58908a8611fdd98e
SHA256085a996485968c9eaaf71ad895c7f01c72f9e3ffb3579b546a8a0ceab6236f89
SHA512ab259952d9bb3e9135c0887b1a2278be4d6cb4d278f053ff2bc5ce44551cc76e4d1d7edb113bad60a88234197954260ad02e5fd067c69a994e5d783017b2e9ff
-
Filesize
9.1MB
MD5a0324b42ffca8d2f9ba7468b264215d5
SHA1f00e2501daabbd71e459579558cc4451c1abf92a
SHA256a4d01eaf7a9242bb837033404e01f04e514298bfcda8e58264afc884e0a2a4f5
SHA5121c4b5289bf9c47d3dbc4d3105b748d248ec899930f7ee75de4f0d928b58ec161cb52605de7d9302e581d4e011bfaef3804a5d1db8e27051d09d271a16c6f024f
-
Filesize
9.1MB
MD5279959b071f8ab03c5da5f0b17b60360
SHA174eb7b218dad08e0947dd1274d2b1fa0eab15266
SHA256c902c3f41be2e92dd06fe0c8161df29d7afb0ed0686c90a1e527b95986298829
SHA5128c22a64a07a7752deaffef264dc04375f4b6b07c2041e51554867550e3e6fede6bc8dbd3cfb3a92ffc16a9b6f142409aa29ea85f08aec7239ef25220adc87adc
-
Filesize
9.1MB
MD5ea472b9e8c3abf7692b14dc75708825c
SHA182e2832a16bdd434a611b2aea52c3c8e775d8f82
SHA25694a41e1676b7157b63cfb0edf059b3c99a039e1433ae873f74259e551f70be17
SHA512f1c2001276d719e5681c8024991a01ee9726a16fd03ee8be9b7d829db9acc17112cd9809cb64aa594eb1002fc08945c3372679cece82dd40d4d2fe90750a5723
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
9.1MB
MD51a13536dba976062e64686e14f6a628e
SHA1fc1b66783f19a27aebc923ecd47b5f10a9472b19
SHA256d8424cbba9a01863994c3b5bfc4d9c4ad3f49534233d1eabfb132132fde36960
SHA512cf4462b3e3e5eeded2239da806e6ab055ba386a6787e28d68fe2f42235e323cd34d379d2a3a424bf0aa8123617809d4273003d5b5d28a47c7e561fab52b52a23
-
Filesize
9.1MB
MD5e110ce870a1e9221406cece0a88127c0
SHA14e6469e1c596411961b735b1535aede307e52c80
SHA2565671e714f453d94e48054e669b8762ed2a85fe4d9a78b24fe237bf2fa9ceda8a
SHA5126d9bdaa23b1db8c3dcc79883a7bc0df76d5855a90fdd2410287104e04dd20bc35d2e33d8fbfd9d4b9af6f7f226c48b5351294cd0413006c824472ff5ddc2cae4
-
Filesize
9.1MB
MD5476bdca2fdf8ef8a12e2da9409b79dab
SHA1b3a3a6fc12ef2b947ccfe0217dd7fda0b884a583
SHA256d69bba6efa1b5af86b093e0a059eadc34049dfcefa72d8b41159374ff0284423
SHA512cfbe2000924829dc94c267ee23dbfd3283e68aef138649f5ead9d9979b70216e94d5672bdd4275b7c8dd8acaf3a5894927821adbefa0f59bef3af4d91a8cef94
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
9.1MB
MD50e2f8f584b36b20eb5f9965b398268a8
SHA13d14f37af772307744ec3061fe691a171b2bdf31
SHA256d4db9dcf4ec4f2f72b218bf404c86db95a77d4d9d483d912752de50ea261edec
SHA51218592d4766a858c0c4cc3c1e25cdb9ca81f73422c7194c60de6452724ffd39468c776df9b7208c3ccf7a510317799cf6ed535421ca4aeea30b6489906a0c5559
-
Filesize
9.1MB
MD50c3bcdc53ec15fd4441a0c8ebcc891db
SHA1e40cbe921b6921ae16bc788c5b7d3e3c0553108b
SHA25690cacb716912ff16f126e182a5a42e6f35d617c52e9c7a76440a797510903e34
SHA5123504aa98f37a38629f8fc39dcc1568f89b40b5497c3bce67ec1682a9ac850671ab3a8f39cf8ea443db1f661ee843da8650d6923b413d01ed648709daf436fc3c
-
Filesize
9.1MB
MD52707983b096a6ef11dc8d64499461c56
SHA13e9eceac2a7d5bc0a41734535f5b6dcf52c9652e
SHA25631819dbbe8453bdc8e99f844436764a07ba34b973345d3f47bd051f556e0a1e6
SHA5121682536e516384f9a523e63272a0baf5b9a94abfbac9524de1e9c3adfda0d2408ce09bf987b7903b18a220811501009a77e669d5b52171ee322d8322b6e02cbc
-
Filesize
127KB
MD5536f876fc9f2662fc082b5c2754525f8
SHA1f17db351640511725eb3a0aeec4109129fee264b
SHA2560faf746cfec8607f6d142cc2d217ad0aac77d6655d5966eee24c37da9074293a
SHA5120c5c58b8efd35052cf1bb01ddbaf40ab896d2990df0cf195b1a76de01b6241ff37ccc76672c48248fd0c5e3be467095b46c2efe3e981ac31007148145a718881
-
Filesize
9.1MB
MD5e26c0b5fba9b65271f228998d6cc003e
SHA1434b7a5c1654f3c6cdb56084bfd9a348d6993751
SHA256120da64e3ca241813055b0b09a8702863329835f77dcaa994e5451a745591d78
SHA5125802226228c4caaa5705eed975d64543cc44012edfaedef64adbd92323560b21f7fd1b3e034025c2647d6f61102a7a747dce3910addba7f472474df0252b7d30
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
9.1MB
MD57bc9a2abbb0656acfdf8165c0b2f20af
SHA159e381f8cbd2bbe1c8bfd1db8221e71f055e7753
SHA25675a09b81502c684682726ba6a13f5004bc90ea613f67c9a5e5c4e096e1d6434c
SHA512a2474634ce83fe64dd7dfd2762ab5178da6316ff4b1e021f4d8e019a42cd4d12c13ec5e53023fce8bd990ce14f3297b3a9c8b614917c8f13fddde6f36cb51d3f
-
Filesize
9.1MB
MD5e54889208b440bdca12d16d1d21ac060
SHA187e74a72abec0dbd3bf78e92a9da2d392072f701
SHA256f61b30973645df0a678288a94d7ae0d9456446eb8d2de1b6d1a40e5ab17a7cd8
SHA512a74f5bde51ba7b18c7b683a8e62980c5a9ae6a64b38bdf288b18bf09f73d45f044a478a747424ad0c49d3e2ec415c205ffa41ea5185408ca08ff524bb0f6dc93