Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system -
submitted
02/05/2025, 10:20
Behavioral task
behavioral1
Sample
2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win11-20250410-en
General
-
Target
2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
-
Size
9.5MB
-
MD5
e7c26a99c460179a23acf1ddc43b3813
-
SHA1
84856d678293e9a1efd808b2067c9ab968ba6fb9
-
SHA256
8c37250c7c6c01eb992d0f6fd005f8977aef24b16a9dca12c9d2a459a0b36579
-
SHA512
23a9618adbd840d059810f1cb66e0f12ccae83077578ae74517c18173af5db03d85a2ed669ad78707cfd568a9458d43cbf9db9a5b688cb9da5b0b1fe0797ccad
-
SSDEEP
98304:iyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvP:V1eHL5dEvP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe -
Executes dropped EXE 29 IoCs
pid Process 4668 smss.exe 4864 smss.exe 4824 Gaara.exe 3728 smss.exe 5824 Gaara.exe 5676 csrss.exe 2080 smss.exe 5840 Gaara.exe 5680 Gaara.exe 3752 csrss.exe 1944 csrss.exe 1872 Kazekage.exe 4472 Kazekage.exe 2376 csrss.exe 516 smss.exe 4404 Kazekage.exe 5520 Kazekage.exe 1220 Gaara.exe 1536 system32.exe 1672 system32.exe 3384 csrss.exe 2896 Kazekage.exe 556 smss.exe 3972 system32.exe 4340 Gaara.exe 5028 system32.exe 1760 csrss.exe 1596 Kazekage.exe 5816 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 4668 smss.exe 4864 smss.exe 4824 Gaara.exe 3728 smss.exe 5824 Gaara.exe 5676 csrss.exe 2080 smss.exe 5840 Gaara.exe 5680 Gaara.exe 3752 csrss.exe 1944 csrss.exe 2376 csrss.exe 516 smss.exe 1220 Gaara.exe 3384 csrss.exe 556 smss.exe 4340 Gaara.exe 1760 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\E:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\J:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\P:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\Y:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\I:\Desktop.ini csrss.exe File opened for modification F:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\L:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini Kazekage.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\U:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini Gaara.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\U: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\S: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\Z: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\J: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\Q: Gaara.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\B: system32.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\V: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\E: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\G: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\M: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\T: Gaara.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\I:\Autorun.inf system32.exe File opened for modification \??\B:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created D:\Autorun.inf Gaara.exe File opened for modification \??\R:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf system32.exe File opened for modification F:\Autorun.inf system32.exe File created \??\B:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created \??\N:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification D:\Autorun.inf smss.exe File created \??\Q:\Autorun.inf smss.exe File created \??\B:\Autorun.inf Gaara.exe File opened for modification \??\T:\Autorun.inf Gaara.exe File created \??\Q:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification F:\Autorun.inf csrss.exe File opened for modification \??\K:\Autorun.inf csrss.exe File created \??\Z:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf Gaara.exe File created \??\T:\Autorun.inf system32.exe File opened for modification \??\W:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\H:\Autorun.inf smss.exe File created \??\K:\Autorun.inf smss.exe File opened for modification \??\A:\Autorun.inf Gaara.exe File created \??\A:\Autorun.inf Gaara.exe File created \??\R:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf smss.exe File created \??\M:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf system32.exe File created C:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created D:\Autorun.inf csrss.exe File created \??\R:\Autorun.inf csrss.exe File opened for modification \??\B:\Autorun.inf system32.exe File opened for modification \??\P:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\T:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Autorun.inf smss.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File created \??\E:\Autorun.inf system32.exe File created \??\Y:\Autorun.inf system32.exe File created \??\K:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf csrss.exe File created \??\T:\Autorun.inf Kazekage.exe File opened for modification C:\Autorun.inf system32.exe File created \??\T:\Autorun.inf Gaara.exe File opened for modification \??\Q:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf system32.exe File created \??\H:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\O:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\J:\Autorun.inf smss.exe File created \??\X:\Autorun.inf csrss.exe File created \??\U:\Autorun.inf system32.exe File created \??\S:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created \??\O:\Autorun.inf Kazekage.exe File opened for modification \??\E:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created \??\M:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created \??\U:\Autorun.inf smss.exe File opened for modification C:\Autorun.inf Kazekage.exe File created D:\Autorun.inf Kazekage.exe File opened for modification \??\U:\Autorun.inf Gaara.exe File opened for modification D:\Autorun.inf csrss.exe File created \??\L:\Autorun.inf 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\L:\Autorun.inf smss.exe File created \??\H:\Autorun.inf Gaara.exe File created \??\J:\Autorun.inf Gaara.exe File opened for modification \??\L:\Autorun.inf Gaara.exe File created \??\V:\Autorun.inf csrss.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\2-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe -
resource yara_rule behavioral1/memory/1704-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024215-11.dat upx behavioral1/files/0x0007000000024212-33.dat upx behavioral1/memory/4668-32-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024215-46.dat upx behavioral1/files/0x0007000000024218-57.dat upx behavioral1/memory/4864-70-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4824-77-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024214-75.dat upx behavioral1/memory/4864-80-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024217-93.dat upx behavioral1/files/0x0007000000024216-88.dat upx behavioral1/memory/5824-112-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5824-116-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024215-118.dat upx behavioral1/memory/5676-120-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1704-119-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024217-132.dat upx behavioral1/memory/4668-133-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2080-161-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5840-162-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4824-159-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5680-171-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3752-172-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024217-174.dat upx behavioral1/memory/1872-175-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5676-177-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4472-181-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2376-185-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4472-210-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2376-213-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5520-219-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1672-235-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4404-231-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024218-230.dat upx behavioral1/memory/516-229-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1872-228-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1536-227-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1220-239-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1672-244-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2896-257-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3972-263-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1536-265-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4340-266-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5028-269-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1760-270-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1596-273-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5816-276-0x0000000000400000-0x000000000042B000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\WBEM\msvbvm60.dll 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll system32.exe File created C:\Windows\system\msvbvm60.dll 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\mscomctl.ocx 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\ Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2968 ping.exe 3916 ping.exe 6124 ping.exe 3972 ping.exe 4784 ping.exe 720 ping.exe 544 ping.exe 5992 ping.exe 4924 ping.exe 4564 ping.exe 5428 ping.exe 2164 ping.exe 5332 ping.exe 2060 ping.exe 5580 ping.exe 5360 ping.exe 5904 ping.exe 2220 ping.exe 3868 ping.exe 5276 ping.exe 5912 ping.exe 516 ping.exe 1532 ping.exe 6084 ping.exe 4940 ping.exe 3452 ping.exe 752 ping.exe 1344 ping.exe 980 ping.exe 776 ping.exe 2168 ping.exe 5620 ping.exe 3160 ping.exe 3600 ping.exe 1776 ping.exe 1284 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Microsoft\Internet Explorer\Main 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 1284 ping.exe 4940 ping.exe 5332 ping.exe 3972 ping.exe 2220 ping.exe 3916 ping.exe 6084 ping.exe 2168 ping.exe 5620 ping.exe 5580 ping.exe 6124 ping.exe 4564 ping.exe 4784 ping.exe 3452 ping.exe 2060 ping.exe 5276 ping.exe 720 ping.exe 2164 ping.exe 1532 ping.exe 3868 ping.exe 5360 ping.exe 5912 ping.exe 544 ping.exe 5992 ping.exe 2968 ping.exe 4924 ping.exe 980 ping.exe 1776 ping.exe 776 ping.exe 3160 ping.exe 752 ping.exe 516 ping.exe 5428 ping.exe 3600 ping.exe 1344 ping.exe 5904 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 5676 csrss.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4824 Gaara.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe 4668 smss.exe -
Suspicious use of SetWindowsHookEx 30 IoCs
pid Process 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 4668 smss.exe 4864 smss.exe 4824 Gaara.exe 3728 smss.exe 5824 Gaara.exe 5676 csrss.exe 2080 smss.exe 5840 Gaara.exe 5680 Gaara.exe 3752 csrss.exe 1944 csrss.exe 1872 Kazekage.exe 4472 Kazekage.exe 2376 csrss.exe 516 smss.exe 4404 Kazekage.exe 5520 Kazekage.exe 1220 Gaara.exe 1536 system32.exe 1672 system32.exe 3384 csrss.exe 2896 Kazekage.exe 556 smss.exe 3972 system32.exe 4340 Gaara.exe 5028 system32.exe 1760 csrss.exe 1596 Kazekage.exe 5816 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 4668 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 87 PID 1704 wrote to memory of 4668 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 87 PID 1704 wrote to memory of 4668 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 87 PID 4668 wrote to memory of 4864 4668 smss.exe 89 PID 4668 wrote to memory of 4864 4668 smss.exe 89 PID 4668 wrote to memory of 4864 4668 smss.exe 89 PID 4668 wrote to memory of 4824 4668 smss.exe 90 PID 4668 wrote to memory of 4824 4668 smss.exe 90 PID 4668 wrote to memory of 4824 4668 smss.exe 90 PID 4824 wrote to memory of 3728 4824 Gaara.exe 94 PID 4824 wrote to memory of 3728 4824 Gaara.exe 94 PID 4824 wrote to memory of 3728 4824 Gaara.exe 94 PID 4824 wrote to memory of 5824 4824 Gaara.exe 96 PID 4824 wrote to memory of 5824 4824 Gaara.exe 96 PID 4824 wrote to memory of 5824 4824 Gaara.exe 96 PID 4824 wrote to memory of 5676 4824 Gaara.exe 98 PID 4824 wrote to memory of 5676 4824 Gaara.exe 98 PID 4824 wrote to memory of 5676 4824 Gaara.exe 98 PID 5676 wrote to memory of 2080 5676 csrss.exe 99 PID 5676 wrote to memory of 2080 5676 csrss.exe 99 PID 5676 wrote to memory of 2080 5676 csrss.exe 99 PID 1704 wrote to memory of 5840 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 100 PID 1704 wrote to memory of 5840 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 100 PID 1704 wrote to memory of 5840 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 100 PID 5676 wrote to memory of 5680 5676 csrss.exe 103 PID 5676 wrote to memory of 5680 5676 csrss.exe 103 PID 5676 wrote to memory of 5680 5676 csrss.exe 103 PID 1704 wrote to memory of 3752 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 104 PID 1704 wrote to memory of 3752 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 104 PID 1704 wrote to memory of 3752 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 104 PID 5676 wrote to memory of 1944 5676 csrss.exe 105 PID 5676 wrote to memory of 1944 5676 csrss.exe 105 PID 5676 wrote to memory of 1944 5676 csrss.exe 105 PID 1704 wrote to memory of 1872 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 106 PID 1704 wrote to memory of 1872 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 