Analysis
max time kernel: 150s
max time network: 134s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/05/2025, 14:32
Behavioral task: behavioral1
Sample: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Resource: win10v2004-20250502-en
Behavioral task: behavioral2
Sample: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Resource: win11-20250502-en
General
Target: 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Size: 9.4MB
MD5: fb25d1b774c9dd6cd99a7f8f4659ec50
SHA1: 75a1ceaa1691597ed1bc42eae48df4d71bfa1e82
SHA256: 09d1d22cc8284e012be85683e41bfaac5dc11940d87dd13b7103322907fae508
SHA512: 296e951524b2ab5f55d5a454aa6e6de10df29c767dd28ba5f9792f34c44abb7cb01f2ae1fd6b6c68f295f521cb0acce6270a56a4cad26e8cddbd8f779d4df7b1
SSDEEP: 98304:cGyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvA:Z1eHL5dEvA
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
UAC bypass (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Executes dropped EXE (30 IoCs)
pid | Process
3612 | smss.exe
5560 | smss.exe
5624 | Gaara.exe
4416 | smss.exe
3324 | Gaara.exe
4988 | csrss.exe
2400 | smss.exe
3760 | Gaara.exe
2160 | csrss.exe
3164 | Kazekage.exe
2764 | smss.exe
3240 | Gaara.exe
2856 | csrss.exe
1448 | Kazekage.exe
6100 | Gaara.exe
1044 | system32.exe
3776 | csrss.exe
1468 | Kazekage.exe
5336 | system32.exe
6108 | smss.exe
3796 | Gaara.exe
4564 | csrss.exe
2240 | Kazekage.exe
2440 | system32.exe
1416 | system32.exe
4544 | Kazekage.exe
2840 | system32.exe
2456 | csrss.exe
1600 | Kazekage.exe
5024 | system32.exe
Loads dropped DLL (18 IoCs)
pid | Process
3612 | smss.exe
5560 | smss.exe
5624 | Gaara.exe
4416 | smss.exe
3324 | Gaara.exe
4988 | csrss.exe
2400 | smss.exe
3760 | Gaara.exe
2160 | csrss.exe
2764 | smss.exe
3240 | Gaara.exe
2856 | csrss.exe
6100 | Gaara.exe
3776 | csrss.exe
6108 | smss.exe
3796 | Gaara.exe
4564 | csrss.exe
2456 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" | smss.exe
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created \??\R:\Autorun.inf smss.exe
File created \??\H:\Autorun.inf Kazekage.exe
File opened for modification \??\V:\Autorun.inf Kazekage.exe
File created \??\A:\Autorun.inf system32.exe
File created \??\H:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created F:\Autorun.inf smss.exe
File created \??\Z:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created \??\Z:\Autorun.inf smss.exe
File created \??\Y:\Autorun.inf Gaara.exe
File opened for modification \??\M:\Autorun.inf Kazekage.exe
File created \??\S:\Autorun.inf system32.exe
File created \??\P:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification \??\U:\Autorun.inf smss.exe
File opened for modification \??\J:\Autorun.inf Gaara.exe
File opened for modification \??\A:\Autorun.inf csrss.exe
File created \??\G:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created \??\I:\Autorun.inf smss.exe
File created \??\M:\Autorun.inf Kazekage.exe
File created \??\Q:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification \??\R:\Autorun.inf smss.exe
File opened for modification \??\G:\Autorun.inf Gaara.exe
File opened for modification \??\K:\Autorun.inf Gaara.exe
File created D:\Autorun.inf csrss.exe
File opened for modification D:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification \??\H:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification \??\T:\Autorun.inf Kazekage.exe
File opened for modification \??\S:\Autorun.inf smss.exe
File opened for modification \??\M:\Autorun.inf Gaara.exe
File opened for modification \??\Q:\Autorun.inf Gaara.exe
File created \??\V:\Autorun.inf Gaara.exe
File opened for modification \??\W:\Autorun.inf Gaara.exe
File created \??\A:\Autorun.inf csrss.exe
File opened for modification \??\B:\Autorun.inf csrss.exe
File created \??\L:\Autorun.inf Kazekage.exe
File opened for modification \??\B:\Autorun.inf smss.exe
File opened for modification \??\P:\Autorun.inf Gaara.exe
File opened for modification \??\L:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification \??\W:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created \??\G:\Autorun.inf smss.exe
File created \??\L:\Autorun.inf smss.exe
File created \??\W:\Autorun.inf smss.exe
File created \??\N:\Autorun.inf Gaara.exe
File created \??\K:\Autorun.inf Kazekage.exe
File opened for modification \??\J:\Autorun.inf system32.exe
File opened for modification \??\U:\Autorun.inf system32.exe
File opened for modification \??\Z:\Autorun.inf system32.exe
File opened for modification \??\S:\Autorun.inf Gaara.exe
File created \??\O:\Autorun.inf csrss.exe
File opened for modification \??\X:\Autorun.inf Kazekage.exe
File created \??\G:\Autorun.inf system32.exe
File created \??\E:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created \??\T:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created \??\E:\Autorun.inf Kazekage.exe
File created \??\T:\Autorun.inf smss.exe
File created \??\V:\Autorun.inf smss.exe
File created \??\S:\Autorun.inf Kazekage.exe
File created \??\Z:\Autorun.inf Kazekage.exe
File opened for modification \??\R:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification F:\Autorun.inf csrss.exe
File opened for modification \??\W:\Autorun.inf Kazekage.exe
File opened for modification \??\P:\Autorun.inf 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification \??\Z:\Autorun.inf smss.exe
File opened for modification \??\I:\Autorun.inf csrss.exe
File created \??\M:\Autorun.inf csrss.exe
Drops file in System32 directory 39 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe
File opened for modification C:\Windows\SysWOW64\ smss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe smss.exe
File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe
File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File created C:\Windows\SysWOW64\mscomctl.ocx smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe system32.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe
File opened for modification C:\Windows\SysWOW64\ 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe csrss.exe
File opened for modification C:\Windows\SysWOW64\ Kazekage.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File created C:\Windows\SysWOW64\Desktop.ini smss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\ Gaara.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\ csrss.exe
File opened for modification C:\Windows\SysWOW64\ system32.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
resource yara_rule
behavioral2/memory/4636-0-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b15e-11.dat upx
behavioral2/files/0x001900000002b15c-31.dat upx
behavioral2/memory/3612-34-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b15e-46.dat upx
behavioral2/files/0x001900000002b162-57.dat upx
behavioral2/memory/5560-70-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5560-74-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b15d-76.dat upx
behavioral2/memory/5624-77-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b161-94.dat upx
behavioral2/memory/4416-115-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3324-119-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4988-122-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b15e-123.dat upx
behavioral2/files/0x001900000002b162-139.dat upx
behavioral2/memory/3760-157-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2160-165-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3612-164-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3164-171-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2160-178-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b161-170.dat upx
behavioral2/memory/3760-163-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4636-156-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b15f-180.dat upx
behavioral2/memory/5624-197-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/files/0x001900000002b162-184.dat upx
behavioral2/memory/3240-203-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3240-210-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4988-218-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/6100-232-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3776-243-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3164-248-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5336-258-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1468-247-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3776-230-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1044-229-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1448-220-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3796-269-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2240-272-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4564-274-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2440-277-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2240-279-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1044-282-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2440-284-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1416-288-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4544-292-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/2840-298-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1600-303-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5024-307-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4988-308-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3164-309-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4636-310-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3612-311-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1044-312-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5624-313-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3612-323-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4636-500-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1044-543-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5624-544-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4988-545-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3164-546-0x0000000000400000-0x000000000042A000-memory.dmp upx
