Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/05/2025, 15:53
Behavioral task
behavioral1
Sample
2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe
-
Size
9.5MB
-
MD5
0187b29f338fa5329aecfdf4dd33458a
-
SHA1
da8b3f2af5e495daa6040b420dc4e0ac40d39c9b
-
SHA256
7edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b
-
SHA512
1257fcbe48c4e74adeaddb6957dd7702bc19ff6bdeed88500041f1f1db3f711c101e51e598e55f2c638af3a5cf3c48eaa0f76902193750e249913d7d0affdb54
-
SSDEEP
98304:kyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYv1:31eHL5dEv1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe -
Executes dropped EXE 30 IoCs
pid Process 752 smss.exe 3096 smss.exe 1168 Gaara.exe 5404 smss.exe 4792 Gaara.exe 4844 csrss.exe 4444 smss.exe 388 Gaara.exe 2960 csrss.exe 1068 Kazekage.exe 964 smss.exe 1624 Gaara.exe 4968 csrss.exe 3312 Kazekage.exe 5760 system32.exe 5048 smss.exe 3452 Gaara.exe 2204 csrss.exe 1072 Kazekage.exe 4684 system32.exe 4648 system32.exe 3816 Kazekage.exe 3080 system32.exe 5380 csrss.exe 2248 Kazekage.exe 4880 system32.exe 5528 Gaara.exe 5848 csrss.exe 3368 Kazekage.exe 4240 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 752 smss.exe 3096 smss.exe 1168 Gaara.exe 5404 smss.exe 4792 Gaara.exe 4844 csrss.exe 4444 smss.exe 388 Gaara.exe 2960 csrss.exe 964 smss.exe 1624 Gaara.exe 4968 csrss.exe 5048 smss.exe 3452 Gaara.exe 2204 csrss.exe 5380 csrss.exe 5528 Gaara.exe 5848 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini csrss.exe File opened for modification F:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\T:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\I:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\X:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification F:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\E:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\M:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini smss.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini Gaara.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\Q:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\R:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\E:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\R:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini system32.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: smss.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\K: Gaara.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\K: Kazekage.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\Z: Kazekage.exe File opened (read-only) \??\X: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\P: system32.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\Q: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\J: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\H: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\P: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\N: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\S: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\E: Gaara.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\E: 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\T: Gaara.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\H:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf system32.exe File opened for modification \??\R:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\B:\Autorun.inf smss.exe File opened for modification \??\S:\Autorun.inf smss.exe File opened for modification C:\Autorun.inf Gaara.exe File opened for modification \??\H:\Autorun.inf Gaara.exe File created \??\N:\Autorun.inf Gaara.exe File created \??\P:\Autorun.inf Kazekage.exe File opened for modification \??\X:\Autorun.inf Kazekage.exe File created D:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\X:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\J:\Autorun.inf Gaara.exe File created \??\R:\Autorun.inf Gaara.exe File created \??\P:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf Kazekage.exe File created \??\K:\Autorun.inf csrss.exe File created \??\O:\Autorun.inf csrss.exe File opened for modification F:\Autorun.inf Kazekage.exe File created \??\U:\Autorun.inf Kazekage.exe File opened for modification C:\Autorun.inf system32.exe File created \??\U:\Autorun.inf smss.exe File opened for modification D:\Autorun.inf csrss.exe File created \??\E:\Autorun.inf csrss.exe File opened for modification \??\J:\Autorun.inf csrss.exe File created \??\U:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf system32.exe File opened for modification \??\O:\Autorun.inf system32.exe File created \??\Q:\Autorun.inf system32.exe File created \??\H:\Autorun.inf Gaara.exe File created D:\Autorun.inf csrss.exe File created \??\L:\Autorun.inf csrss.exe File opened for modification \??\Q:\Autorun.inf system32.exe File opened for modification \??\L:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\X:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\U:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification F:\Autorun.inf smss.exe File created \??\J:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf csrss.exe File opened for modification \??\L:\Autorun.inf Kazekage.exe File created \??\R:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\A:\Autorun.inf Gaara.exe File opened for modification F:\Autorun.inf Gaara.exe File opened for modification \??\I:\Autorun.inf system32.exe File created \??\J:\Autorun.inf Kazekage.exe File created \??\M:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\U:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\N:\Autorun.inf smss.exe File opened for modification \??\V:\Autorun.inf csrss.exe File opened for modification \??\G:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf system32.exe File opened for modification \??\Z:\Autorun.inf system32.exe File created \??\Q:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\N:\Autorun.inf smss.exe File opened for modification \??\E:\Autorun.inf csrss.exe File opened for modification C:\Autorun.inf Kazekage.exe File opened for modification \??\W:\Autorun.inf Kazekage.exe File created \??\S:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\H:\Autorun.inf csrss.exe File created \??\Z:\Autorun.inf system32.exe File created \??\B:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created \??\N:\Autorun.inf 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Kazekage.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
resource yara_rule behavioral2/memory/3704-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b3ed-11.dat upx behavioral2/memory/752-32-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b3eb-31.dat upx behavioral2/memory/3096-70-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3096-73-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1168-76-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b3ec-75.dat upx behavioral2/memory/4792-114-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5404-113-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4792-117-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b3ed-119.dat upx behavioral2/memory/4844-121-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b3ee-128.dat upx behavioral2/memory/388-158-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2960-157-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2960-161-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3704-165-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1068-166-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b3ef-164.dat upx behavioral2/memory/752-189-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3312-205-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5760-209-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3452-232-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4844-227-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b3ee-217.dat upx behavioral2/files/0x001900000002b3f0-208.dat upx behavioral2/memory/1072-239-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3816-248-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3080-253-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5760-257-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2248-258-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2248-261-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4880-264-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5528-267-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5848-270-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3368-273-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4240-276-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4648-245-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4684-242-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4684-238-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1068-237-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1624-198-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1168-197-0x0000000000400000-0x000000000042B000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\system\mscoree.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\mscomctl.ocx 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\system\msvbvm60.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe system32.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe smss.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4924 ping.exe 1488 ping.exe 1560 ping.exe 1388 ping.exe 5824 ping.exe 4208 ping.exe 3388 ping.exe 2340 ping.exe 4868 ping.exe 3040 ping.exe 2392 ping.exe 3500 ping.exe 4008 ping.exe 388 ping.exe 4636 ping.exe 5372 ping.exe 2932 ping.exe 4988 ping.exe 5884 ping.exe 1732 ping.exe 2868 ping.exe 5756 ping.exe 3068 ping.exe 1672 ping.exe 5144 ping.exe 4044 ping.exe 1368 ping.exe 2644 ping.exe 4248 ping.exe 2292 ping.exe 3680 ping.exe 444 ping.exe 2948 ping.exe 4348 ping.exe 1836 ping.exe 5028 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 2948 ping.exe 4636 ping.exe 1732 ping.exe 4924 ping.exe 4208 ping.exe 5884 ping.exe 2868 ping.exe 1560 ping.exe 3680 ping.exe 3500 ping.exe 5824 ping.exe 2292 ping.exe 3040 ping.exe 1672 ping.exe 4868 ping.exe 2932 ping.exe 4248 ping.exe 3388 ping.exe 388 ping.exe 1836 ping.exe 4044 ping.exe 444 ping.exe 2644 ping.exe 2340 ping.exe 4348 ping.exe 1488 ping.exe 1388 ping.exe 3068 ping.exe 4008 ping.exe 5372 ping.exe 2392 ping.exe 1368 ping.exe 4988 ping.exe 5028 ping.exe 5144 ping.exe 5756 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 1168 Gaara.