Analysis

  max time kernel:   150s
  max time network:  121s
  platform:          windows11-21h2_x64
  resource:          win11-20250410-en
  resource tags:     arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         02/05/2025, 10:41
Behavioral tasks

  behavioral1
    Sample:    2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
    Resource:  win10v2004-20250410-en

  behavioral2
    Sample:    2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
    Resource:  win11-20250410-en

The signatures on this page belong to behavioral2, the windows11-21h2_x64 run named under Analysis.
General

  Target:  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
  Size:    8.3MB
  MD5:     252daf427ff74462bacd78a31277eb08
  SHA1:    0eb53676e022d38ea20f2f2290f1781ea7edd527
  SHA256:  4a0a1ecc1e6ee951eda7f8b8944f551558384e7e6cf84b7e1348126271c572fe
  SHA512:  4a49e17b195d74f301cc336922790032bda92dd783f38d1c4f3368d7552dfe520899c6354388496b3fc71e9157fa5d1fd466ce1948ecbf8f521c7a500ba0268b
  SSDEEP:  49152:9GyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:9GyqWyWy0GyqWyWyMRPC1eHL5dGYSW
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
winlogon.exe reads the Shell and Userinit values at interactive logon; appending a second executable to each makes drivers\csrss.exe start beside Explorer and drivers\system32.exe beside userinit.exe at every logon. Userinit is also changed from the stock absolute path to the bare name userinit.exe. Both writes were recorded under WOW6432Node, the registry view a 32-bit process sees on this x64 image; the 64-bit winlogon.exe reads the native Winlogon key, so when triaging check both views rather than assuming these entries took effect.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"
    Process: Gaara.exe, system32.exe, Kazekage.exe, smss.exe, csrss.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"
    Process: system32.exe, Kazekage.exe, smss.exe, Gaara.exe, csrss.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
HideFileExt = 1 turns off extension display in Explorer for this user (the value sits in the user hive S-1-5-21-...-1000, so it is per-user); a file named like the IFEO target "Funny UST Scandal.avi.exe" would then be shown as "Funny UST Scandal.avi".
  Set value (int)  \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    Process: smss.exe, Gaara.exe, csrss.exe, system32.exe, Kazekage.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
ShowSuperHidden = 0 keeps files carrying both the hidden and system attributes ("protected operating system files") out of Explorer listings for this user.
  Set value (int)  \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    Process: Kazekage.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe, csrss.exe, system32.exe
UAC bypass (3 TTPs, 6 IoCs)
EnableLUA = 0 switches User Account Control off system-wide, effective after the next reboot. The value lives under HKLM and needs administrative rights to write, so the processes below were already running elevated when they set it.
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
    Process: system32.exe, Kazekage.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe, csrss.exe
Disables RegEdit via registry modification (6 IoCs)
DisableRegistryTools = 1 is the per-user policy that stops regedit.exe from starting (value 1 also blocks its silent /s import mode), so the user cannot undo the Winlogon, Run and IFEO entries by hand.
  Set value (int)  \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    Process: system32.exe, Kazekage.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe, csrss.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
C:\Windows\SysWOW64\drivers is where a 32-bit process ends up when it writes to %SystemRoot%\System32\drivers under file-system redirection; it is also the location the relative drivers\... paths in the Winlogon, Run and IFEO values point at.
  File created                  C:\Windows\SysWOW64\drivers\Kazekage.exe
    Process: system32.exe, smss.exe, Gaara.exe, csrss.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, Kazekage.exe
  File opened for modification  C:\Windows\SysWOW64\drivers\Kazekage.exe
    Process: system32.exe, csrss.exe, Kazekage.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe
  File created                  C:\Windows\SysWOW64\drivers\system32.exe
    Process: system32.exe, Kazekage.exe, smss.exe, Gaara.exe, csrss.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
  File opened for modification  C:\Windows\SysWOW64\drivers\system32.exe
    Process: csrss.exe, system32.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe, Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
When an image whose file name matches a subkey of Image File Execution Options has a Debugger value, Windows starts the Debugger command instead and passes the original command line to it as arguments. The sample uses this in two ways: administrative tools (regedit.exe, regedt32.exe, mmc.exe, msconfig.exe, cscript.exe) are redirected to drivers\Kazekage.exe, so opening any of them launches the malware; and a set of non-Windows names (Rin.exe, Obito.exe, KakashiHatake.exe, kspool.exe, kspoold.exe, Funny UST Scandal.exe, Funny UST Scandal.avi.exe) plus procexp.exe get Debugger = "cmd.exe /c del", so an attempt to run them deletes the file instead. The match is on file name only, so a renamed copy of regedit.exe is unaffected. Unlike the Winlogon and Run writes, these landed under the native path even though the sample is 32-bit: Image File Execution Options is one of the keys WOW64 shares between both views.

All keys below are subkeys of \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, grouped by target image.

  regedit.exe
    Key created:  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, system32.exe, Gaara.exe
    Set value (str) Debugger = "drivers\\Kazekage.exe":  Gaara.exe
  regedt32.exe
    Key created:  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, Kazekage.exe
    Set value (str) Debugger = "drivers\\Kazekage.exe":  Gaara.exe, smss.exe, csrss.exe, system32.exe
  mmc.exe
    Set value (str) Debugger = "drivers\\Kazekage.exe":  csrss.exe, Kazekage.exe, system32.exe
  msconfig.exe
    Key created:  csrss.exe, system32.exe, Kazekage.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe
    Set value (str) Debugger = "drivers\\Kazekage.exe":  csrss.exe
  cscript.exe
    Key created:  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, Gaara.exe
    Set value (str) Debugger = "drivers\\Kazekage.exe":  Gaara.exe
  wscript.exe
    Key created:  smss.exe, Gaara.exe
  taskmgr.exe
    Key created:  system32.exe
  rstrui.exe
    Key created:  smss.exe, Kazekage.exe
  procexp.exe
    Key created:  system32.exe, Gaara.exe
    Set value (str) Debugger = "cmd.exe /c del":  system32.exe
  Thumbs.com
    Key created:  system32.exe
  Funny UST Scandal.avi.exe
    Key created:  system32.exe, Gaara.exe
    Set value (str) Debugger = "cmd.exe /c del":  smss.exe
  Funny UST Scandal.exe
    Key created:  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, Kazekage.exe, csrss.exe
    Set value (str) Debugger = "cmd.exe /c del":  Kazekage.exe, smss.exe, csrss.exe
  Rin.exe
    Key created:  Gaara.exe, system32.exe, csrss.exe
    Set value (str) Debugger = "cmd.exe /c del":  Kazekage.exe
  KakashiHatake.exe
    Key created:  smss.exe, csrss.exe
    Set value (str) Debugger = "cmd.exe /c del":  csrss.exe, Gaara.exe
  Obito.exe
    Key created:  smss.exe, system32.exe, Gaara.exe, csrss.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
    Set value (str) Debugger = "cmd.exe /c del":  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
  kspoold.exe
    Key created:  Kazekage.exe, system32.exe
    Set value (str) Debugger = "cmd.exe /c del":  Kazekage.exe
  kspool.exe
    Key created:  smss.exe, Kazekage.exe
    Set value (str) Debugger = "cmd.exe /c del":  Gaara.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
  HOKAGE4.exe
    Key created:  Kazekage.exe, system32.exe
  HokageFile.exe
    Key created:  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
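How a Debugger value changes a launch, worked through with the values above. This is an added example, not code from the report, the sandbox or the sample: IFEO_FROM_REPORT is transcribed from the entries listed, while the command lines passed in and the ADMIN_TOOLS set are constructed assumptions.

```python
"""Model of Image File Execution Options (IFEO) Debugger redirection, using the values
recorded in this report. Added example, not code from the report, the sandbox or the
sample. IFEO_FROM_REPORT is transcribed from the signature; the command lines fed to the
functions and the ADMIN_TOOLS set are constructed for illustration."""
import ntpath

# image file name -> Debugger value as recorded above. None marks images for which the
# report shows only "Key created" and no Debugger value.
IFEO_FROM_REPORT = {
    "regedit.exe": r"drivers\Kazekage.exe",
    "regedt32.exe": r"drivers\Kazekage.exe",
    "mmc.exe": r"drivers\Kazekage.exe",
    "msconfig.exe": r"drivers\Kazekage.exe",
    "cscript.exe": r"drivers\Kazekage.exe",
    "procexp.exe": "cmd.exe /c del",
    "Rin.exe": "cmd.exe /c del",
    "Obito.exe": "cmd.exe /c del",
    "KakashiHatake.exe": "cmd.exe /c del",
    "kspool.exe": "cmd.exe /c del",
    "kspoold.exe": "cmd.exe /c del",
    "Funny UST Scandal.exe": "cmd.exe /c del",
    "Funny UST Scandal.avi.exe": "cmd.exe /c del",
    "taskmgr.exe": None,
    "wscript.exe": None,
    "rstrui.exe": None,
    "Thumbs.com": None,
    "HOKAGE4.exe": None,
    "HokageFile.exe": None,
}

# Assumption: the tools a responder typically reaches for on a suspect host.
ADMIN_TOOLS = {"regedit.exe", "regedt32.exe", "mmc.exe", "msconfig.exe", "taskmgr.exe",
               "procexp.exe", "rstrui.exe", "cscript.exe", "wscript.exe"}


def _lookup(ifeo, image_name):
    """IFEO subkeys are matched on the image file name alone, case-insensitively."""
    table = {k.lower(): v for k, v in ifeo.items()}
    return table.get(image_name.lower())


def effective_command_line(requested, ifeo=IFEO_FROM_REPORT):
    """Return the command line Windows actually starts for `requested`.

    If the image's IFEO subkey carries a non-empty Debugger value, the loader starts the
    Debugger string and appends the original command line as its arguments. A subkey
    without a Debugger value, or no subkey at all, leaves the launch unchanged.
    """
    # First token is the image path; a quoted path keeps its embedded spaces.
    image = requested.split('"')[1] if requested.startswith('"') else requested.split(" ")[0]
    debugger = _lookup(ifeo, ntpath.basename(image))
    if not debugger:
        return requested
    return f"{debugger} {requested}"


def classify(image_name, ifeo=IFEO_FROM_REPORT):
    """Effect of the recorded entries on one image name: replaced, deleted or unaffected."""
    debugger = _lookup(ifeo, image_name)
    if not debugger:
        return "unaffected"   # no subkey, or a subkey with no Debugger value
    if debugger.lower().startswith("cmd.exe /c del"):
        return "deleted"      # cmd.exe /c del <original path ...>: the target is wiped, not run
    return "replaced"         # another binary starts in place of the target


def triage(ifeo=IFEO_FROM_REPORT):
    """Split the table into admin tools the malware intercepts and names it kills on launch."""
    intercepted = sorted(n for n in ifeo if n.lower() in ADMIN_TOOLS and classify(n, ifeo) != "unaffected")
    killed = sorted(n for n in ifeo if classify(n, ifeo) == "deleted")
    return intercepted, killed


if __name__ == "__main__":
    for cmd in (r"C:\Windows\regedit.exe", r'"C:\Tools\procexp.exe" /accepteula',
                r"C:\Windows\System32\taskmgr.exe", r"C:\Temp\regedit_copy.exe"):
        print(f"{cmd!r:45} -> {effective_command_line(cmd)!r}")
    print(triage())
```

The relative Debugger value drivers\Kazekage.exe is resolved by the normal CreateProcess search, so it only works from a working directory or search path where that file exists; the sample drops it under C:\Windows\SysWOW64\drivers. The last sample command line shows the practical consequence for a responder: a copy of regedit.exe under any other name bypasses the hijack.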
Executes dropped EXE (30 IoCs)
The names smss.exe and csrss.exe mimic the Windows session manager and client/server runtime, which run from C:\Windows\System32; the dropped copies run from the Fonts\Admin 2 - 5 - 2025 and drivers paths given in the Run keys below, which is the quickest way to tell them apart. Six instances of each dropped executable were started (pid by process):
  smss.exe:      5068, 2112, 2656, 436, 248, 3964
  Gaara.exe:     4164, 5948, 1272, 3088, 5380, 4032
  csrss.exe:     3308, 2944, 5416, 2304, 3756, 4412
  Kazekage.exe:  1636, 2624, 4980, 1432, 1132, 1984
  system32.exe:  5916, 2636, 6064, 5504, 1216, 4312
Loads dropped DLL (18 IoCs)
  smss.exe:   5068, 2112, 2656, 436, 248, 3964
  Gaara.exe:  4164, 5948, 1272, 3088, 5380, 4032
  csrss.exe:  3308, 2944, 5416, 2304, 3756, 4412
Adds Run key to start application (2 TTPs, 24 IoCs)
Four values under the 32-bit (WOW6432Node) Run key. Explorer processes this key as well as the native one at logon, so unlike the WOW6432Node Winlogon entries these do take effect on x64. All four targets are relative paths, which is unusual for a Run value and a cheap hunting heuristic. The folder name "Admin 2 - 5 - 2025" and the value "2-5-2025.exe" embed the day of execution (2 May 2025, matching the submission date), so expect them to differ per infection.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe"
    Process: smss.exe, csrss.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, system32.exe, Kazekage.exe, Gaara.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe"
    Process: Gaara.exe, system32.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, csrss.exe, Kazekage.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe"
    Process: csrss.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe, Kazekage.exe, system32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"
    Process: Gaara.exe, csrss.exe, Kazekage.exe, smss.exe, system32.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
The same EnableLUA writes as under UAC bypass above; the sandbox reports them under both signatures.
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
    Process: Kazekage.exe, 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe, csrss.exe, system32.exe
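Detection logic for the registry changes in the signatures above (Winlogon Shell and Userinit, the UAC and registry-tool policies, the Explorer view settings, and Run values), run over constructed Sysmon-style RegistryEvent records. This is an added example, not code from the report, the sandbox or the sample; the event records, the vendor Run entry and the relative-path heuristic are assumptions, and the field names follow Sysmon Event ID 13 (Image, TargetObject, Details).

```python
"""Detection over Sysmon-style RegistryEvent records (Event ID 13, value set) for the
registry writes recorded in this report. Added example, not code from the report, the
sandbox or the sample. SAMPLE_EVENTS is constructed: it mixes values taken from the
signatures with two benign writes. The Run-key heuristic is an assumption to tune locally."""
import re

SAMPLE_EVENTS = [  # constructed; paths and SID follow the report, the vendor entry is invented
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\drivers\Kazekage.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"Explorer.exe, drivers\csrss.exe"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\drivers\system32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"userinit.exe,drivers\system32.exe"},
    {"EventID": 13, "Image": r"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe",
     "TargetObject": r"HKU\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "1"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\drivers\csrss.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV",
     "Details": r"Fonts\Admin 2 - 5 - 2025\Gaara.exe"},
    # benign: the user toggled "hide extensions" in Explorer; a vendor updater with an absolute Run path
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]


def normalize_key(target):
    """Fold native (\\REGISTRY\\MACHINE) and Sysmon (HKLM) spellings together, drop
    WOW6432Node, replace a user SID with HKCU and lowercase. Also report whether the
    write landed in the 32-bit view, which matters for Winlogon (see the note above)."""
    key = target.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    wow64 = "\\wow6432node\\" in key.lower()
    key = re.sub(r"\\WOW6432Node\\", "\\\\", key, flags=re.I)
    key = re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", lambda m: "HKCU\\", key, flags=re.I)
    return key.lower(), wow64


def dword(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the report above shows a bare '1'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group()) if m else None


def userinit_tampered(details):
    """A stock Userinit holds a single entry ending in userinit.exe (plus a trailing comma)."""
    entries = [e.strip().lower() for e in details.split(",") if e.strip()]
    return len(entries) != 1 or not entries[0].endswith("userinit.exe")


def odd_run_target(details):
    """Heuristic (assumption): Run values normally hold an absolute, quoted or %VAR% path;
    a relative target such as drivers\\csrss.exe is what this family writes."""
    target = details.strip().lstrip('"')
    return not re.match(r"^([a-z]:\\|%|\\\\)", target, re.I)


def detect(events):
    """Return one finding per event that matches a behaviour recorded in this report."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key, wow64 = normalize_key(ev["TargetObject"])
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        details = ev["Details"]
        rule = None
        if key.endswith("\\winlogon\\shell") and details.strip().lower() != "explorer.exe":
            rule = "Winlogon Shell altered"
        elif key.endswith("\\winlogon\\userinit") and userinit_tampered(details):
            rule = "Winlogon Userinit altered"
        elif key.endswith("\\policies\\system\\enablelua") and dword(details) == 0:
            rule = "UAC disabled (EnableLUA=0)"
        elif key.endswith("\\policies\\system\\disableregistrytools") and dword(details) == 1:
            rule = "Registry editor disabled for user"
        elif key.endswith("\\explorer\\advanced\\hidefileext") and dword(details) == 1 and image != "explorer.exe":
            rule = "Extensions hidden by non-Explorer process"
        elif key.endswith("\\explorer\\advanced\\showsuperhidden") and dword(details) == 0 and image != "explorer.exe":
            rule = "Super-hidden files hidden by non-Explorer process"
        elif "\\currentversion\\run\\" in key and odd_run_target(details):
            rule = "Run value with relative target"
        if rule:
            findings.append({"rule": rule, "image": image, "key": key, "details": details, "wow64": wow64})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:45} {f['image']:14} wow64={f['wow64']} {f['details']}")
```

The Explorer view rules deliberately exempt explorer.exe as the writing image: users legitimately toggle HideFileExt and ShowSuperHidden through Explorer's options dialog, and that write comes from explorer.exe, whereas here the writers are the dropped smss.exe, Gaara.exe and their siblings.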
Drops desktop.ini file(s) (64 IoCs)
Explorer reads a Desktop.ini at a folder or drive root to customise how that location is displayed (icon, display name); the sample writes one to the root of every drive letter it reaches, alongside Autorun.inf. Every entry is "File opened for modification <drive>\Desktop.ini"; drives are listed per process as the sandbox recorded them (NT object form \??\X: or plain drive letter).
  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe:  F:, \??\M:, \??\U:, \??\X:, D:, \??\A:, C:, \??\R:, \??\H:, \??\Z:, \??\I:, \??\Y:, \??\J:, \??\L:, \??\O:  (15)
  Kazekage.exe:  \??\J:, \??\T:, \??\O:, \??\X:, \??\U:, \??\I:, \??\N:, \??\Z:, \??\M:  (9)
  Gaara.exe:     \??\Q:, \??\I:, \??\O:, \??\Z:, \??\A:, \??\G:, \??\K:, \??\V:, \??\T:, \??\W:, \??\J:, \??\N:, \??\H:  (13)
  smss.exe:      \??\H:, \??\Z:, \??\O:, \??\Q:, \??\M:, \??\N:, \??\E:, \??\K:, \??\S:  (9)
  csrss.exe:     \??\O:, \??\W:, \??\A:, \??\K:, \??\M:, \??\E:, \??\S:, \??\U:, \??\J:, \??\Q:  (10)
  system32.exe:  \??\L:, \??\N:, \??\X:, \??\Y:, \??\A:, C:, \??\S:, \??\U:  (8)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Every entry is "File opened (read-only) \??\<drive>:"; drives are listed per process.
  2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe:  U:, H:, A:, Y:, G:, O:, Z:, T:, Q:, P:, I:, K:, V:  (13)
  smss.exe:      I:, Q:, U:, A:, Y:, H:, Z:, M:, S:, T:, X:  (11)
  Gaara.exe:     R:, T:, O:, P:, X:, V:, Z:, I:, A:  (9)
  csrss.exe:     R:, A:, V:, M:, I:, G:, P:, J:, E:  (9)
  system32.exe:  Y:, E:, G:, P:, B:, V:, S:, X:, R:, T:, L:, O:, I:  (13)
  Kazekage.exe:  I:, Q:, L:, A:, N:, O:, V:, E:, P:  (9)
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies Control Panel 64 IoCs
Saver.Marquee\Size = "72" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Control Panel\Screen Saver.Marquee csrss.exe -
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Key created \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe -
Modifies registry class 51 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Kazekage.exe -
Runs ping.exe 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
5832 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
5068 smss.exe
2112 smss.exe
4164 Gaara.exe
2656 smss.exe
5948 Gaara.exe
3308 csrss.exe
436 smss.exe
1272 Gaara.exe
2944 csrss.exe
1636 Kazekage.exe
248 smss.exe
3088 Gaara.exe
5416 csrss.exe
2624 Kazekage.exe
5916 system32.exe
3964 smss.exe
5380 Gaara.exe
2304 csrss.exe
4980 Kazekage.exe
2636 system32.exe
6064 system32.exe
1432 Kazekage.exe
5504 system32.exe
3756 csrss.exe
1132 Kazekage.exe
1216 system32.exe
4032 Gaara.exe
4412 csrss.exe
1984 Kazekage.exe
4312 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe "C:\Users\Admin\AppData\Local\Temp\2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe" 1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5832 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe" 2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5068 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe" 3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4164 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2656
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5948
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe" 4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3308 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:436
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1272
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2944
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe" 6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:248
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe" 6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3088
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe" 6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5416
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2624
-
-
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5916 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe" 7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3964
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe" 7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5380
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe" 7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2304
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe 7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4980
-
-
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2636
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1512
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5380
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3108
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4160
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2212
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5304
-
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5420
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1396
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5824
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2952
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1912
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4060
-
-
-
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe 5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6064
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3500
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.duniasex.com 65500 5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:112
-
-
C:\Windows\SysWOW64\ping.exe ping -a -l www.rasasayang.com.my 65500 5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4972
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4200
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3692
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4848
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5504

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4332

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6036

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4908

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 4)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5896

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe" (level 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4052

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4420

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2964

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1952

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1228

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 3)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1940

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe" (level 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe" (level 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe (level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe (level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4312

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1596

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5912

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5992

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 2)
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2320

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500 (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4704

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500 (level 2)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe (level 1)
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe (level 1)
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2-5-2025.exe (level 1)
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drivers\csrss.exe (level 1)
PID:2384

Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)

Downloads

Filesize: 736B
MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

Filesize: 196B
MD5: 1564dfe69ffed40950e5cb644e0894d1
SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

Filesize: 8.3MB
MD5: e8dc2b1bfbd5605f45a96ef6b3686c8f
SHA1: fb630ec8c55d16234b42e4429059ac2bfb87025c
SHA256: 1479368c4bd7bacc216ba091ab5ed142da1500f5160ffc0e61bcf5401270f56c
SHA512: bac15def343198899159943d2d14eabab74d4f9028f659b0ea52a00fad3c195dee42fa1aecca76f70cb7e7b748a95a73148f31b0fe7f7f266c3f15ed62d4ce19

Filesize: 8.3MB
MD5: 252daf427ff74462bacd78a31277eb08
SHA1: 0eb53676e022d38ea20f2f2290f1781ea7edd527
SHA256: 4a0a1ecc1e6ee951eda7f8b8944f551558384e7e6cf84b7e1348126271c572fe
SHA512: 4a49e17b195d74f301cc336922790032bda92dd783f38d1c4f3368d7552dfe520899c6354388496b3fc71e9157fa5d1fd466ce1948ecbf8f521c7a500ba0268b

Filesize: 8.3MB
MD5: c7ffa4f78867026c22a52363c72c4936
SHA1: 52553a053554f6295b528e9965339b3e6e6df8ee
SHA256: fcfabb753a8cbd4479d84265c13100a17d05eacd0f2fd2cc53caa23731f0393e
SHA512: 33ffb68b50316becec8a68ca4e83ea46d24e4061bd2fcc14d535661863aee416031108290f6843d03a3e73ededa463f296a35c3e4a7ea8f1fa82a280ead0b08c

Filesize: 8.3MB
MD5: 6c95fb4b7fded5f4ae9924ddc3c0b9ba
SHA1: fee63b98d7720853ce1c5b8456b90cbcb9a16dc2
SHA256: b91510ba6b74e4e66ef66a8ffd8731a6df4e6c0b040cc4a82b9e356b41939480
SHA512: 29018d312c08891336e1da1d3d21a21304e7abf13a5018800d0c714a90b09b23f39c2ccc8b1170110b9f8c4f4c3ed604dd66525e7d8f117a9c5ce002a0304c08

Filesize: 1.4MB
MD5: d6b05020d4a0ec2a3a8b687099e335df
SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Filesize: 8.3MB
MD5: 3f12f7e5577ff2d2e24ca42b1bbc9b81
SHA1: 584f7dfb75914c75b39301b1d9a35da2fee4fc1c
SHA256: 0123a56e5c084a40df322f1065d8b4fcaed682f1fbe17c6ca9ad920f6eb29d09
SHA512: 7fdaa543471d4d70b64f20a84808023cd37b227c0f93c78bab9ae2baf36305faf3db2915581ab889d6bade7ca2f3446c4d6745bee121c253ff737f510b9a0943

Filesize: 1.7MB
MD5: 2b92b56baf07a7f08d10ef9af2f5603b
SHA1: f46f3da9cbc6543e1fc90c9c1b5d10befb8be7e6
SHA256: 86b73bd82d844f06e02d1ef48f2436aae7afaa34a8773ba7798f7c6f6d7db627
SHA512: d5ffb165dc848e5c543fc684f31e6ef4e903148ffeea2d0d3d3d48807411437615a41a437d8c6687661d864b06a90675ff3c7f3021f429104f4ccadd412fccc7

Filesize: 8.3MB
MD5: 37c7da74c018b06bd00844c4e9e0cb8f
SHA1: c1b51e4197bc9f06e9493f43a20853670939fd28
SHA256: 694d8728672fd7bf566b4b634c767888f8e8093bf612c26b5b0bef891751c2f9
SHA512: 7a5e00ef1d350bfc4cc039bca1bc131f6d409d85106aa4a6e053a83c9ef682fccbcb6d42c79ff636d464faaff431fd58a9a0794aae68c426e970cf61a7faa92a

Filesize: 8.3MB
MD5: 376bc954cc17464bd62f55641514a04e
SHA1: e8fa19629db983dace3cdd4042e24b0ffcd6dacc
SHA256: ead2618cc30c43c15f399546700a04bf3cfcfcd08d46c1fb904d48aeecf862d4
SHA512: d09c41d894313291319381bb0415ca6aab2d19f817b97e59e123e264837831539d53bbecba2dd4480b95eb52b0356f0969759ad42d74d8b236d3267d084bea85

Filesize: 65B
MD5: 64acfa7e03b01f48294cf30d201a0026
SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Filesize: 8.3MB
MD5: b51db953badc1c833ec2ead06bd36e6c
SHA1: 6e102d7ad3b5be31d2c32fc77ca331fb6989de43
SHA256: 9b2ceee7624838b1ba565771f15c3b9fe55188c02783202f03884907bc98acd5
SHA512: 955d66e85a9affac353a3ea6992b7a3c629bda7c56a1a95bf9c50b3a9d3a9649e032420d59e03859601ff4621f4e72da58a5085e4b6fb2e4dc077674171051ec

Filesize: 8.3MB
MD5: 0d36bcb9419f6b39b49428fd656be12a
SHA1: c67f112b892dfe976603c8bbf589fe0ebb5f981f
SHA256: b067eb0a8be62a7247f168b4e5d8938df77847389bbb7d25f05e361c98f5418e
SHA512: e1289785d899cbee4e07b6159a7291a4fe8014b7fdf9fa953238e9284c5bc0c646b0a0090ad3ae1d17fc2f8159ef2e4722071018ffe40748e36fbbd9cfb17897

Filesize: 8.3MB
MD5: 8621f886fc56434babac20a0ed9a1556
SHA1: 9ae3a71c0ad0a7119fd9834b533b6ad140c0fffa
SHA256: 1d0bf32a494659e3b517ed459a89c441eca66e62abd816a22ac68723bcc3e956
SHA512: 815df0cea6f306da0a62ceccc900d393302391e1bf79c0284045056fec5b4d8b152a377b6c67c794ce0ca08b05542ca183504f7814ebbb13bd35ef3784431959

Filesize: 8.3MB
MD5: 2a20f7c65879b00fe087e37608e98e2d
SHA1: cff46cb0c728cace94c1f28e9d4ef1a197fe290c
SHA256: 420578404a0b512ae2f84d5a2fc7520b4b23225ad2a29abbd0bc5175b506b3d8
SHA512: 931db9066cae0b0ed5036b833192d4873a9b98c6267d7ab199bb0030306602277887b8d04f0705d6988aabe6038ee83f2e089d6b3a42e7ca220dcd30d8b49dd2

Filesize: 8.3MB
MD5: b790dd19bf1efd6c501b4e8fa7efcda1
SHA1: 0790f62a257d1ce8f43d133a365ccc5847e91a65
SHA256: d5963dffc4012c57d5ebbf4353a58aa57836c0430d3ad5e4ac9d0558563251f3
SHA512: 7010608a69a3071793a1c653a36549a1c148f22821ddeb37dd565606df248712d779049d789164850e432c0e891c6999fd900a81665bd6f7d556d5d9eb41512c

Filesize: 1.4MB
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a