Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/05/2025, 14:29
Behavioral task
behavioral1
Sample
2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
-
Size
9.4MB
-
MD5
fb25d1b774c9dd6cd99a7f8f4659ec50
-
SHA1
75a1ceaa1691597ed1bc42eae48df4d71bfa1e82
-
SHA256
09d1d22cc8284e012be85683e41bfaac5dc11940d87dd13b7103322907fae508
-
SHA512
296e951524b2ab5f55d5a454aa6e6de10df29c767dd28ba5f9792f34c44abb7cb01f2ae1fd6b6c68f295f521cb0acce6270a56a4cad26e8cddbd8f779d4df7b1
-
SSDEEP
98304:cGyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvA:Z1eHL5dEvA
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe -
Executes dropped EXE 30 IoCs
pid Process 4040 smss.exe 3060 smss.exe 2660 Gaara.exe 4080 smss.exe 2708 Gaara.exe 4828 csrss.exe 1288 smss.exe 3884 Gaara.exe 4304 csrss.exe 3004 Kazekage.exe 4568 smss.exe 1840 Gaara.exe 3512 csrss.exe 4644 Kazekage.exe 4780 system32.exe 4704 smss.exe 1032 Gaara.exe 1700 csrss.exe 2436 Kazekage.exe 2904 system32.exe 4456 system32.exe 4996 Kazekage.exe 4240 system32.exe 4624 csrss.exe 4184 Kazekage.exe 1096 system32.exe 2240 Gaara.exe 716 csrss.exe 3628 Kazekage.exe 2400 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 4040 smss.exe 3060 smss.exe 2660 Gaara.exe 4080 smss.exe 2708 Gaara.exe 4828 csrss.exe 1288 smss.exe 3884 Gaara.exe 4304 csrss.exe 4568 smss.exe 1840 Gaara.exe 3512 csrss.exe 4704 smss.exe 1032 Gaara.exe 1700 csrss.exe 4624 csrss.exe 2240 Gaara.exe 716 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" csrss.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\P:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini system32.exe File opened for modification \??\M:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\T:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\I:\Desktop.ini Kazekage.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\L:\Desktop.ini csrss.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\P:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini system32.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification D:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini smss.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini Gaara.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification \??\L:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\L:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\V:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\K:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\W:\Desktop.ini Gaara.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\B: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\G: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\J: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\V: system32.exe File opened (read-only) \??\H: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\Y: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\Q: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\V: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\K: Kazekage.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\P: Gaara.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\X: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\P: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\A: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\Z: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\L: Kazekage.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\Y: csrss.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\E:\Autorun.inf smss.exe File created \??\G:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf csrss.exe File opened for modification \??\O:\Autorun.inf Kazekage.exe File created \??\Y:\Autorun.inf Kazekage.exe File opened for modification \??\A:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created \??\M:\Autorun.inf system32.exe File created \??\Q:\Autorun.inf smss.exe File opened for modification \??\N:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created \??\Z:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\J:\Autorun.inf smss.exe File opened for modification \??\X:\Autorun.inf smss.exe File opened for modification \??\I:\Autorun.inf csrss.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File opened for modification \??\I:\Autorun.inf system32.exe File created \??\X:\Autorun.inf system32.exe File opened for modification F:\Autorun.inf smss.exe File created \??\R:\Autorun.inf csrss.exe File created \??\A:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created D:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created \??\X:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created \??\L:\Autorun.inf smss.exe File opened for modification \??\O:\Autorun.inf smss.exe File created \??\J:\Autorun.inf Kazekage.exe File opened for modification \??\P:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created D:\Autorun.inf Kazekage.exe File created \??\O:\Autorun.inf Kazekage.exe File opened for modification \??\Q:\Autorun.inf Kazekage.exe File created \??\K:\Autorun.inf Gaara.exe File opened for modification \??\E:\Autorun.inf csrss.exe File opened for modification \??\R:\Autorun.inf csrss.exe File created \??\K:\Autorun.inf Kazekage.exe File created \??\P:\Autorun.inf Kazekage.exe File opened for modification \??\J:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created \??\T:\Autorun.inf smss.exe File created \??\W:\Autorun.inf Gaara.exe File opened for modification \??\E:\Autorun.inf Kazekage.exe File opened for modification \??\K:\Autorun.inf system32.exe File opened for modification \??\Q:\Autorun.inf Gaara.exe File created \??\R:\Autorun.inf Kazekage.exe File opened for modification \??\T:\Autorun.inf system32.exe File created \??\H:\Autorun.inf Gaara.exe File created \??\N:\Autorun.inf Gaara.exe File created D:\Autorun.inf csrss.exe File opened for modification \??\H:\Autorun.inf csrss.exe File opened for modification \??\M:\Autorun.inf csrss.exe File opened for modification \??\X:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf Kazekage.exe File created \??\I:\Autorun.inf system32.exe File opened for modification \??\G:\Autorun.inf smss.exe File opened for modification \??\Y:\Autorun.inf Gaara.exe File opened for modification C:\Autorun.inf csrss.exe File opened for modification \??\W:\Autorun.inf csrss.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File created \??\U:\Autorun.inf system32.exe File opened for modification \??\J:\Autorun.inf Kazekage.exe File created F:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created \??\K:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\M:\Autorun.inf smss.exe File opened for modification \??\W:\Autorun.inf Gaara.exe File created \??\M:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf csrss.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Kazekage.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\ smss.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe -
resource yara_rule behavioral2/memory/4576-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002afef-11.dat upx behavioral2/memory/4040-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002afed-31.dat upx behavioral2/files/0x001900000002aff0-49.dat upx behavioral2/memory/3060-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001c00000002afee-76.dat upx behavioral2/files/0x001900000002aff6-96.dat upx behavioral2/memory/4080-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002afef-120.dat upx behavioral2/memory/2708-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002aff3-173.dat upx behavioral2/memory/4576-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002aff6-183.dat upx behavioral2/memory/4040-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002aff0-229.dat upx behavioral2/memory/4828-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x0001000000000031-513.dat upx behavioral2/memory/4780-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-588-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\system\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe smss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\ 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\mscomctl.ocx 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4724 ping.exe 1996 ping.exe 2596 ping.exe 4328 ping.exe 4672 ping.exe 4304 ping.exe 1768 ping.exe 548 ping.exe 3356 ping.exe 3472 ping.exe 4616 ping.exe 716 ping.exe 768 ping.exe 2484 ping.exe 2676 ping.exe 4424 ping.exe 2312 ping.exe 3000 ping.exe 4628 ping.exe 1332 ping.exe 3928 ping.exe 3508 ping.exe 5072 ping.exe 1768 ping.exe 4252 ping.exe 4992 ping.exe 3520 ping.exe 8 ping.exe 3916 ping.exe 3928 ping.exe 2000 ping.exe 2280 ping.exe 3060 ping.exe 4820 ping.exe 1508 ping.exe 3124 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Control Panel\Screen Saver.Marquee csrss.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 2596 ping.exe 2676 ping.exe 2312 ping.exe 3472 ping.exe 4820 ping.exe 3356 ping.exe 3520 ping.exe 2484 ping.exe 1332 ping.exe 1768 ping.exe 3000 ping.exe 3928 ping.exe 3508 ping.exe 4724 ping.exe 716 ping.exe 548 ping.exe 4616 ping.exe 4252 ping.exe 2280 ping.exe 1508 ping.exe 3124 ping.exe 2000 ping.exe 1768 ping.exe 3928 ping.exe 4328 ping.exe 4424 ping.exe 4628 ping.exe 768 ping.exe 4672 ping.exe 3916 ping.exe 3060 ping.exe 5072 ping.exe 1996 ping.exe 4992 ping.exe 8 ping.exe 4304 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 2660 Gaara.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4828 csrss.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe 4780 system32.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 4576 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe 4040 smss.exe 3060 smss.exe 2660 Gaara.exe 4080 smss.exe 2708 Gaara.exe 4828 csrss.exe 1288 smss.exe 3884 Gaara.exe 4304 csrss.exe 3004 Kazekage.exe 4568 smss.exe 1840 Gaara.exe 3512 csrss.exe 4644 Kazekage.exe 4780 system32.exe 4704 smss.exe 1032 Gaara.exe 1700 csrss.exe 2436 Kazekage.exe 2904 system32.exe 4456 system32.exe 4996 Kazekage.exe 4240 system32.exe 4624 csrss.exe 4184 Kazekage.exe 1096 system32.exe 2240 Gaara.exe 716 csrss.exe 3628 Kazekage.exe 2400 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4576 wrote to memory of 4040 4576 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe 81 PID 4576 wrote to memory of 4040 4576 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe 81 PID 4576 wrote to memory of 4040 4576 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe 81 PID 4040 wrote to memory of 3060 4040 smss.exe 82 PID 4040 wrote to memory of 3060 4040 smss.exe 82 PID 4040 wrote to memory of 3060 4040 smss.exe 82 PID 4040 wrote to memory of 2660 4040 smss.exe 83 PID 4040 wrote to memory of 2660 4040 smss.exe 83 PID 4040 wrote to memory of 2660 4040 smss.exe 83 PID 2660 wrote to memory of 4080 2660 Gaara.exe 85 PID 2660 wrote to memory of 4080 2660 Gaara.exe 85 PID 2660 wrote to memory of 4080 2660 Gaara.exe 85 PID 2660 wrote to memory of 2708 2660 Gaara.exe 86 PID 2660 wrote to memory of 2708 2660 Gaara.exe 86 PID 2660 wrote to memory of 2708 2660 Gaara.exe 86 PID 2660 wrote to memory of 4828 2660 Gaara.exe 87 PID 2660 wrote to memory of 4828 2660 Gaara.exe 87 PID 2660 wrote to memory of 4828 2660 Gaara.exe 87 PID 4828 wrote to memory of 1288 4828 csrss.exe 88 PID 4828 wrote to memory of 1288 4828 csrss.exe 88 PID 4828 wrote to memory of 1288 4828 csrss.exe 88 PID 4828 wrote to memory of 3884 4828 csrss.exe 89 PID 4828 wrote to memory of 3884 4828 csrss.exe 89 PID 4828 wrote to memory of 3884 4828 csrss.exe 89 PID 4828 wrote to memory of 4304 4828 csrss.exe 90 PID 4828 wrote to memory of 4304 4828 csrss.exe 90 PID 4828 wrote to memory of 4304 4828 csrss.exe 90 PID 4828 wrote to memory of 3004 4828 csrss.exe 91 PID 4828 wrote to memory of 3004 4828 csrss.exe 91 PID 4828 wrote to memory of 3004 4828 csrss.exe 91 PID 3004 wrote to memory of 4568 3004 Kazekage.exe 92 PID 3004 wrote to memory of 4568 3004 Kazekage.exe 92 PID 3004 wrote to memory of 4568 3004 Kazekage.exe 92 PID 3004 wrote to memory of 1840 3004 Kazekage.exe 93 PID 3004 wrote to memory of 1840 3004 Kazekage.exe 93 PID 3004 wrote to memory of 1840 3004 Kazekage.exe 93 PID 3004 wrote to memory of 3512 3004 Kazekage.exe 94 PID 3004 wrote to memory of 3512 3004 Kazekage.exe 94 PID 3004 wrote to memory of 3512 3004 Kazekage.exe 94 PID 3004 wrote to memory of 4644 3004 Kazekage.exe 95 PID 3004 wrote to memory of 4644 3004 Kazekage.exe 95 PID 3004 wrote to memory of 4644 3004 Kazekage.exe 95 PID 3004 wrote to memory of 4780 3004 Kazekage.exe 96 PID 3004 wrote to memory of 4780 3004 Kazekage.exe 96 PID 3004 wrote to memory of 4780 3004 Kazekage.exe 96 PID 4780 wrote to memory of 4704 4780 system32.exe 97 PID 4780 wrote to memory of 4704 4780 system32.exe 97 PID 4780 wrote to memory of 4704 4780 system32.exe 97 PID 4780 wrote to memory of 1032 4780 system32.exe 98 PID 4780 wrote to memory of 1032 4780 system32.exe 98 PID 4780 wrote to memory of 1032 4780 system32.exe 98 PID 4780 wrote to memory of 1700 4780 system32.exe 99 PID 4780 wrote to memory of 1700 4780 system32.exe 99 PID 4780 wrote to memory of 1700 4780 system32.exe 99 PID 4780 wrote to memory of 2436 4780 system32.exe 100 PID 4780 wrote to memory of 2436 4780 system32.exe 100 PID 4780 wrote to memory of 2436 4780 system32.exe 100 PID 4780 wrote to memory of 2904 4780 system32.exe 101 PID 4780 wrote to memory of 2904 4780 system32.exe 101 PID 4780 wrote to memory of 2904 4780 system32.exe 101 PID 4828 wrote to memory of 4456 4828 csrss.exe 131 PID 4828 wrote to memory of 4456 4828 csrss.exe 131 PID 4828 wrote to memory of 4456 4828 csrss.exe 131 PID 2660 wrote to memory of 4996 2660 Gaara.exe 103 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4576 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4040 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3060
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2660 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4080
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4828 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1288
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3884
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4304
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3004 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4568
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1840
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3512
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4644
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4780 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4704
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1032
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1700
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2436
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3124
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3928
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3472
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3928
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3916
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3520
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1508
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2596
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2312
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:548
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4304
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4424
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4456
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3060
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4820 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3628
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5072
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:716
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4996
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4240
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2280
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1768 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4456
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3356
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1768
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4992
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4328
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4624
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4184
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1096
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1332
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:768
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4724
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2676
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3000
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4252
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:716
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3628
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2400
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2000
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4628
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3508
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2484
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1996
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe1⤵PID:3480
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe1⤵PID:352
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 3-5-2025.exe1⤵PID:2368
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4596
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
9.4MB
MD56159f0d9c424f0ea31dc5ecac105e25d
SHA1d129bd2d2a3a0a4acd66d68977c822b8e0bd03cc
SHA256c9a201c26080ee7f2d08d66f93af6c53fc5e5bd2ce90057239d010f7b730b32e
SHA512c0c7974b48e49a85404912bb65c91de3e43c583e64d2c2f9aca026bd1680afc3a5e0e600dd8ccc38053ec873d6c3266f855e8d9c3db24606ffc1ad6f2833d9b8
-
Filesize
9.4MB
MD5fb25d1b774c9dd6cd99a7f8f4659ec50
SHA175a1ceaa1691597ed1bc42eae48df4d71bfa1e82
SHA25609d1d22cc8284e012be85683e41bfaac5dc11940d87dd13b7103322907fae508
SHA512296e951524b2ab5f55d5a454aa6e6de10df29c767dd28ba5f9792f34c44abb7cb01f2ae1fd6b6c68f295f521cb0acce6270a56a4cad26e8cddbd8f779d4df7b1
-
Filesize
9.4MB
MD5702bb50355e6ad028b365567c0594dbc
SHA113bccc8662cbb40888fef8b27fe3de4704729f8e
SHA25612bc0be6d89b8a04925bc18c232629c7886adadf079d23652831732deed2d46c
SHA512c9accec02641241456501d5f807107072f1a957b3dd91713cf83f68f663195269424bfd2f95eb8a10e2bf428c0af907844b7d8f85a2658a7a563035021de3b21
-
Filesize
9.4MB
MD5eab670c5f02b99203b53780d20142e38
SHA1c492e25cd3cb167f4157d72dd412b16466c97d4d
SHA256695c3dd03fe5c5b6c86399abef35ce62ad73bea24fe8ec49467170a072057a9f
SHA512042e97e7b6ab81b0f7d887ece07118a74109704c026f86ed48ddb2efac01c0657372a3bc4c5c1dc7175286f544a08d3f87ee99d53d80cf7f59bfaa7172cc70ac
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
9.4MB
MD57beb48092a5a1fc94ae1495724179759
SHA175a06466009ec3afcc75fed38af9b42ff91a704c
SHA25658523c3e7a29bb324d06c5b43059111220ea99682351a65dfbe3448f0fc0b667
SHA512e6b5de1c874ff6a5f58e28be1fec9921529de7ea1697c0bf89680ab2bd81606ecb1bb30c85189a224e95b48d5d0fcf49a1f5dbe55f3969fdc4251fbf1c421388
-
Filesize
2.4MB
MD5bc1f9733f0331f31dfafaf4f2bd01b82
SHA1b10a21c71e9a27f1b0e42c65ba70f45c668d83bc
SHA256bf3a6af2c120d3699d140b6bd943032dca62c2a4b358aa840924f4abeebb6353
SHA512c7fb9cdf50c03fa6bd5ad0426908ebde8e7de7a2f4ff0d28f058e0af8a0cca79daaa786f036e935e22e5125ad9b9e6858b706c941ba7a5bce87a3edc1e648ef5
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
9.4MB
MD52d2f76de9a817ccb48157b679a4d2455
SHA1993ac9f16e0d35614ba9dbdaf4992aa72a28828d
SHA25670add32f53d6f363de42792a228327d8897a83d3ba5793f0abf52bf55574fae4
SHA5128981eaf499c715af9027d3ae7f52ec2adc3f9af274247d14f3da8992d72ca4ebe73e0ad27e1a040456eb9d8f376460185503a7c02a1c96eec9719e08a1a4d4c9
-
Filesize
9.4MB
MD58c8eb54795acc86344fe2019ef4bab60
SHA19b91f8fca24fe044c502d285658d7873c152e248
SHA256e4e88ed9eccc57c1f8e523aa96e6b18ce1900004b13d68c5386aad00866990fe
SHA512683b273cd1a4ce8cf6849abb57b1a42aad0be40ae2cf641fa69245d8fae20a5027a4097dc586fcc4b4d8dc63eb671210ddb840feaadbf4f04d7c353e5ea2f854
-
Filesize
832KB
MD5dc739c3795d133358a9cfd96022d0ca2
SHA11dab8b97760ddca93c92043c5a054f77bb80e2e9
SHA256eef59916c1570fbcbaba47da00f505a8f62e20428eb0107cbe46b2c78bc85a28
SHA51231b03eb37e4786eb7bda68e0639325107e2a992a1eeae9fb5b37675af30057880a9eadaebba0ef1d3d592d045d640dedc06a4f2e7e55d70f648159b84eda3ba6
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.3MB
MD5229f878923da3f8a4b1f55fbe19676f4
SHA17ce8614337d8d1c3f342cdb9438d6c6207cd5090
SHA256a333291c65e432df6e44f8a04779a0962bf61b815a051fb6b1761b23a82af98d
SHA51285b50d24332f84e372e24ec455553fa9e30b7b59ee32f8953313856e8720e6f347856386f614c6b5011f0763dc29d8c3fa2a5c8d565b9c1115479a6303e0994c
-
Filesize
9.4MB
MD5ef0b709dfbcf5d4448eb11ad65f4d5c0
SHA175e9995fddf525bf0df76b6c7f6d11371b984e14
SHA256e4162f452924d08fdf4f91a893e3af8d18e57b717ed1431313ef17f7b6d196eb
SHA5123d2f31ab734fe048490514f9f6d3ba7100a335142f4545b1c9b46d8a723cd0aec515cfae5a0d72566c8c50052b8108fb1633a6c3bafe8ff7716cf05fb0ec8f5e