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 4844 csrss.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe 1068 Kazekage.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3704 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe 752 smss.exe 3096 smss.exe 1168 Gaara.exe 5404 smss.exe 4792 Gaara.exe 4844 csrss.exe 4444 smss.exe 388 Gaara.exe 2960 csrss.exe 1068 Kazekage.exe 964 smss.exe 1624 Gaara.exe 4968 csrss.exe 3312 Kazekage.exe 5760 system32.exe 5048 smss.exe 3452 Gaara.exe 2204 csrss.exe 1072 Kazekage.exe 4684 system32.exe 4648 system32.exe 3816 Kazekage.exe 3080 system32.exe 5380 csrss.exe 2248 Kazekage.exe 4880 system32.exe 5528 Gaara.exe 5848 csrss.exe 3368 Kazekage.exe 4240 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3704 wrote to memory of 752 3704 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe 78 PID 3704 wrote to memory of 752 3704 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe 78 PID 3704 wrote to memory of 752 3704 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe 78 PID 752 wrote to memory of 3096 752 smss.exe 79 PID 752 wrote to memory of 3096 752 smss.exe 79 PID 752 wrote to memory of 3096 752 smss.exe 79 PID 752 wrote to memory of 1168 752 smss.exe 80 PID 752 wrote to memory of 1168 752 smss.exe 80 PID 752 wrote to memory of 1168 752 smss.exe 80 PID 1168 wrote to memory of 5404 1168 Gaara.exe 81 PID 1168 wrote to memory of 5404 1168 Gaara.exe 81 PID 1168 wrote to memory of 5404 1168 Gaara.exe 81 PID 1168 wrote to memory of 4792 1168 Gaara.exe 82 PID 1168 wrote to memory of 4792 1168 Gaara.exe 82 PID 1168 wrote to memory of 4792 1168 Gaara.exe 82 PID 1168 wrote to memory of 4844 1168 Gaara.exe 83 PID 1168 wrote to memory of 4844 1168 Gaara.exe 83 PID 1168 wrote to memory of 4844 1168 Gaara.exe 83 PID 4844 wrote to memory of 4444 4844 csrss.exe 84 PID 4844 wrote to memory of 4444 4844 csrss.exe 84 PID 4844 wrote to memory of 4444 4844 csrss.exe 84 PID 4844 wrote to memory of 388 4844 csrss.exe 85 PID 4844 wrote to memory of 388 4844 csrss.exe 85 PID 4844 wrote to memory of 388 4844 csrss.exe 85 PID 4844 wrote to memory of 2960 4844 csrss.exe 86 PID 4844 wrote to memory of 2960 4844 csrss.exe 86 PID 4844 wrote to memory of 2960 4844 csrss.exe 86 PID 4844 wrote to memory of 1068 4844 csrss.exe 87 PID 4844 wrote to memory of 1068 4844 csrss.exe 87 PID 4844 wrote to memory of 1068 4844 csrss.exe 87 PID 1068 wrote to memory of 964 1068 Kazekage.exe 88 PID 1068 wrote to memory of 964 1068 Kazekage.exe 88 PID 1068 wrote to memory of 964 1068 Kazekage.exe 88 PID 1068 wrote to memory of 1624 1068 Kazekage.exe 89 PID 1068 wrote to memory of 1624 1068 Kazekage.exe 89 PID 1068 wrote to memory of 1624 1068 Kazekage.exe 89 PID 1068 wrote to memory of 4968 1068 Kazekage.exe 90 PID 1068 wrote to memory of 4968 1068 Kazekage.exe 90 PID 1068 wrote to memory of 4968 1068 Kazekage.exe 90 PID 1068 wrote to memory of 3312 1068 Kazekage.exe 91 PID 1068 wrote to memory of 3312 1068 Kazekage.exe 91 PID 1068 wrote to memory of 3312 1068 Kazekage.exe 91 PID 1068 wrote to memory of 5760 1068 Kazekage.exe 92 PID 1068 wrote to memory of 5760 1068 Kazekage.exe 92 PID 1068 wrote to memory of 5760 1068 Kazekage.exe 92 PID 5760 wrote to memory of 5048 5760 system32.exe 93 PID 5760 wrote to memory of 5048 5760 system32.exe 93 PID 5760 wrote to memory of 5048 5760 system32.exe 93 PID 5760 wrote to memory of 3452 5760 system32.exe 94 PID 5760 wrote to memory of 3452 5760 system32.exe 94 PID 5760 wrote to memory of 3452 5760 system32.exe 94 PID 5760 wrote to memory of 2204 5760 system32.exe 95 PID 5760 wrote to memory of 2204 5760 system32.exe 95 PID 5760 wrote to memory of 2204 5760 system32.exe 95 PID 5760 wrote to memory of 1072 5760 system32.exe 96 PID 5760 wrote to memory of 1072 5760 system32.exe 96 PID 5760 wrote to memory of 1072 5760 system32.exe 96 PID 5760 wrote to memory of 4684 5760 system32.exe 97 PID 5760 wrote to memory of 4684 5760 system32.exe 97 PID 5760 wrote to memory of 4684 5760 system32.exe 97 PID 4844 wrote to memory of 4648 4844 csrss.exe 98 PID 4844 wrote to memory of 4648 4844 csrss.exe 98 PID 4844 wrote to memory of 4648 4844 csrss.exe 98 PID 1168 wrote to memory of 3816 1168 Gaara.exe 99 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3704 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:752 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3096
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1168 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5404
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4792