106 PID 1704 wrote to memory of 1872 1704 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe 106 PID 5676 wrote to memory of 4472 5676 csrss.exe 107 PID 5676 wrote to memory of 4472 5676 csrss.exe 107 PID 5676 wrote to memory of 4472 5676 csrss.exe 107 PID 4668 wrote to memory of 2376 4668 smss.exe 108 PID 4668 wrote to memory of 2376 4668 smss.exe 108 PID 4668 wrote to memory of 2376 4668 smss.exe 108 PID 1872 wrote to memory of 516 1872 Kazekage.exe 109 PID 1872 wrote to memory of 516 1872 Kazekage.exe 109 PID 1872 wrote to memory of 516 1872 Kazekage.exe 109 PID 4824 wrote to memory of 4404 4824 Gaara.exe 110 PID 4824 wrote to memory of 4404 4824 Gaara.exe 110 PID 4824 wrote to memory of 4404 4824 Gaara.exe 110 PID 4668 wrote to memory of 5520 4668 smss.exe 111 PID 4668 wrote to memory of 5520 4668 smss.exe 111 PID 4668 wrote to memory of 5520 4668 smss.exe 111 PID 1872 wrote to memory of 1220 1872 Kazekage.exe 113 PID 1872 wrote to memory of 1220 1872 Kazekage.exe 113 PID 1872 wrote to memory of 1220 1872 Kazekage.exe 113 PID 4668 wrote to memory of 1536 4668 smss.exe 112 PID 4668 wrote to memory of 1536 4668 smss.exe 112 PID 4668 wrote to memory of 1536 4668 smss.exe 112 PID 4824 wrote to memory of 1672 4824 Gaara.exe 114 PID 4824 wrote to memory of 1672 4824 Gaara.exe 114 PID 4824 wrote to memory of 1672 4824 Gaara.exe 114 PID 1872 wrote to memory of 3384 1872 Kazekage.exe 115 PID 1872 wrote to memory of 3384 1872 Kazekage.exe 115 PID 1872 wrote to memory of 3384 1872 Kazekage.exe 115 PID 1872 wrote to memory of 2896 1872 Kazekage.exe 124 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1704 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4668 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4864
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4824 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3728
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5824
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5676 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2080
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5680
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4472
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2220
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3868
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3972
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1344
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:516
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2164
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4404
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2168
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3452
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6124
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3916
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:980
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1776
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2376
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5520
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1536 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:556
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4340
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1760
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5816
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:752
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5580
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5912
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:720
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6084
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4940
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3160
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5332
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4924
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5360
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:544
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5992
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5840
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3752
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1872 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:516
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1220
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3384
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3972
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2060
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5620
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4564
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4784
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1284
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1532
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5028
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2968
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:776
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5276
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3600
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5904
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:4048
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:2164
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2356
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:6052
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
9.5MB
MD5c8385b294840f410deec0e17f32f85df
SHA1a1a1d6a874c157beab880c35aec1d13ec5a91d26
SHA25645a3df3e524eb6ca66458b277ef6830c0a217458782b18b1aed97d4a1d0b3144
SHA51212c36120dc44fb6063533c5d54dc04e736762ad14750f036c111270ec9f378497cae5b0ad8bb488fe260467f3013569ce97d760450ead53533935100c6a0be86
-
Filesize
9.5MB
MD5e7c26a99c460179a23acf1ddc43b3813
SHA184856d678293e9a1efd808b2067c9ab968ba6fb9
SHA2568c37250c7c6c01eb992d0f6fd005f8977aef24b16a9dca12c9d2a459a0b36579
SHA51223a9618adbd840d059810f1cb66e0f12ccae83077578ae74517c18173af5db03d85a2ed669ad78707cfd568a9458d43cbf9db9a5b688cb9da5b0b1fe0797ccad
-
Filesize
9.5MB
MD5734e79da24abcf6d518dc99914615367
SHA15b741c33b893c6fb2eb457c3d04bc52f1f2a22dc
SHA2565238bf276b69a85f73cd8c87262e0f62c647ff6bbfc5c44ea972c28d769b246e
SHA512524fe6adbd51ca87c22331eec3fb09144123d8010ec2583034152d678c11d372b34a423bcc6bc34ccc384cb57f6f8f31b20390ba8090fd5a9f63977b15ddc506
-
Filesize
9.5MB
MD5997786dce8dfad354bc0844558f27194
SHA100b39dbbdb42b1ba89892dca476472f1ffef6293
SHA25644bdf91a99702178f33653d9895968f94dba062ba340fd55f21acaa0fb4d7d64
SHA512de44c64331ac6e0bd6762317c329b22d5cbdd6ef5aba74cfd7c955d199ac9068c02b88eb2856417b89959d6552f26bfeb5e72494935abd7b296c6c9278462898
-
Filesize
9.5MB
MD5d210caede2fe593602116984239b5cfd
SHA19f39035cd96a56d6b5f405400f7a40e93b97ab40
SHA25655c3a801ce857801b89b48cddfbf3f444e91f249dbf05a9d8a10868519da8fa3
SHA512144da04f4c693f90a6f616a54ab39fed0d1b93f0f8cda08d496422859ee38e497287f0bf9b4b3cb88f589d37655e0215ecd90714c57bcda283c777ad3be7c0fb
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
9.5MB
MD56af6dd328062fde4ccfd06f553106dfe
SHA126e39ef3ecaa840e62650e9c02ba751fde0fe549
SHA2564893d146b3481c91d4c2a4d33209c4c5a8c3ca168dab7d086537ec0e586cf4b8
SHA512d9f7a88800a2184baff2bac4ba7e7b201c4a4d67eb22bf20b473579a1dfad7fb570139dc6e7ed465599a2f58324204bee31efd77fecc8223a7842afc22c0f4aa
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.0MB
MD51b3520f22adcfb94c85429c3ede538c1
SHA1f6b552e7fbc2b00c0237de8f2ead0752d2d6f1ad
SHA256ed65cf38d4d3695c1cad3839984fffdeff0a4e3fbb7bd96d03c94ddfa6d0b072
SHA5126ff4b6781bda91f901e13ba20f11f2c3af15a2c9f5cb9992468bd34c0b3f043e70b3767fb9faf3ab2babc4abd71f798f14d51ce5a887c52d86d2aaac97f577c7
-
Filesize
9.5MB
MD542cd7afeea4a6f91271054261f306933
SHA108310219e746b7e4947f02661f458f2b250a5dae
SHA2568f34b2350d23d806f999aa430274e2874ffb99ed1e51d66ebcce63c780043059
SHA512f9089658a6c915d87005c4a8d2f45a5034a023d52a515ea983fc8beb4d805a7162d3fdd36427a3ce07ca6acea88697950dff6c6d10e7bb690a90d46efc63f0e6
-
Filesize
9.5MB
MD5851ff602d3a9f72982061f8525eb551c
SHA1e14ceae321ab434261bf69ce8326ee6dd97c3a9c
SHA256b4af0b3c8140a6e5f7563b93df502e1e83843a84819f4727cad140543c238f9e
SHA512c7f16911d6f32d8bce8b93ed30b247675419a75dc2858b6bc281fcf16b69c55150c7404c4d64bb84b122c29a0627a6fbbbf8e6d609c0a0cdec4c169ba5430338
-
Filesize
9.5MB
MD522aaf4e74993b005886082e1a05f90ed
SHA1007ff36b4985ae96721099f49565c951655badc9
SHA2564afc4b0602817de34c1421103e2461606e3c9c3bfc7f81ee136952735282e59e
SHA5127106cce50e10400359e83580597e287ff8291aa18428802947eaffd1df63e8080c502b4e2f00281f2836fdc96bd030ef3c023e7d4cd768bab0204ab5197fd44b
-
Filesize
9.5MB
MD52a39aa9d6e34024e90fbad6ac620b49b
SHA1f6aaf1967f0c7bae2e52bd2dbcaf7c7f3bf7ac5b
SHA2568cf4b3ddc0fa77fd417b2c7f6affcc559fcd33e7bdaf665ab5c669d58998bbb8
SHA512083fcf68f1a7436e486f89e6f4a8826f3598bac0d64afce07a0320f207b48485e2282e933e40478f1510b6c4b7c0448d775a55d91b84c72a0bc6512a758c8cb4
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a