Drops file in Windows directory 64 IoCs
description ioc Process
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Kazekage.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe system32.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe system32.exe
File created C:\Windows\WBEM\msvbvm60.dll system32.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe smss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\system\msvbvm60.dll system32.exe
File opened for modification C:\Windows\ smss.exe
File opened for modification C:\Windows\mscomctl.ocx Gaara.exe
File opened for modification C:\Windows\ csrss.exe
File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe smss.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe csrss.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe
File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe smss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe
File opened for modification C:\Windows\system\mscoree.dll smss.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe csrss.exe
File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe csrss.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Kazekage.exe
File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe csrss.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe system32.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Gaara.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe system32.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe system32.exe
File opened for modification C:\Windows\ Kazekage.exe
File opened for modification C:\Windows\mscomctl.ocx 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\msvbvm60.dll system32.exe
File opened for modification C:\Windows\mscomctl.ocx smss.exe
File opened for modification C:\Windows\mscomctl.ocx csrss.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe csrss.exe
File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe
File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\msvbvm60.dll smss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe
File created C:\Windows\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe smss.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Gaara.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe
File created C:\Windows\system\msvbvm60.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\system\mscoree.dll 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe system32.exe
File created C:\Windows\mscomctl.ocx smss.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
3388 ping.exe
3656 ping.exe
3796 ping.exe
1624 ping.exe
2936 ping.exe
5420 ping.exe
2224 ping.exe
1384 ping.exe
3824 ping.exe
3036 ping.exe
5392 ping.exe
4668 ping.exe
4640 ping.exe
1968 ping.exe
5956 ping.exe
3608 ping.exe
2824 ping.exe
4984 ping.exe
4016 ping.exe
2172 ping.exe
2572 ping.exe
3184 ping.exe
2888 ping.exe
5732 ping.exe
1156 ping.exe
3832 ping.exe
4048 ping.exe
2480 ping.exe
5372 ping.exe
4116 ping.exe
780 ping.exe
6012 ping.exe
5840 ping.exe
2196 ping.exe
4196 ping.exe
4744 ping.exe
Modifies Control Panel 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee csrss.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe
Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control
Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Control Panel\Desktop Gaara.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! 
Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1454956602-4007834095-2135319884-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe -
Modifies registry class 51 IoCs
Runs ping.exe 1 TTPs 36 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe "C:\Users\Admin\AppData\Local\Temp\2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe" (depth 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4636
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe" (depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3612
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe" (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5560
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe" (depth 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5624
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe" (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4416
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe" (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3324
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe" (depth 4)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4988
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe" (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2400
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe" (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3760
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe" (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2160
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe (depth 5)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3164
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe" (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2764
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe" (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3240
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe" (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2856
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe (depth 6)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1448
C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\system32\drivers\system32.exe (depth 6)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1044
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe" (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6108
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe" (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3796
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe" (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4564
C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\system32\drivers\Kazekage.exe (depth 7)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2440
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4640
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2888
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1968
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3824
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3036
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5840
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3184
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4744
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2196
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:780
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5420
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3608
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4668
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2224
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1624
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6012
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4016
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4544
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5392
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4116
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3832
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2824
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4048
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5956
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2456
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1600
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5024
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2572
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3656
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1384
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3796
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4984
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2172
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6100
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3776
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1468
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5336
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5372
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4196
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5732
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1156
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3388
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe1⤵PID:3004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe1⤵PID:1800
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 3-5-2025.exe1⤵PID:5444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5536
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads