Analysis
max time kernel: 148s
max time network: 136s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/05/2025, 10:20
Behavioral task: behavioral1
Sample: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Resource: win10v2004-20250410-en
Behavioral task: behavioral2
Sample: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Resource: win11-20250410-en
General
Target: 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Size: 9.5MB
MD5: e7c26a99c460179a23acf1ddc43b3813
SHA1: 84856d678293e9a1efd808b2067c9ab968ba6fb9
SHA256: 8c37250c7c6c01eb992d0f6fd005f8977aef24b16a9dca12c9d2a459a0b36579
SHA512: 23a9618adbd840d059810f1cb66e0f12ccae83077578ae74517c18173af5db03d85a2ed669ad78707cfd568a9458d43cbf9db9a5b688cb9da5b0b1fe0797ccad
SSDEEP: 98304:iyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvP:V1eHL5dEvP
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
UAC bypass 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Executes dropped EXE 30 IoCs
pid | Process
4528 | smss.exe
5956 | smss.exe
6136 | Gaara.exe
5004 | smss.exe
5040 | Gaara.exe
3636 | csrss.exe
3016 | smss.exe
3996 | Gaara.exe
5084 | csrss.exe
2768 | Kazekage.exe
3132 | smss.exe
2980 | Gaara.exe
4448 | csrss.exe
1456 | Gaara.exe
4044 | Kazekage.exe
5052 | csrss.exe
5464 | system32.exe
5992 | Kazekage.exe
2072 | system32.exe
252 | smss.exe
348 | Gaara.exe
4200 | csrss.exe
6080 | Kazekage.exe
32 | csrss.exe
5560 | system32.exe
1620 | Kazekage.exe
5420 | system32.exe
5892 | system32.exe
2612 | Kazekage.exe
1356 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
4528 | smss.exe
5956 | smss.exe
6136 | Gaara.exe
5004 | smss.exe
5040 | Gaara.exe
3636 | csrss.exe
3016 | smss.exe
3996 | Gaara.exe
5084 | csrss.exe
3132 | smss.exe
2980 | Gaara.exe
4448 | csrss.exe
1456 | Gaara.exe
5052 | csrss.exe
252 | smss.exe
348 | Gaara.exe
4200 | csrss.exe
32 | csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Checks whether UAC is enabled 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drive roots opened read-only (every path has the form \??\X:), grouped by process; the report lists 64 rows, its per-signature display limit:
  2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe (10): A:, B:, H:, L:, Q:, R:, S:, T:, W:, Y:
  csrss.exe (14): A:, G:, J:, K:, N:, O:, Q:, R:, T:, U:, V:, W:, Y:, Z:
  smss.exe (10): B:, H:, I:, K:, L:, O:, R:, T:, V:, Y:
  system32.exe (9): B:, E:, M:, Q:, T:, U:, V:, W:, Z:
  Kazekage.exe (11): B:, H:, I:, K:, L:, N:, O:, Q:, R:, X:, Z:
  Gaara.exe (10): B:, I:, M:, O:, P:, R:, S:, T:, W:, X:
Each copy also probes the floppy letters A: and B:, which no volume occupies here, so this is a blind walk of the whole letter range rather than a query of mounted volumes. It is the enumeration step in front of the Autorun.inf drops listed under "Drops autorun.inf file" below.
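The report renders each signature's rows as one run of text, which is awkward to pivot on. The following Python is an added example (not code from the sandbox or from the sample) that parses that row format back into (operation, IoC, process) tuples and summarises which drive roots each process opened. The row grammar it assumes is "<operation label> <IoC, which may contain spaces> <process name without spaces>", and the SAMPLE it runs on is a constructed excerpt of rows from this page, including one row that the page breaks across a line boundary.

```python
"""Parse the flattened "description ioc Process" rows of a sandbox report.

Added example, not code from the sandbox or from the sample.  The row grammar
assumed here is: <operation label> <ioc, may contain spaces> <process name
without spaces>, with rows run together on one line and occasionally broken
across a line boundary.
"""
import re
from collections import defaultdict

# Operation labels exactly as they open each row in the report.
OPS = [
    "File opened (read-only)",
    "File opened for modification",
    "File created",
    "Set value (str)",
    "Key created",
    "Key opened",
]
_OP_RE = re.compile("(" + "|".join(re.escape(op) for op in OPS) + ")")
# \??\X:  or  X:  or  X:\  -- a bare volume root, nothing after the colon.
_DRIVE_ROOT_RE = re.compile(r"^(?:\\\?\?\\)?([A-Z]):\\?$")


def parse_rows(text):
    """Return [(operation, ioc, process), ...] from flattened report text."""
    # Collapse all whitespace, including the line breaks that split a row.
    flat = " ".join(text.split())
    # With a capturing group, re.split yields [prefix, op, body, op, body, ...].
    parts = _OP_RE.split(flat)
    rows = []
    for op, body in zip(parts[1::2], parts[2::2]):
        body = body.strip()
        if not body:
            continue
        # The process name is the last token; everything before it is the IoC,
        # which keeps spaces inside paths such as "Admin 2 - 5 - 2025" intact.
        ioc, _, proc = body.rpartition(" ")
        rows.append((op, ioc, proc))
    return rows


def drive_roots_by_process(rows):
    """Map each process to the sorted drive letters whose root it opened."""
    roots = defaultdict(set)
    for op, ioc, proc in rows:
        if op != "File opened (read-only)":
            continue
        m = _DRIVE_ROOT_RE.match(ioc)
        if m:
            roots[proc].add(m.group(1))
    return {proc: sorted(letters) for proc, letters in roots.items()}


# Constructed excerpt: a handful of rows copied from this report, including one
# row ("\??\X:" / "Kazekage.exe") that the page breaks across two lines.
SAMPLE = r"""description ioc Process File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\X:
Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe"""


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for row in rows:
        print(row)
    print(drive_roots_by_process(rows))
```

Feeding the whole "Attempts to read the root path" section through parse_rows and drive_roots_by_process reproduces the per-process letter lists given above; the same parser handles the registry rows further down, since a Set value row ends in the process name just like a file row does.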
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Autorun.inf writes at volume roots, grouped by process (paths are \??\X:\Autorun.inf, except that the report shows the C:, D: and F: roots without the \??\ prefix):
  Gaara.exe (15): created on A:, D:, G:, J:, L:, N:, T:, W:, Z:; opened for modification on D:, F:, L:, Q:, X:, Y:
  csrss.exe (14): created on B:, H:, K:, L:, S:, T:, W:; opened for modification on F:, J:, L:, Q:, U:, V:, W:
  system32.exe (11): created on G:, I:, O:, T:, V:, W:, X:; opened for modification on B:, C:, T:, W:
  smss.exe (9): created on M:, Y:; opened for modification on D:, G:, L:, N:, S:, T:, V:
  Kazekage.exe (8): created on B:, M:, N:, U:; opened for modification on I:, L:, N:, O:
  2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe (7): created on G:, K:, U:, V:; opened for modification on H:, K:, V:
Note that system32.exe also writes C:\Autorun.inf on the system volume, so a hunt for this file should not be limited to removable drives. Windows 7 and later no longer execute autorun.inf from USB media (only from optical discs), so on this Windows 11 target the file is an artefact of the spreading routine rather than a working execution path; the report does not show the file's contents.
Drops file in System32 directory 39 IoCs
Files written under C:\Windows\SysWOW64, grouped by file ("the sample" below means 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe):
  2-5-2025.exe (7): created by the sample; opened for modification by Gaara.exe, Kazekage.exe, smss.exe, system32.exe, csrss.exe and the sample
  msvbvm60.dll (12): created by csrss.exe, system32.exe, Gaara.exe, Kazekage.exe, smss.exe and the sample; opened for modification by the same six
  mscomctl.ocx (7): created by the sample; opened for modification by csrss.exe, Kazekage.exe, system32.exe, smss.exe, Gaara.exe and the sample
  Desktop.ini (7): created by the sample; opened for modification by Kazekage.exe, csrss.exe, smss.exe, Gaara.exe, system32.exe and the sample
  SysWOW64\ (the directory itself) (6): opened for modification by all six processes
msvbvm60.dll is the Visual Basic 6 runtime and mscomctl.ocx the VB6 common-controls library; a sample that carries and drops both is a VB6 binary bringing its own runtime with it. The date-stamped 2-5-2025.exe (the run date, 2 May 2025) is not a Windows component and should be collected from any host showing this activity.
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
All six processes (system32.exe, 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe) set:
  \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"
The image is dropped into C:\Windows\Fonts (see "Drops file in Windows directory" below), which is not a location a legitimate wallpaper setting points at.
resource yara_rule
Rule upx matched the resources below. Every memory match covers the same range 0x0000000000400000-0x000000000042B000, i.e. the identical UPX-packed image mapped in each process.
  Memory dumps (behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042B000-memory.dmp), by PID with the dump index in brackets: 740 (0, 121); 4528 (32, 128); 5956 (70, 73); 6136 (76, 157); 5004 (113); 5040 (116); 3636 (122, 199); 5084 (158, 163); 3996 (159); 2768 (166, 223); 2980 (198); 4044 (206, 214); 4448 (207); 1456 (204, 215); 5464 (221, 260); 5992 (230); 2072 (233); 252 (247); 348 (250); 4200 (253); 6080 (258); 5420 (264, 271); 1620 (267); 5560 (268); 5892 (272); 2612 (275); 1356 (278)
  Dropped files (behavioral2/files/<id>-<n>.dat), by file id with the index in brackets: 0x001900000002b116 (11, 119); 0x001900000002b112 (31); 0x001900000002b113 (41, 75); 0x001c00000002b117 (50, 89, 234); 0x001900000002b119 (57, 96, 137, 177); 0x001900000002b118 (92, 167)
UPX is a stock packer, so this match says that the executables are packed, not which family they belong to; the value of the rule here is the list of PIDs that carry the same 0x2B000-byte image.
Drops file in Windows directory 64 IoCs
Files written under C:\Windows, grouped by file ("the sample" below means 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe):
  C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (9): created by system32.exe, Kazekage.exe, Gaara.exe, smss.exe, csrss.exe; opened for modification by system32.exe, Kazekage.exe, Gaara.exe and the sample
  C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (10): created by smss.exe, csrss.exe, Gaara.exe, system32.exe, Kazekage.exe and the sample; opened for modification by smss.exe, Gaara.exe, Kazekage.exe and the sample
  C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (9): created by smss.exe, system32.exe, Gaara.exe, Kazekage.exe, csrss.exe; opened for modification by Gaara.exe, system32.exe, Kazekage.exe and the sample
  C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll (4): created by Kazekage.exe, csrss.exe and the sample; opened for modification by the sample
  C:\Windows\Fonts\The Kazekage.jpg (5): created by the sample; opened for modification by smss.exe, Kazekage.exe, csrss.exe and the sample
  C:\Windows\msvbvm60.dll (4): opened for modification by system32.exe, smss.exe, Kazekage.exe and the sample
  C:\Windows\system\msvbvm60.dll (5): created by the sample; opened for modification by Kazekage.exe, smss.exe, system32.exe and the sample
  C:\Windows\WBEM\msvbvm60.dll (2): created by system32.exe, csrss.exe
  C:\Windows\mscomctl.ocx (6): created by the sample; opened for modification by Gaara.exe, Kazekage.exe, csrss.exe, smss.exe and the sample
  C:\Windows\system\mscoree.dll (5): opened for modification by Gaara.exe, system32.exe, smss.exe, csrss.exe, Kazekage.exe
  C:\Windows\ (the directory itself) (5): opened for modification by smss.exe, csrss.exe, Kazekage.exe, Gaara.exe and the sample
The payload copies live in a date-stamped folder under C:\Windows\Fonts and borrow the names of core Windows processes (csrss.exe, smss.exe) so that they blend into a process list; the genuine csrss.exe and smss.exe run from C:\Windows\System32, so the image path, not the name, is the discriminator. The VB6 runtime msvbvm60.dll is scattered into C:\Windows, C:\Windows\system and C:\Windows\WBEM, and a file named mscoree.dll (the name of the .NET hosting shim) is written to C:\Windows\system; any DLL with these names outside System32 or SysWOW64 on an affected host should be treated as dropped.
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
All 64 rows open the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; by process: ping.exe (33), Gaara.exe (6), csrss.exe (6), smss.exe (6), system32.exe (6), Kazekage.exe (6), 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe (1).
Most hits come from the ping.exe instances launched for the connectivity checks below; this key is read during normal locale initialisation by many Windows processes, so the signature is weak evidence on its own, and the rows that matter are the six copies of the malware.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
36 launches of ping.exe (pid): 2876, 1584, 2952, 3596, 5376, 4560, 4116, 3816, 5680, 2156, 2240, 4824, 5932, 2372, 4672, 2652, 2616, 3556, 3420, 4668, 3092, 5092, 2168, 3004, 1196, 5504, 4828, 1584, 5764, 3184, 1796, 4480, 3532, 5728, 2608, 2072
The ping targets and command lines are not recorded in this section (pid 1584 occurs twice, i.e. the PID was reused during the run). ping.exe is also a common sleep primitive in batch-driven malware, so 36 launches need not mean 36 connectivity tests; the command lines in the process tree decide which it is.
Modifies Control Panel 64 IoCs
All 64 rows are under \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Control Panel\ ("the sample" below means 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe); grouped by value:
  Key created Desktop (5): csrss.exe, Kazekage.exe, system32.exe, Gaara.exe, the sample
  Key created Screen Saver.Marquee (4): smss.exe, system32.exe, Kazekage.exe, csrss.exe
  Desktop\SCRNSAVE.EXE = "ssmarque.scr" (5): Kazekage.exe, csrss.exe, smss.exe, system32.exe, the sample
  Desktop\ScreenSaveTimeOut = "400" (5): Kazekage.exe, system32.exe, csrss.exe, smss.exe, the sample
  Desktop\WallpaperStyle = "2" (5): smss.exe, Gaara.exe, system32.exe, Kazekage.exe, csrss.exe
  Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" (3): smss.exe, system32.exe, the sample
  Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" (4): csrss.exe, Kazekage.exe, smss.exe, the sample
  Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" (4): Kazekage.exe, system32.exe, smss.exe, the sample
  Screen Saver.Marquee\Font = "Blackadder ITC" (4): Kazekage.exe, Gaara.exe, smss.exe, the sample
  Screen Saver.Marquee\Size = "72" (3): system32.exe, Gaara.exe, smss.exe
  Screen Saver.Marquee\Speed = "4" (6): Gaara.exe, system32.exe, csrss.exe, smss.exe, Kazekage.exe, the sample
  Screen Saver.Marquee\Mode.EXE = "1" (6): system32.exe, smss.exe, csrss.exe, Kazekage.exe, Gaara.exe, the sample
  Screen Saver.Marquee\TextColor = "255 0 0" (5): smss.exe, Gaara.exe, system32.exe, Kazekage.exe, the sample
  Screen Saver.Marquee\BackgroundColor = "0 0 0" (5): system32.exe, csrss.exe, Gaara.exe, smss.exe, the sample
Taken together these configure the Marquee screen saver to scroll the red-on-black "Gaara The Kazekage" message after 400 seconds of idle time, the visible defacement side of the infection. SCRNSAVE.EXE deserves a separate check during cleanup because it is also an execution point (whatever it names is run on idle); here it is set to a stock screen-saver name, and none of the file-drop sections above list an ssmarque.scr being written.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Modifies registry class 51 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Runs ping.exe 1 TTPs 36 IoCs
pid | Process
ping.exe PIDs (36 entries, in report order): 4824, 5932, 3816, 5092, 4560, 3532, 2952, 1196, 2240, 2616, 4668, 3184, 4116, 2372, 2876, 4672, 3596, 2608, 5680, 1796, 4480, 5728, 2652, 3092, 5764, 2156, 1584, 3556, 1584, 2168, 2072, 5504, 4828, 3420, 3004, 5376
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 entries, grouped by process)
3636 | csrss.exe (24 entries)
6136 | Gaara.exe (24 entries)
740 | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe (6 entries)
5464 | system32.exe (10 entries)
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
740 | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
4528 | smss.exe
5956 | smss.exe
6136 | Gaara.exe
5004 | smss.exe
5040 | Gaara.exe
3636 | csrss.exe
3016 | smss.exe
3996 | Gaara.exe
5084 | csrss.exe
2768 | Kazekage.exe
3132 | smss.exe
2980 | Gaara.exe
4448 | csrss.exe
4044 | Kazekage.exe
1456 | Gaara.exe
5052 | csrss.exe
5992 | Kazekage.exe
5464 | system32.exe
2072 | system32.exe
252 | smss.exe
348 | Gaara.exe
4200 | csrss.exe
6080 | Kazekage.exe
32 | csrss.exe
5560 | system32.exe
1620 | Kazekage.exe
5420 | system32.exe
5892 | system32.exe
2612 | Kazekage.exe
1356 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row appears three times in the report unless noted; 64 entries in total)
PID 740 wrote to memory of 4528 | 740 | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe | 78
PID 4528 wrote to memory of 5956 | 4528 | smss.exe | 79
PID 4528 wrote to memory of 6136 | 4528 | smss.exe | 80
PID 6136 wrote to memory of 5004 | 6136 | Gaara.exe | 81
PID 6136 wrote to memory of 5040 | 6136 | Gaara.exe | 82
PID 6136 wrote to memory of 3636 | 6136 | Gaara.exe | 83
PID 3636 wrote to memory of 3016 | 3636 | csrss.exe | 84
PID 3636 wrote to memory of 3996 | 3636 | csrss.exe | 85
PID 3636 wrote to memory of 5084 | 3636 | csrss.exe | 86
PID 3636 wrote to memory of 2768 | 3636 | csrss.exe | 87
PID 2768 wrote to memory of 3132 | 2768 | Kazekage.exe | 88
PID 2768 wrote to memory of 2980 | 2768 | Kazekage.exe | 89
PID 2768 wrote to memory of 4448 | 2768 | Kazekage.exe | 90
PID 740 wrote to memory of 1456 | 740 | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe | 91
PID 2768 wrote to memory of 4044 | 2768 | Kazekage.exe | 92
PID 740 wrote to memory of 5052 | 740 | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe | 94
PID 2768 wrote to memory of 5464 | 2768 | Kazekage.exe | 93
PID 740 wrote to memory of 5992 | 740 | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe | 95
PID 740 wrote to memory of 2072 | 740 | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe | 96
PID 5464 wrote to memory of 252 | 5464 | system32.exe | 97
PID 5464 wrote to memory of 348 | 5464 | system32.exe | 98
PID 5464 wrote to memory of 4200 | 5464 | system32.exe | 99 (one entry)
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_e7c26a99c460179a23acf1ddc43b3813_black-basta_elex_hijackloader_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:740 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4528 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5956
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6136 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5004
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5040
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3636 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3016
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3996
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5084
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2768 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3132
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2980
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4448
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4044
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5464 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:252
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:348
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4200
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6080
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5560
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4116
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2240
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3556
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4828
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2156
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2072
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3596
C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3184

C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3092

C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5680

C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2168

C:\Windows\SysWOW64\ping.exe (depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3532

C:\Windows\SysWOW64\drivers\system32.exe (depth 5)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5892

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4668

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4672

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3816

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5932

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2372

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4480

C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 4)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\SysWOW64\drivers\system32.exe (depth 4)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2952

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1196

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2608

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4824

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5764

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4560

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:32

C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\SysWOW64\drivers\system32.exe (depth 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5420

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1584

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3004

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2616

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5376

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5092

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1796

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (depth 2)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (depth 2)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 2)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5992

C:\Windows\SysWOW64\drivers\system32.exe (depth 2)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2876

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5728

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5504

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2652

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1584

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3420

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
PID:4140

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID:932

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c 2-5-2025.exe
PID:3436

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c drivers\csrss.exe
PID:4104
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads