Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2025 (2 May 2025), 11:06
Behavioral task behavioral1 (the task this report covers, matching the platform above)
Sample: 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Resource: win10v2004-20250410-en

Behavioral task behavioral2
Sample: 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Resource: win11-20250410-en
General
Target: 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Size: 9.1MB
MD5: 24e7c1a8417dc201634e941d8b909cc9
SHA1: d5239624c22cbe561bd329a47990acf8be008315
SHA256: 3b322952e1c18e764d5d989406a13f4c2f4fcef039860d6cf45ba100a2abf76b
SHA512: 3c87c96300069756ec558532ea5965d8c67803684ed0f050227c3a2e2a3ed714430b3302b66f237ec0cd7843bc06fdc9c7bada32a0258a1826ba1190d7104d23
SSDEEP: 49152:FGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gt/Ido:FGyqWyWy0GyqWyWyMRPC1eHL5dGYSEYo
Malware Config: (empty)

Signatures
-
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Both values are written through the WOW6432Node view, consistent with a 32-bit process, and reference relative paths (drivers\csrss.exe, drivers\system32.exe). The 64-bit winlogon.exe reads the native Winlogon key, so check both views when triaging; system32.exe is the copy dropped under C:\Windows\SysWOW64\drivers (see "Drops file in Drivers directory" below).
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe

UAC bypass (3 TTPs, 6 IoCs)
EnableLUA = 0 turns UAC off system-wide rather than bypassing a prompt: writing this machine-wide policy value already requires administrative rights, and the change only takes effect after the next reboot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe

Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe

Disables use of System Restore points (1 TTPs)
No IoC is listed under this signature; the related evidence is the Image File Execution Options Debugger entry below that redirects rstrui.exe (the System Restore UI) to drivers\\Kazekage.exe.

Drops file in Drivers directory (24 IoCs)
The files land in C:\Windows\SysWOW64\drivers rather than System32\drivers, which is consistent with a 32-bit process writing to System32 and being redirected by WOW64 file system redirection. The Winlogon and Run values above and below reference these copies by the relative path drivers\...
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe

Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
When an image name has a Debugger value, Windows starts the named program with the original command line appended instead of the image itself. "drivers\\Kazekage.exe" therefore runs in place of the Windows tools (taskmgr, regedit, regedt32, msconfig, rstrui, mmc, wscript, cscript), and "cmd.exe /c del" makes any file launched under the other names delete itself. These writes land outside WOW6432Node, consistent with the Image File Execution Options key being shared between the 32-bit and 64-bit registry views.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKA GE4.exe\Debugger = "cmd.exe /c del" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | csrss.exe

Executes dropped EXE (30 IoCs)
pid | Process
2492 | smss.exe
4492 | smss.exe
4852 | Gaara.exe
4808 | smss.exe
6052 | Gaara.exe
2976 | csrss.exe
2796 | smss.exe
5336 | Gaara.exe
232 | Gaara.exe
1372 | csrss.exe
5624 | csrss.exe
5260 | Kazekage.exe
5608 | Kazekage.exe
6092 | smss.exe
1376 | system32.exe
3416 | csrss.exe
3460 | Gaara.exe
2496 | csrss.exe
3860 | Kazekage.exe
452 | smss.exe
5760 | Kazekage.exe
5912 | system32.exe
5252 | Gaara.exe
5384 | system32.exe
348 | csrss.exe
1604 | system32.exe
3516 | Kazekage.exe
5924 | Kazekage.exe
1048 | system32.exe
4352 | system32.exe

Loads dropped DLL (18 IoCs)
Only the smss.exe, Gaara.exe and csrss.exe instances from the previous table appear here; the Kazekage.exe and system32.exe instances do not.
pid | Process
2492 | smss.exe
4492 | smss.exe
4852 | Gaara.exe
4808 | smss.exe
6052 | Gaara.exe
2976 | csrss.exe
2796 | smss.exe
5336 | Gaara.exe
232 | Gaara.exe
1372 | csrss.exe
5624 | csrss.exe
6092 | smss.exe
3416 | csrss.exe
3460 | Gaara.exe
2496 | csrss.exe
452 | smss.exe
5252 | Gaara.exe
348 | csrss.exe

Adds Run key to start application (2 TTPs, 24 IoCs)
All four values use relative paths, which Windows resolves through the CreateProcess search order (application directory, current directory, System32, Windows directory, then PATH), so the executing copy has to be located on disk rather than read off the value. The Run key is redirected for 32-bit writers, hence the WOW6432Node path; 64-bit Explorer processes both views.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | csrss.exe

Checks whether UAC is enabled (1 TTPs, 6 IoCs)
The six writes listed here are the same EnableLUA = 0 writes recorded under the UAC bypass signature above.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe

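The registry signatures on this page (Winlogon Shell/Userinit, Explorer HideFileExt/ShowSuperHidden, EnableLUA, DisableRegistryTools, and the Run keys) are all "Set value" rows of the same shape. The script below is an added example, not part of the report or the sample: it parses rows in the report's own rendering (note the doubled backslashes inside values), normalises the NT registry path into hive, SID and WOW6432Node view, and applies one rule per value. The rows are copied from this page; the two benign control rows (a vendor updater under an absolute path and a Shell value left at its default) and the ATT&CK mappings are the author's additions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One row of the report's "description | ioc | Process" tables, e.g.
#   Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\...\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe
ROW_RE = re.compile(r'^Set value \((?P<kind>str|int)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$')

# Hive-relative key paths (lower-case, WOW6432Node removed) that the rules watch.
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"software\microsoft\windows\currentversion\policies\system"
EXPLORER = r"software\microsoft\windows\currentversion\explorer\advanced"
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# Constructed input: rows copied from this report plus two benign control rows (assumed names).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Gaara.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe',
]


@dataclass
class RegEvent:
    hive: str             # HKLM or HKU
    sid: Optional[str]    # user SID for HKU writes
    wow64: bool           # written through the 32-bit (WOW6432Node) view
    key: str              # hive-relative key path, WOW6432Node removed
    name: str             # value name
    value: str            # value data with the report's backslash escaping undone
    proc: str             # writing process


@dataclass
class Finding:
    severity: str         # "high" for tampering, "info" for persistence worth recording
    technique: str        # ATT&CK technique id
    detail: str
    event: RegEvent


def parse_row(row: str) -> Optional[RegEvent]:
    m = ROW_RE.match(row)
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    parts = key.split("\\")                      # ['', 'REGISTRY', 'MACHINE' or 'USER', ...]
    if parts[2] == "MACHINE":
        hive, sid, rest = "HKLM", None, parts[3:]
    else:                                        # \REGISTRY\USER\<SID>\...
        hive, sid, rest = "HKU", parts[3], parts[4:]
    wow64 = "WOW6432Node" in rest
    rest = [p for p in rest if p != "WOW6432Node"]
    value = m.group("value").replace("\\\\", "\\")   # the report renders '\' inside values as '\\'
    return RegEvent(hive, sid, wow64, "\\".join(rest), name, value, m.group("proc"))


def _entries(value: str) -> List[str]:
    """Split the comma-separated program lists used by Shell and Userinit."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_event(ev: RegEvent) -> Optional[Finding]:
    key, name, val = ev.key.lower(), ev.name.lower(), ev.value
    view = " [WOW6432Node view: 64-bit winlogon.exe reads the native key, check both]" if ev.wow64 else ""
    if key == WINLOGON and name == "shell":
        extra = [e for e in _entries(val) if e.lower() != "explorer.exe"]
        if extra:
            return Finding("high", "T1547.004", "Winlogon Shell chains extra program(s): " + ", ".join(extra) + view, ev)
    elif key == WINLOGON and name == "userinit":
        entries = _entries(val)
        if len(entries) != 1 or entries[0].lower().rsplit("\\", 1)[-1] != "userinit.exe":
            return Finding("high", "T1547.004", "Winlogon Userinit changed to: " + ", ".join(entries) + view, ev)
    elif key == POLICIES and name == "enablelua" and val == "0":
        return Finding("high", "T1548.002", "UAC disabled (EnableLUA=0, effective after the next reboot)", ev)
    elif key == POLICIES and name == "disableregistrytools" and val == "1":
        return Finding("high", "T1562.001", "Registry editor disabled by policy for this user", ev)
    elif key == EXPLORER and name == "hidefileext" and val == "1":
        return Finding("high", "T1564.001", "Explorer set to hide file extensions", ev)
    elif key == EXPLORER and name == "showsuperhidden" and val == "0":
        return Finding("high", "T1564.001", "Explorer set to hide protected operating system files", ev)
    elif key == RUN_KEY:
        absolute = len(val) > 2 and val[1] == ":" and val[2] == "\\"
        if not absolute:   # resolved via the CreateProcess search order, so locate the real binary by hand
            return Finding("high", "T1547.001", f"Run entry '{ev.name}' uses relative path '{val}'", ev)
        return Finding("info", "T1547.001", f"Run entry '{ev.name}' -> {val}", ev)
    return None


def audit_rows(rows: List[str]) -> List[Finding]:
    findings = []
    for row in rows:
        ev = parse_row(row)
        finding = audit_event(ev) if ev else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_rows(SAMPLE_ROWS):
        print(f"{f.severity:4} {f.technique:10} {f.event.proc:14} {f.detail}")
```

On a live host the same rules apply to Sysmon Event ID 13 (RegistryEvent value set) data; the only change needed is the path normalisation, since Sysmon already renders hives as HKLM/HKU.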
Drops desktop.ini file(s) (64 IoCs)
Desktop.ini at a volume root is Explorer's folder-customisation file (icon and label); written on every drive letter alongside Autorun.inf it belongs to the same spreading routine.
description | ioc | Process
File opened for modification | \??\K:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\T:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\V:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | F:\Desktop.ini | csrss.exe
File opened for modification | \??\A:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\B:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | \??\H:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\S:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\W:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\J:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | system32.exe
File opened for modification | \??\W:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | system32.exe
File opened for modification | \??\L:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\G:\Desktop.ini | system32.exe
File opened for modification | \??\X:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | Kazekage.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\K:\Desktop.ini | Gaara.exe
File opened for modification | D:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | C:\Desktop.ini | smss.exe
File opened for modification | \??\A:\Desktop.ini | Gaara.exe
File opened for modification | \??\M:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\M:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | Kazekage.exe
File opened for modification | \??\U:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\X:\Desktop.ini | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification | \??\G:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
File opened for modification | \??\O:\Desktop.ini | system32.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\Q: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\H: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\Z: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\B: | system32.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\S: | system32.exe
File opened (read-only) | \??\V: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\L: | system32.exe
File opened (read-only) | \??\U: | Kazekage.exe
File opened (read-only) | \??\A: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\T: | csrss.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\K: | Kazekage.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\R: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\W: | csrss.exe
File opened (read-only) | \??\G: | smss.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\E: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\T: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\U: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\U: | system32.exe
File opened (read-only) | \??\A: | smss.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\B: | Kazekage.exe
File opened (read-only) | \??\W: | Gaara.exe
File opened (read-only) | \??\V: | system32.exe
File opened (read-only) | \??\Y: | system32.exe
File opened (read-only) | \??\N: | Gaara.exe
File opened (read-only) | \??\V: | Gaara.exe
File opened (read-only) | \??\N: | csrss.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\O: | Kazekage.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\S: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\S: | csrss.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\A: | Kazekage.exe
File opened (read-only) | \??\A: | Gaara.exe
File opened (read-only) | \??\K: | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\R: | csrss.exe

Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes. One caveat for triage: since Windows 7 (and KB971029 on earlier versions) AutoRun is not honoured for removable media other than optical discs, so an Autorun.inf on a USB stick does not execute on insertion by itself; the file is still a reliable marker of an infected volume, and still matters on hosts where the AutoRun policy has been relaxed. Here Autorun.inf is written to every letter the sweep found, including the fixed drives C:, D: and F: (which the log shows without the \??\ prefix), not only removable ones.
description: File created / File opened for modification, ioc: <root>\Autorun.inf, grouped by process (64 IoCs)
  2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe: created on \??\A: \??\E: \??\J: \??\L: \??\N: \??\P: \??\U: \??\W:; opened for modification on F: \??\R: \??\W: (11)
  Gaara.exe: created on \??\E: \??\R:; opened for modification on \??\E: \??\M: \??\S: \??\W: \??\X: (7)
  csrss.exe: created on D: \??\I: \??\N: \??\V: \??\W:; opened for modification on \??\B: C: F: \??\H: \??\Y: \??\Z: (11)
  smss.exe: created on \??\B: \??\H: \??\L: \??\M: \??\O: \??\V:; opened for modification on D: \??\L: \??\O: \??\S: (10)
  Kazekage.exe: created on \??\I: \??\Q: \??\R: \??\W:; opened for modification on \??\E: \??\O: \??\S: \??\U: \??\V: \??\X: \??\Y: (11)
  system32.exe: created on \??\A: \??\B: \??\E: \??\M: \??\T: \??\U: \??\X: \??\Y:; opened for modification on C: \??\J: \??\K: \??\L: \??\T: \??\X: (14)
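The drive sweep and the Autorun.inf writes above are the two halves of the removable-media spread, and both can be pulled straight out of the sandbox's flattened "description ioc Process" entries. The Python below is an added example, not code from this report or from the sandbox vendor: it parses a short subset of the entries copied from this page, lists the processes that probe several drive roots, lists the processes that write Autorun.inf to a volume root, and finally parses an Autorun.inf body to extract what it would launch. The Autorun.inf text and the `payload.exe` name in it are constructed, because the report does not show the real file's contents, and the `min_drives` threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from configparser import ConfigParser

# A subset of the flattened "description ioc Process" entries from this report,
# one per line, exactly as the sandbox prints them.
REPORT_ENTRIES = r"""
File opened (read-only) \??\J: Gaara.exe
File opened (read-only) \??\Q: 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\H: 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\Z: 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\S: Gaara.exe
File opened (read-only) \??\Z: Gaara.exe
File opened (read-only) \??\I: csrss.exe
File created \??\R:\Autorun.inf Kazekage.exe
File created \??\E:\Autorun.inf 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification F:\Autorun.inf 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
File opened for modification C:\Autorun.inf system32.exe
File created C:\Windows\SysWOW64\Desktop.ini 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
""".strip().splitlines()

ACTIONS = ("File opened (read-only)", "File opened for modification", "File created")
# Volume root with or without the NT "\??\" prefix, e.g. "\??\J:" or "C:\"
ROOT_RE = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):\\?$")
# Autorun.inf directly under a volume root, e.g. "\??\R:\Autorun.inf" or "F:\Autorun.inf"
AUTORUN_RE = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):\\autorun\.inf$", re.IGNORECASE)


def parse_entry(line):
    """Split one entry into (action, ioc, process). The process name is the last
    whitespace-free token; the ioc in between may itself contain spaces."""
    for action in ACTIONS:
        if line.startswith(action + " "):
            ioc, process = line[len(action) + 1:].rsplit(None, 1)
            return action, ioc, process
    raise ValueError(f"unrecognised entry: {line!r}")


def drive_sweep(entries, min_drives=3):
    """Processes that open the root of at least min_drives distinct volumes other
    than C:, mapped to the sorted drive letters they touched (threshold is arbitrary)."""
    roots = defaultdict(set)
    for action, ioc, process in map(parse_entry, entries):
        m = ROOT_RE.match(ioc)
        if action == "File opened (read-only)" and m and m.group(1).upper() != "C":
            roots[process].add(m.group(1).upper())
    return {p: sorted(d) for p, d in roots.items() if len(d) >= min_drives}


def autorun_writers(entries):
    """Processes that create or open for modification an Autorun.inf at a volume
    root, mapped to the drives they wrote it on."""
    writers = defaultdict(set)
    for action, ioc, process in map(parse_entry, entries):
        m = AUTORUN_RE.match(ioc)
        if m and action in ("File created", "File opened for modification"):
            writers[process].add(m.group(1).upper())
    return {p: sorted(d) for p, d in writers.items()}


# Constructed Autorun.inf body: the report does not show the dropped file's contents,
# and "payload.exe" is a placeholder, not a file name from this run.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=payload.exe
icon=payload.exe
action=Open folder to view files
shell\open\command=payload.exe
shellexecute=payload.exe
"""


def autorun_targets(inf_text):
    r"""Commands an [autorun] section would launch: open=, shellexecute= and any
    shell\<verb>\command= key. Windows 7 and later ignore these for non-optical
    removable media, but they still name the binary the volume points at."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # ConfigParser lower-cases option names
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets[key] = value.strip()
    return targets


if __name__ == "__main__":
    print("drive sweep:", drive_sweep(REPORT_ENTRIES))
    print("Autorun.inf writers:", autorun_writers(REPORT_ENTRIES))
    print("Autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN_INF))
```

On the subset above csrss.exe probes only one drive and so stays below the threshold, while the dropper and Gaara.exe are reported as sweepers and Kazekage.exe, the dropper and system32.exe as Autorun.inf writers; run over the full entry lists on this page, every one of the six processes lands in both sets.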
Drops file in System32 directory 39 IoCs
description: File created / File opened for modification, grouped by ioc (39 IoCs; "the dropper" below is 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe). msvbvm60.dll and mscomctl.ocx are the Visual Basic 6 runtime and common-controls library, so the sample carries its own copy of the VB6 runtime; the date-stamped 2-5-2025.exe is created once by the dropper and then re-opened for writing by every other process in the run.
  C:\Windows\SysWOW64\2-5-2025.exe: created by the dropper; opened for modification by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (7)
  C:\Windows\SysWOW64\mscomctl.ocx: created by the dropper; opened for modification by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (7)
  C:\Windows\SysWOW64\msvbvm60.dll: created by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe; opened for modification by the same six processes (12)
  C:\Windows\SysWOW64\Desktop.ini: created by the dropper; opened for modification by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (7)
  C:\Windows\SysWOW64\ (directory handle): opened for modification by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (6)
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" (6 IoCs)
  Set by each of: 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe, Gaara.exe, Kazekage.exe, csrss.exe, smss.exe, system32.exe
The image itself is dropped to C:\Windows\Fonts\The Kazekage.jpg (see "Drops file in Windows directory"); a wallpaper path under the Fonts folder is unusual enough to hunt for on its own.
resource yara_rule: upx, 64 matches
  Memory: every match covers the same image range 0x0000000000400000-0x000000000042A000, i.e. the one UPX-packed image mapped at its default base in each of 27 distinct processes, which is consistent with a binary built without DYNAMICBASE (no ASLR relocation). Listed as behavioral1/memory/<pid>-<dump index>-0x0000000000400000-0x000000000042A000-memory.dmp:
    pid 5096: dumps 0, 124, 303, 309, 364
    pid 2492: dumps 32, 152, 304, 310, 365
    pid 5260: dumps 186, 254, 305, 454
    pid 4852: dumps 79, 173, 306
    pid 2976: dumps 125, 214, 308
    pid 1376: dumps 215, 268, 307
    pid 4492: dumps 70, 75
    pid 6052: dumps 114, 119
    pid 5608: dumps 188, 209
    pid 3416: dumps 222, 246
    pid 5912: dumps 255, 272
    pid 5252: dumps 256, 274
    pid 4352: dumps 297, 302
    one dump each: pid 5336 (169), 232 (177), 1372 (180), 5624 (183), 2496 (242), 452 (243), 3460 (247), 3860 (259), 5760 (270), 5384 (283), 1604 (292), 3516 (294), 5924 (296), 1048 (301)
  Dropped files (behavioral1/files/): 0x00070000000242e5-31.dat, 0x00070000000242e6-41.dat, 0x00070000000242e7-11.dat, 0x00070000000242e7-46.dat, 0x00070000000242e7-122.dat, 0x00070000000242e8-49.dat, 0x00070000000242e8-89.dat, 0x00070000000242e8-196.dat, 0x00070000000242e8-233.dat, 0x00070000000242e9-94.dat, 0x00070000000242e9-136.dat, 0x00070000000242ea-57.dat, 0x00070000000242ea-139.dat (13)
  If the UPX headers in the dropped files are intact, `upx -d` recovers the underlying VB6 binary for static analysis; otherwise dump the image from 0x400000 once the stub has finished unpacking.
Drops file in Windows directory 64 IoCs
description: File created / File opened for modification, grouped by ioc (64 IoCs; "the dropper" below is 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe). Three things stand out: executables named after real Windows components (csrss.exe, smss.exe) are written under C:\Windows\Fonts\Admin 2 - 5 - 2025\, a folder that should hold nothing but fonts; the VB6 runtime (msvbvm60.dll, mscomctl.ocx) and mscoree.dll are written to or opened for writing in C:\Windows\, C:\Windows\system\ and C:\Windows\WBEM\, the first two of which are on the default DLL search order; and the wallpaper image is parked in the Fonts folder too.
  C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe: created by the dropper, Gaara.exe, Kazekage.exe, system32.exe, smss.exe; opened for modification by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (11)
  C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe: created by Gaara.exe, system32.exe; opened for modification by the dropper, Gaara.exe, csrss.exe, system32.exe, smss.exe (7)
  C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe: created by the dropper, Gaara.exe, Kazekage.exe, system32.exe, smss.exe; opened for modification by Gaara.exe, Kazekage.exe, system32.exe, smss.exe (9)
  C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll: created by the dropper, Gaara.exe, csrss.exe, smss.exe; opened for modification by the dropper (5)
  C:\Windows\Fonts\The Kazekage.jpg: created by the dropper; opened for modification by the dropper, csrss.exe, Kazekage.exe, smss.exe (5)
  C:\Windows\msvbvm60.dll: created by the dropper; opened for modification by the dropper, Gaara.exe, csrss.exe, smss.exe (5)
  C:\Windows\mscomctl.ocx: opened for modification by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (6)
  C:\Windows\system\msvbvm60.dll: opened for modification by the dropper, Gaara.exe, csrss.exe, system32.exe, smss.exe (5)
  C:\Windows\system\mscoree.dll: opened for modification by Gaara.exe, csrss.exe, Kazekage.exe, smss.exe (4)
  C:\Windows\WBEM\msvbvm60.dll: created by the dropper, Gaara.exe, csrss.exe, system32.exe, smss.exe (5)
  C:\Windows\ (directory handle): opened for modification by the dropper, system32.exe (2)
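The "Drops file in System32 directory" and "Drops file in Windows directory" sections together are a compact catalogue of name-and-location anomalies: component names in the wrong directory, an executable where only fonts belong, and runtime DLLs scattered across the DLL search order. The Python below is an added example, not code from this report or from the sandbox vendor, that scores such paths from name and location alone. The canonical homes of csrss.exe and smss.exe and the default DLL search order (with SafeDllSearchMode on) are Windows facts; the finding codes are my own, the path list is copied from this page, and the two System32 control paths at the end are constructed so the benign case is exercised as well.

```python
import ntpath

# Where the real Windows binaries whose names this sample reuses actually live.
# csrss.exe and smss.exe exist only in System32; system32.exe is not a Windows
# binary at all, its name merely imitates the directory.
CANONICAL_HOME = {"csrss.exe": r"c:\windows\system32", "smss.exe": r"c:\windows\system32"}
LOOKALIKE_NAMES = {"system32.exe"}
# Runtime libraries this sample writes around the Windows directory, and their normal homes.
RUNTIME_DLLS = {"msvbvm60.dll", "mscomctl.ocx", "mscoree.dll"}
RUNTIME_HOMES = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Directories on the default DLL search order (SafeDllSearchMode on) other than the
# application directory: System32 (SysWOW64 for 32-bit code), the 16-bit System
# directory, then the Windows directory. A copy here is picked up by any loader that
# asks for the library by bare name and does not find it earlier in the order.
SEARCH_ORDER_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system", r"c:\windows"}
EXECUTABLE_EXT = {".exe", ".dll", ".ocx", ".scr"}


def assess_dropped_path(path):
    """Return (finding, detail) pairs for one dropped-file path; [] means nothing
    stands out from the name and location alone."""
    norm = path.lower().rstrip("\\")
    directory, name = ntpath.dirname(norm), ntpath.basename(norm)
    ext = ntpath.splitext(name)[1]
    findings = []
    if name in CANONICAL_HOME and directory != CANONICAL_HOME[name]:
        findings.append(("masquerade", f"{name} outside {CANONICAL_HOME[name]}"))
    if name in LOOKALIKE_NAMES:
        findings.append(("lookalike-name", f"{name} imitates a system directory name"))
    if directory.startswith(r"c:\windows\fonts") and ext in EXECUTABLE_EXT:
        findings.append(("exe-in-fonts", f"{ext} file under C:\\Windows\\Fonts"))
    if name in RUNTIME_DLLS and directory not in RUNTIME_HOMES:
        where = "on the default DLL search path" if directory in SEARCH_ORDER_DIRS else "off the usual runtime location"
        findings.append(("runtime-dll-planted", f"{name} in {directory}, {where}"))
    return findings


def triage(paths):
    """Map each path to its findings, dropping paths with none."""
    result = {}
    for p in paths:
        f = assess_dropped_path(p)
        if f:
            result[p] = f
    return result


# Paths taken from the two "Drops file" sections of this report, plus two benign
# controls (constructed) at the end.
DROPPED_PATHS = [
    r"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe",
    r"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe",
    r"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe",
    r"C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll",
    r"C:\Windows\Fonts\The Kazekage.jpg",
    r"C:\Windows\msvbvm60.dll",
    r"C:\Windows\mscomctl.ocx",
    r"C:\Windows\system\msvbvm60.dll",
    r"C:\Windows\system\mscoree.dll",
    r"C:\Windows\WBEM\msvbvm60.dll",
    r"C:\Windows\SysWOW64\2-5-2025.exe",
    r"C:\Windows\SysWOW64\msvbvm60.dll",
    r"C:\Windows\System32\csrss.exe",  # control
    r"C:\Windows\System32\smss.exe",   # control
]

if __name__ == "__main__":
    for path, findings in triage(DROPPED_PATHS).items():
        print(path)
        for code, detail in findings:
            print(f"    {code}: {detail}")
```

Nine of the fourteen paths are flagged. The two that slip through are instructive: C:\Windows\SysWOW64\2-5-2025.exe and the msvbvm60.dll written into SysWOW64 look normal by name and location and only stand out because of which process wrote them, so a check like this needs to be paired with file-create telemetry that records the writing process, as the sandbox entries above do.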
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Treat this signature as low-signal in this run: all 64 hits are reads of the same key, and 34 of them come from ping.exe, a stock Windows tool with no reason to geolocate anything, which shows the key is read as a side effect of ordinary locale initialisation. The worm processes read it too, but nothing in this report shows the value being acted on.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, grouped by process (64 IoCs)
  ping.exe: 34
  csrss.exe: 6
  Gaara.exe: 6
  smss.exe: 6
  Kazekage.exe: 6
  system32.exe: 5
  2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe: 1
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems. The sandbox attributes this to 36 separate ping.exe processes. Their command lines are not captured in this section, so neither the target nor whether ping is being used as a connectivity probe or merely as a delay between actions can be confirmed from this report. pid 5520 appears twice, i.e. the PID was reused within the run.
pid Process: ping.exe x36, pids 232, 640, 956, 1780, 2244, 2476, 2496, 2764, 2808, 2860, 3004, 3232, 3336, 3560, 3680, 3772, 3796, 4188, 4368, 4468, 4500, 4656, 4700, 4732, 4740, 4756, 4868, 5356, 5404, 5472, 5520, 5520, 5604, 5716, 5908, 5924
Modifies Control Panel 64 IoCs
description: Key created / Set value (str) under \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel, grouped by value (64 IoCs; "the dropper" below is 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe). This is the visible payload: the wallpaper is pointed at the dropped C:\Windows\Fonts\The Kazekage.jpg and the screen saver is set to ssmarque.scr, the Marquee screen saver of older Windows versions that is not shipped with Windows 10, with the message text below. The marquee text and the Fonts wallpaper path are the most distinctive host IoCs in this section, and the Screen Saver.Marquee key itself is a strong hint that the sample was written for a much older Windows.
  Desktop (key created): by Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (5)
  Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg": set by the dropper, Gaara.exe, system32.exe, smss.exe (4)
  Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg": set by the dropper, Gaara.exe, Kazekage.exe, smss.exe (4)
  Desktop\WallpaperStyle = "2": set by the dropper, Gaara.exe, Kazekage.exe, system32.exe, smss.exe (5)
  Desktop\SCRNSAVE.EXE = "ssmarque.scr": set by the dropper, csrss.exe, Kazekage.exe, system32.exe (4)
  Desktop\ScreenSaveTimeOut = "400": set by Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (5)
  Screen Saver.Marquee (key created): by the dropper, csrss.exe, Kazekage.exe, smss.exe (4)
  Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )": set by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (6)
  Screen Saver.Marquee\BackgroundColor = "0 0 0": set by the dropper, Gaara.exe, Kazekage.exe, smss.exe (4)
  Screen Saver.Marquee\TextColor = "255 0 0": set by Gaara.exe, csrss.exe, Kazekage.exe, smss.exe (4)
  Screen Saver.Marquee\Mode.EXE = "1": set by the dropper, Gaara.exe, csrss.exe, Kazekage.exe, smss.exe (5)
  Screen Saver.Marquee\Size = "72": set by the dropper, Gaara.exe, Kazekage.exe, system32.exe, smss.exe (5)
  Screen Saver.Marquee\Font = "Blackadder ITC": set by Gaara.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe (5)
  Screen Saver.Marquee\Speed = "4": set by the dropper, Gaara.exe, system32.exe (3)
  The 64th entry is cut off in the report as captured: Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control
Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe -
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Internet Explorer\Main | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Modifies registry class 51 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | Gaara.exe
Runs ping.exe 1 TTPs 36 IoCs
pid Process 4732 ping.exe 5472 ping.exe 640 ping.exe 5908 ping.exe 4756 ping.exe 2860 ping.exe 3232 ping.exe 232 ping.exe 3772 ping.exe 2244 ping.exe 5716 ping.exe 5356 ping.exe 3336 ping.exe 5404 ping.exe 2496 ping.exe 5924 ping.exe 2476 ping.exe 4468 ping.exe 5520 ping.exe 4368 ping.exe 2764 ping.exe 3560 ping.exe 4868 ping.exe 4656 ping.exe 3004 ping.exe 4740 ping.exe 4500 ping.exe 4188 ping.exe 3680 ping.exe 3796 ping.exe 5604 ping.exe 4700 ping.exe 1780 ping.exe 956 ping.exe 2808 ping.exe 5520 ping.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 4852 Gaara.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe 2976 csrss.exe
Suspicious use of SetWindowsHookEx 30 IoCs
pid Process 5096 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe 2492 smss.exe 4492 smss.exe 4852 Gaara.exe 4808 smss.exe 6052 Gaara.exe 2976 csrss.exe 2796 smss.exe 5336 Gaara.exe 232 Gaara.exe 1372 csrss.exe 5624 csrss.exe 5260 Kazekage.exe 5608 Kazekage.exe 6092 smss.exe 1376 system32.exe 3416 csrss.exe 3460 Gaara.exe 2496 csrss.exe 3860 Kazekage.exe 452 smss.exe 5760 Kazekage.exe 5912 system32.exe 5252 Gaara.exe 5384 system32.exe 348 csrss.exe 1604 system32.exe 3516 Kazekage.exe 5924 Kazekage.exe 4352 system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5096 wrote to memory of 2492 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 87
PID 5096 wrote to memory of 2492 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 87
PID 5096 wrote to memory of 2492 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 87
PID 2492 wrote to memory of 4492 | 2492 | smss.exe | 91
PID 2492 wrote to memory of 4492 | 2492 | smss.exe | 91
PID 2492 wrote to memory of 4492 | 2492 | smss.exe | 91
PID 2492 wrote to memory of 4852 | 2492 | smss.exe | 92
PID 2492 wrote to memory of 4852 | 2492 | smss.exe | 92
PID 2492 wrote to memory of 4852 | 2492 | smss.exe | 92
PID 4852 wrote to memory of 4808 | 4852 | Gaara.exe | 95
PID 4852 wrote to memory of 4808 | 4852 | Gaara.exe | 95
PID 4852 wrote to memory of 4808 | 4852 | Gaara.exe | 95
PID 4852 wrote to memory of 6052 | 4852 | Gaara.exe | 98
PID 4852 wrote to memory of 6052 | 4852 | Gaara.exe | 98
PID 4852 wrote to memory of 6052 | 4852 | Gaara.exe | 98
PID 4852 wrote to memory of 2976 | 4852 | Gaara.exe | 99
PID 4852 wrote to memory of 2976 | 4852 | Gaara.exe | 99
PID 4852 wrote to memory of 2976 | 4852 | Gaara.exe | 99
PID 2976 wrote to memory of 2796 | 2976 | csrss.exe | 100
PID 2976 wrote to memory of 2796 | 2976 | csrss.exe | 100
PID 2976 wrote to memory of 2796 | 2976 | csrss.exe | 100
PID 2976 wrote to memory of 5336 | 2976 | csrss.exe | 102
PID 2976 wrote to memory of 5336 | 2976 | csrss.exe | 102
PID 2976 wrote to memory of 5336 | 2976 | csrss.exe | 102
PID 5096 wrote to memory of 232 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 103
PID 5096 wrote to memory of 232 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 103
PID 5096 wrote to memory of 232 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 103
PID 2976 wrote to memory of 1372 | 2976 | csrss.exe | 104
PID 2976 wrote to memory of 1372 | 2976 | csrss.exe | 104
PID 2976 wrote to memory of 1372 | 2976 | csrss.exe | 104
PID 5096 wrote to memory of 5624 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 105
PID 5096 wrote to memory of 5624 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 105
PID 5096 wrote to memory of 5624 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 105
PID 2976 wrote to memory of 5260 | 2976 | csrss.exe | 106
PID 2976 wrote to memory of 5260 | 2976 | csrss.exe | 106
PID 2976 wrote to memory of 5260 | 2976 | csrss.exe | 106
PID 5096 wrote to memory of 5608 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 107
PID 5096 wrote to memory of 5608 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 107
PID 5096 wrote to memory of 5608 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 107
PID 5260 wrote to memory of 6092 | 5260 | Kazekage.exe | 111
PID 5260 wrote to memory of 6092 | 5260 | Kazekage.exe | 111
PID 5260 wrote to memory of 6092 | 5260 | Kazekage.exe | 111
PID 5096 wrote to memory of 1376 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 110
PID 5096 wrote to memory of 1376 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 110
PID 5096 wrote to memory of 1376 | 5096 | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe | 110
PID 2492 wrote to memory of 3416 | 2492 | smss.exe | 112
PID 2492 wrote to memory of 3416 | 2492 | smss.exe | 112
PID 2492 wrote to memory of 3416 | 2492 | smss.exe | 112
PID 5260 wrote to memory of 3460 | 5260 | Kazekage.exe | 113
PID 5260 wrote to memory of 3460 | 5260 | Kazekage.exe | 113
PID 5260 wrote to memory of 3460 | 5260 | Kazekage.exe | 113
PID 5260 wrote to memory of 2496 | 5260 | Kazekage.exe | 114
PID 5260 wrote to memory of 2496 | 5260 | Kazekage.exe | 114
PID 5260 wrote to memory of 2496 | 5260 | Kazekage.exe | 114
PID 2492 wrote to memory of 3860 | 2492 | smss.exe | 115
PID 2492 wrote to memory of 3860 | 2492 | smss.exe | 115
PID 2492 wrote to memory of 3860 | 2492 | smss.exe | 115
PID 1376 wrote to memory of 452 | 1376 | system32.exe | 116
PID 1376 wrote to memory of 452 | 1376 | system32.exe | 116
PID 1376 wrote to memory of 452 | 1376 | system32.exe | 116
PID 5260 wrote to memory of 5760 | 5260 | Kazekage.exe | 117
PID 5260 wrote to memory of 5760 | 5260 | Kazekage.exe | 117
PID 5260 wrote to memory of 5760 | 5260 | Kazekage.exe | 117
PID 2492 wrote to memory of 5912 | 2492 | smss.exe | 118
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe  "C:\Users\Admin\AppData\Local\Temp\2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe"  (level 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 5096
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"  (level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2492
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"  (level 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4492
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"  (level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4852
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"  (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4808
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"  (level 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 6052
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"  (level 4)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2976
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"  (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2796
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"  (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5336
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"  (level 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1372
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 5)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 5260
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"  (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 6092
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"  (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3460
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe  "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"  (level 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2496
C:\Windows\SysWOW64\drivers\Kazekage.exe  C:\Windows\system32\drivers\Kazekage.exe  (level 6)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5760
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 6)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5384
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4368
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2808
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5908
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5520
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3796
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 6)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2496
C:\Windows\SysWOW64\drivers\system32.exe  C:\Windows\system32\drivers\system32.exe  (level 5)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1604
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5520
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5356
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4188
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 640
C:\Windows\SysWOW64\ping.exe  ping -a -l www.rasasayang.com.my 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2244
C:\Windows\SysWOW64\ping.exe  ping -a -l www.duniasex.com 65500  (level 5)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4500
-
-
-
[depth 4] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 3516)
    Command line: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 4] C:\Windows\SysWOW64\drivers\system32.exe (PID 1048)
    Command line: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

[depth 4] C:\Windows\SysWOW64\ping.exe (PID 956)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 4] C:\Windows\SysWOW64\ping.exe (PID 4700)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 4] C:\Windows\SysWOW64\ping.exe (PID 4868)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 4] C:\Windows\SysWOW64\ping.exe (PID 3336)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 4] C:\Windows\SysWOW64\ping.exe (PID 3680)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 4] C:\Windows\SysWOW64\ping.exe (PID 1780)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[depth 3] C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (PID 3416)
    Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 3860)
    Command line: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\SysWOW64\drivers\system32.exe (PID 5912)
    Command line: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 3004)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 4656)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 2764)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 3560)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 4468)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 4740)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[depth 2] C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (PID 232)
    Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 2] C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (PID 5624)
    Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 2] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 5608)
    Command line: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
[depth 2] C:\Windows\SysWOW64\drivers\system32.exe (PID 1376)
    Command line: C:\Windows\system32\drivers\system32.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
[depth 3] C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (PID 452)
    Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (PID 5252)
    Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (PID 348)
    Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 5924)
    Command line: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\SysWOW64\drivers\system32.exe (PID 4352)
    Command line: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 5472)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 2860)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 3772)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 2476)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 5924)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 3] C:\Windows\SysWOW64\ping.exe (PID 5716)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[depth 2] C:\Windows\SysWOW64\ping.exe (PID 5604)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 2] C:\Windows\SysWOW64\ping.exe (PID 4732)
    Command line: ping -a -l www.duniasex.com 65500
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 2] C:\Windows\SysWOW64\ping.exe (PID 3232)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 2] C:\Windows\SysWOW64\ping.exe (PID 232)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 2] C:\Windows\SysWOW64\ping.exe (PID 5404)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[depth 2] C:\Windows\SysWOW64\ping.exe (PID 4756)
    Command line: ping -a -l www.duniasex.com 65500
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[depth 1] C:\Windows\system32\cmd.exe (PID 5388)
    Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe

[depth 1] C:\Windows\system32\cmd.exe (PID 2036)
    Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe

[depth 1] C:\Windows\system32\cmd.exe (PID 3444)
    Command line: C:\Windows\system32\cmd.exe /c 2-5-2025.exe

[depth 1] C:\Windows\system32\cmd.exe (PID 4944)
    Command line: C:\Windows\system32\cmd.exe /c drivers\csrss.exe
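The tree above shows the dropped binaries spawning ping.exe over and over against the same two hosts with a 65500 size argument. The following is an added detection example written for this page, not code from the report or from the sandbox vendor. It runs over constructed Sysmon Event ID 1-style process-creation records (the timestamps are invented; parent/child pairs and command lines are modelled on the tree) and flags a ping launch when its numeric argument sits at the Windows -l cap, when its parent executes from a drivers or Fonts directory, or when one parent launches several pings inside a short window. The thresholds (60000 bytes, four pings per 60 seconds) are assumptions to tune. Because the observed command lines put the hostname where -l expects its byte count, the parser classifies tokens by shape rather than by position.

```python
"""Flag the ping.exe burst pattern seen in the process tree.

SAMPLE_EVENTS are constructed Sysmon Event ID 1-style tuples modelled on the
tree (timestamps invented); they are not the report's own telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PING_IMAGE = "ping.exe"
WINDOWS_MAX_PAYLOAD = 65500          # largest value Windows ping.exe accepts for -l
LARGE_PAYLOAD = 60000                # assumption: this close to the cap is anomalous
ODD_PARENT_DIRS = ("\\drivers\\", "\\fonts\\")   # no legitimate EXE launches from here
BURST_THRESHOLD = 4                  # assumption: this many pings from one parent...
BURST_WINDOW = timedelta(seconds=60)  # ...inside this window count as a burst

# (UtcTime, ParentImage, ParentProcessId, Image, ProcessId, CommandLine)
SAMPLE_EVENTS = [
    ("2025-05-02 11:07:01.000", r"C:\Windows\SysWOW64\drivers\system32.exe", 1376,
     r"C:\Windows\SysWOW64\ping.exe", 5472, "ping -a -l www.rasasayang.com.my 65500"),
    ("2025-05-02 11:07:03.000", r"C:\Windows\SysWOW64\drivers\system32.exe", 1376,
     r"C:\Windows\SysWOW64\ping.exe", 2860, "ping -a -l www.duniasex.com 65500"),
    ("2025-05-02 11:07:05.000", r"C:\Windows\SysWOW64\drivers\system32.exe", 1376,
     r"C:\Windows\SysWOW64\ping.exe", 3772, "ping -a -l www.rasasayang.com.my 65500"),
    ("2025-05-02 11:07:07.000", r"C:\Windows\SysWOW64\drivers\system32.exe", 1376,
     r"C:\Windows\SysWOW64\ping.exe", 2476, "ping -a -l www.duniasex.com 65500"),
    ("2025-05-02 11:07:09.000", r"C:\Windows\SysWOW64\drivers\system32.exe", 1376,
     r"C:\Windows\SysWOW64\ping.exe", 5924, "ping -a -l www.rasasayang.com.my 65500"),
    ("2025-05-02 11:07:15.000", r"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe", 232,
     r"C:\Windows\SysWOW64\ping.exe", 5604, "ping -a -l www.duniasex.com 65500"),
    # benign controls: an operator pinging from a console, plus a non-ping process
    ("2025-05-02 11:07:30.000", r"C:\Windows\System32\cmd.exe", 4100,
     r"C:\Windows\System32\PING.EXE", 6001, "ping -n 4 10.0.0.1"),
    ("2025-05-02 11:08:00.000", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 4200,
     r"C:\Windows\System32\PING.EXE", 6002, "ping -l 32 fileserver.corp.example"),
    ("2025-05-02 11:08:10.000", r"C:\Windows\explorer.exe", 3000,
     r"C:\Windows\System32\notepad.exe", 6003, "notepad.exe"),
]


def parse_ping_args(cmdline):
    """Split a ping command line into (targets, numeric_args), ignoring switches.

    Tokens are classified by shape, not position, because the observed lines put
    the hostname in the slot where -l expects its byte count.
    """
    targets, numbers = [], []
    for tok in cmdline.split()[1:]:          # drop the program name
        if tok[:1] in "-/":
            continue
        (numbers if tok.isdigit() else targets).append(int(tok) if tok.isdigit() else tok.lower())
    return targets, numbers


def _is_burst(times):
    """True if at least BURST_THRESHOLD timestamps fall inside one BURST_WINDOW."""
    times = sorted(times)
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= BURST_WINDOW:
            j += 1
        if j - i >= BURST_THRESHOLD:
            return True
    return False


def analyse(events):
    """Return one finding dict per suspicious ping.exe launch."""
    pings = [e for e in events if e[3].lower().endswith(PING_IMAGE)]
    launches = defaultdict(list)             # parent PID -> launch times
    for ts, _parent, ppid, _image, _pid, _cmd in pings:
        launches[ppid].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"))
    burst_parents = {ppid for ppid, ts in launches.items() if _is_burst(ts)}

    findings = []
    for _ts, parent, ppid, _image, pid, cmdline in pings:
        targets, numbers = parse_ping_args(cmdline)
        reasons = []
        if numbers and max(numbers) >= LARGE_PAYLOAD:
            reasons.append(f"numeric argument {max(numbers)} is at or near the Windows -l cap ({WINDOWS_MAX_PAYLOAD})")
        if any(d in parent.lower() for d in ODD_PARENT_DIRS):
            reasons.append(f"parent {parent} executes from a directory that should not hold executables")
        if ppid in burst_parents:
            reasons.append(f"parent PID {ppid} launched >= {BURST_THRESHOLD} pings within {BURST_WINDOW.seconds}s")
        if reasons:
            findings.append({"pid": pid, "parent_pid": ppid, "targets": targets, "reasons": reasons})
    return findings


def target_counts(findings):
    """Hosts named in flagged pings, for IOC extraction."""
    return Counter(t for f in findings for t in f["targets"])


if __name__ == "__main__":
    results = analyse(SAMPLE_EVENTS)
    for f in results:
        print(f"ping PID {f['pid']} (parent {f['parent_pid']}) -> {f['targets']}")
        for r in f["reasons"]:
            print("    -", r)
    print("targets:", dict(target_counts(results)))
```

Feed the same tuples from Sysmon or Security event 4688 exports; the benign console pings in the sample are left alone because none of the three conditions hold for them.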
Network

MITRE ATT&CK Enterprise v16
(count of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)
- Event Triggered Execution, T1546 (1)
  - Image File Execution Options Injection, T1546.012 (1)

Privilege Escalation
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)
- Event Triggered Execution, T1546 (1)
  - Image File Execution Options Injection, T1546.012 (1)

Defense Evasion
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Hide Artifacts, T1564 (2)
  - Hidden Files and Directories, T1564.001 (2)
- Impair Defenses, T1562 (1)
  - Disable or Modify Tools, T1562.001 (1)
- Modify Registry, T1112 (8)
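Every technique tabulated above is registry-backed, so the verdict can be re-checked offline from a regedit export of the infected image. The script below is an added example written for this page, not the sandbox's own logic. It parses a constructed .reg export that exercises each check (the export is not from this run; its paths reuse the dropped-file names from the process tree), strips the WOW6432Node component so that values written under 32-bit registry redirection are examined too and labelled with the view they came from, and maps each hit to the ATT&CK sub-technique. The Explorer\Advanced values it reports (Hidden, HideFileExt, ShowSuperHidden) are also the stock Windows defaults, so those hits are emitted as informational state rather than as proof of tampering.

```python
"""Triage a regedit (.reg) export for the registry techniques in the ATT&CK table."""
import re
from collections import defaultdict

# Constructed export built to exercise every check below; it is not taken from the
# sandbox run. Paths reuse the dropped-file names from the process tree.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, drivers\\csrss.exe"
"Userinit"="userinit.exe,drivers\\system32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Kazekage"="C:\\Windows\\system32\\drivers\\Kazekage.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\Windows\\system32\\drivers\\system32.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ODD_DIRS = ("\\drivers\\", "\\fonts\\")       # no legitimate autostart lives here
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce")
IFEO = r"software\microsoft\windows nt\currentversion\image file execution options" + "\\"
POLICIES = r"software\microsoft\windows\currentversion\policies\system"
EXPLORER = r"software\microsoft\windows\currentversion\explorer\advanced"


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)        # .reg escapes backslash and quote with a backslash


def _decode(rhs):
    rhs = rhs.strip()
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return _unescape(rhs[1:-1])          # REG_SZ
    if rhs.lower().startswith("dword:"):
        return int(rhs[6:], 16)              # REG_DWORD
    return rhs                               # hex(...) and other types are kept raw


def parse_reg(text):
    """Return {key_path: {value_name: value}}; REG_SZ and REG_DWORD are decoded."""
    reg, key = defaultdict(dict), None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) == "-" else m.group(2)   # "[-key]" is a deletion
            if key:
                _ = reg[key]                 # register the key even if it has no values
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            reg[key][name] = _decode(m.group(2))
    return dict(reg)


def canon(key):
    """Lower-case the path and drop WOW6432Node; return (canonical_path, view)."""
    parts = key.split("\\")
    view = "WOW6432Node" if any(p.lower() == "wow6432node" for p in parts) else "native"
    return "\\".join(p for p in parts if p.lower() != "wow6432node").lower(), view


def triage(reg):
    out = []

    def hit(technique, key, view, detail, severity="high"):
        out.append({"technique": technique, "key": key, "view": view, "detail": detail, "severity": severity})

    for key, vals in reg.items():
        path, view = canon(key)
        sub = path.partition("\\")[2]        # strip the hive name
        if sub == WINLOGON:
            shell = vals.get("Shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                hit("T1547.004 Winlogon Helper DLL", key, view, f"Shell={shell!r}")
            extra = [e.strip() for e in str(vals.get("Userinit", "")).split(",")
                     if e.strip() and not e.strip().lower().endswith("userinit.exe")]
            if extra:
                hit("T1547.004 Winlogon Helper DLL", key, view, f"Userinit appends {extra}")
        elif sub in RUN_KEYS:
            for name, cmd in vals.items():
                if isinstance(cmd, str) and any(d in cmd.lower() for d in ODD_DIRS):
                    hit("T1547.001 Registry Run Keys / Startup Folder", key, view, f"{name}={cmd!r}")
        elif sub.startswith(IFEO) and "Debugger" in vals:
            hit("T1546.012 Image File Execution Options Injection", key, view, f"Debugger={vals['Debugger']!r}")
        elif sub == POLICIES:
            if vals.get("DisableRegistryTools", 0) != 0:
                hit("T1562.001 Disable or Modify Tools", key, view, "DisableRegistryTools is set")
            if vals.get("EnableLUA", 1) == 0:
                hit("T1548.002 Bypass User Account Control", key, view, "EnableLUA=0 turns UAC off")
        elif sub == EXPLORER:
            # Hidden=2, ShowSuperHidden=0 and HideFileExt=1 are also the stock Windows
            # defaults, so they are reported as state ("info"), not as proof of tampering.
            if vals.get("Hidden") == 2 or vals.get("ShowSuperHidden") == 0:
                hit("T1564.001 Hidden Files and Directories", key, view, "Explorer hides hidden/system files", "info")
            if vals.get("HideFileExt") == 1:
                hit("T1564.001 Hidden Files and Directories", key, view, "Explorer hides known file extensions", "info")
    return out


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f"[{f['severity']:4}] {f['technique']}: {f['detail']}  ({f['view']} view: {f['key']})")
```

Run it against `reg export HKLM hklm.reg` / `reg export HKCU hkcu.reg` taken from the image; a finding whose view is WOW6432Node tells you the write came from a 32-bit process under registry redirection, which is worth recording separately from the native-view key that 64-bit components read.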
Downloads

- Filesize: 736B
  MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
  SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
  SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
  SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

- Filesize: 196B
  MD5: 1564dfe69ffed40950e5cb644e0894d1
  SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
  SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
  SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

- Filesize: 9.1MB
  MD5: bf800ffc0ff13cda9a5cb633f5c65d57
  SHA1: 6a173ec33fabd87c4aec58cd98ec82d95bad39e1
  SHA256: 8401fbd0e05e634f30287f1a31604b8f432139b8112407747a072996123a2b3b
  SHA512: d5e6c7e06654e44b0702d0b34901267153db073558f22477b119d0d55f2ff83d8329f2dd807cf55fcecea945c935b80c65572edfa90825740af89ae719cf48e0

- Filesize: 9.1MB
  MD5: 24e7c1a8417dc201634e941d8b909cc9
  SHA1: d5239624c22cbe561bd329a47990acf8be008315
  SHA256: 3b322952e1c18e764d5d989406a13f4c2f4fcef039860d6cf45ba100a2abf76b
  SHA512: 3c87c96300069756ec558532ea5965d8c67803684ed0f050227c3a2e2a3ed714430b3302b66f237ec0cd7843bc06fdc9c7bada32a0258a1826ba1190d7104d23

- Filesize: 9.1MB
  MD5: e29eaf33fc952c843e007fdd0c068a14
  SHA1: 70434f3899cb17976277491543c9ecb7abc80340
  SHA256: 12d8e18c114deda6f4000ba939f789d3b79222b2f14e8c2cc580276f63dca9c4
  SHA512: 1ebc8048834b500cec41b5195cb37b44a9e6d3210c2b2a2c3c7c7d1e4cb85344e2e193f843e6ada70026ee103391fe9f47cc490ef8fd8677c52e30e1b6b2d072

- Filesize: 9.1MB
  MD5: 4674b3cae18063f058d3db42c1bde21b
  SHA1: 307fcd931ef8244741f4ff8789583f34728f202c
  SHA256: ae620bb744ebbe992c14680b27d111910c323591f09b7e367e686b16fd8a9a54
  SHA512: b30a5c84ae6fb035d741c9d0e83258a1803d407dc03f2ebc9a61abb61627552c3bb85bbea56a9364d01b48c35fb7f323ebe9096e813a7a3e7d4a059247c4f16c

- Filesize: 9.1MB
  MD5: 6ce7284de85d3acece3da910a6d3cb73
  SHA1: 243364f9a2bcbf5ad496ff86479e3ce5f1541909
  SHA256: 8c618964947dcd836d52de4ad671b2f6cd90bf9fc6ec85bf9aa0423b7479dc2a
  SHA512: ad7c60efed40259327ca0a43310ce1ed7f7b7602595c38a52ae7e1fb1400f5566674d9a87e63f779a6a5ae2b69eccd6413b6251176ddd8349adeeb906ea58ce0

- Filesize: 1.4MB
  MD5: d6b05020d4a0ec2a3a8b687099e335df
  SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
  SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
  SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

- Filesize: 9.1MB
  MD5: 8967c1369f3d5286fe713e7a2b09c8e6
  SHA1: 709437271e4bcf282b74a14ed9a65ce548e00a61
  SHA256: a0af974815a05df3c2176fa25ffc2f6ff31b9eec160e9da935d97792cebca9eb
  SHA512: 439bdf2ce88cf3561da40253caf6097e63f9864967615a22cc56b6c4442b20c04226bd9b3448c43cc51c7311aa8d15072483577e643562e716ee26ee9dff67ee

- Filesize: 9.1MB
  MD5: fe21144bf71b7f69b82f9f272039e81e
  SHA1: 570d228ad457c079b14bb167080f6affaee99117
  SHA256: cabf5136ccf9eca88ac8ff8d3f674d15d78067fe4e912617032a15f712064d34
  SHA512: 159419822ed62dda53540bce7dd933fe19f3218242c313385f760c4c667102b7521afa78bd42ed79db7078ca4a3ba8dd2c7934a9b5ea3e33e4e123461bfcd181

- Filesize: 9.1MB
  MD5: b1f72e0bf39a31cdf59124e316a3a528
  SHA1: fae2f3db30cf1d3228b827e70812a63e475e964a
  SHA256: 42d039dcb395e867e97657a342047c94ca04fe1e09574ecdd9392d88676d6e93
  SHA512: 311477221b05510dc1d9f87beb0054229b91f379896bbdcc50fbcb7d37d39ed073b8dc0a5f87e6f18177747397901afd85f0cc14efeca6c0c65d0e7050758cb3

- Filesize: 9.1MB
  MD5: 7f2154e9305d7f2c4bb22199f4815809
  SHA1: 6d2b832b85d65fcaefeb2d583cc3a09b6e565660
  SHA256: db6c0a1a179a37465061622ad65d4a8672122aa08212e2fd99d07718c4907692
  SHA512: bd32c2177948f375c3b0cb717cf66ad6fe652f30cadf1561c05fe76f726b052bee23e5bab28efb51d012788dffc282d1ae90fb00562a313bc98342300349e9cb

- Filesize: 65B
  MD5: 64acfa7e03b01f48294cf30d201a0026
  SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
  SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
  SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

- Filesize: 9.1MB
  MD5: efa9a0f5d742dd7a5c815228021fa7ab
  SHA1: e9d4498fc4e07d4da93e937d7931718a12f9f70c
  SHA256: f52f6041eff51b294c366b32cb8017641efdc85e6e77eb8ef763b1b1e0f50020
  SHA512: 8d558a20e09e746c25458981a43aa95f6fac32db2d68daefe51136f4062ebde7fe41186555344639d5891fb0723c087f6378ba7c32e220f0c136fdf9a13bf828

- Filesize: 9.1MB
  MD5: 9f21b8f864ced7d7da1902beca1c6de4
  SHA1: 506dcd9f054b03d007942329291d4791628635d1
  SHA256: 65ebfb04eaabcae9f46933de4d7c8d381accc574820e2a72fc83fba464f352ba
  SHA512: 8c9749eb88914d9f1e79c5c499e66585e860ab22c98beda125fa34f89f3c71b061cf540909d615d9ab41eb66b9280e136305d45955fa7f9b561fdc78a463719b

- Filesize: 9.1MB
  MD5: 88c13dc651c9979a6750bf8f979385e8
  SHA1: fe08f5caae349c91da9e3235f9fe18c379e311d2
  SHA256: 1bb4c5e49772b6e45bd63583e3b66056db1627005762293ef5e0c60e6111e6aa
  SHA512: 0d3325e24115ecb8d10f19c3ea2a56cd9674ac0cd2015a0e316da94b37a4de7ae0a4a4cb2c3b730c09428265a06c58217c3d573f83b8d6ba1092ac221afa53db

- Filesize: 9.1MB
  MD5: f3b127bf4e0a06df17629039a745ad87
  SHA1: aea63a7d978c1947babffab03d88b41894b1bd77
  SHA256: 1d2e9b08f369b55b8d1abeb8bdd84fcf09937a0ac4ed6e035c2946acc68546b7
  SHA512: 5a46436d6b0d969041b04756a6a6ad6b6659bfff837289e4bd55687a2f8b1328059006df1ce7fe7bb92d9e62562ece74772e5d647d818a27e0cc11030e382429

- Filesize: 9.1MB
  MD5: 5a6cc9ce188da8161fd0c906caaab3cc
  SHA1: 95522ebe8820e96590e80c0e9a4b77fed67d176b
  SHA256: fcaf377663ab11cbe9b692f1bd9b9a16678652c010e2717078882e7158e1194a
  SHA512: 87d1ea7ae857e28cede0e68cfb56fb23fb9bf11baf18df7f28bf9cb2187de72d31f753d5e125c49910d6b48188097155daae2ca9485844c25974120abc63b930

- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a