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4844 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4444
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:388
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2960
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1068 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:964
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1624
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4968
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3312
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5760 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5048
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3452
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2204
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1072
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4684
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:388
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4348
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3040
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3500
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3068
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4868
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4924
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1836
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5372
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1388
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:444
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4648
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3388
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2340
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1732
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2868
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4988
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5028
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3816
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3080
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4248
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4008
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4636
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5144
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3680
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1560
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5380
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2248
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4880
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2948
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2292
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5884
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1368
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5528
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5848
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3368
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4240
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2644
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5824
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1488
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4208
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2392
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe1⤵PID:2264
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe1⤵PID:2028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 3-5-2025.exe1⤵PID:1896
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2980
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
9.5MB
MD528f4130b7e83e58ae2d00a990c7095e6
SHA137b20eaab370104263a36583c451ae2003e179d6
SHA256ef6676e8f4fd86a741e16b13c3039f8201b6dff9b57aa16a74f0e32e01b7581a
SHA512e60ef2bf2899e7c3165b382b6daf542c0361c1af30130113f17bf75b0b9d471bdbd3d9b2770c6106499c582e16c9b4746ac6ba4edba3e36e1398ce79c38a8dab
-
Filesize
9.5MB
MD50187b29f338fa5329aecfdf4dd33458a
SHA1da8b3f2af5e495daa6040b420dc4e0ac40d39c9b
SHA2567edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b
SHA5121257fcbe48c4e74adeaddb6957dd7702bc19ff6bdeed88500041f1f1db3f711c101e51e598e55f2c638af3a5cf3c48eaa0f76902193750e249913d7d0affdb54
-
Filesize
9.5MB
MD50849c02e56b7c48dec2a760d1c81e054
SHA1d877f1aef77917904dd1df746d1abf10cabace3d
SHA2568b88465800e16f96f800b19db2a8aa6b37f35c4f3a8f4b8e74b7b18947d6bac6
SHA5124190047631f72c3169ec7a64994a1c06549cfa442010472247fa770fbe83fbcbe9d860f119da46acb56e0b43f96068b25c28ebbd1feb1db29223576b35af74a6
-
Filesize
9.5MB
MD5936e54bd930785ef0bbefb22aacda9db
SHA1eca6fa1ff092810c0fcd8e6717c5255120169659
SHA256d43bd624583725171cfff0649a0e47dc76f5f5e1c352e0ca23304e4445bc92f1
SHA512abbec998c0133bf5f23bc819bdda79105a7a4fca217f281401b202412b939c7b6f76ef0713f1e15aa4e3fe4c0e088675de400b2e1b050b504ed6e2d451eea1c5
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
1.6MB
MD59b4da9153f28d12d002e698ebee06cad
SHA156382d6af2abd1ceec7d25d5c47aa22e239a0e0d
SHA25611965def89a07922b45174ed42b6a1a23049073011b6c8cefb7b81818d8a86fd
SHA5128cc1f1e9c6423c5e9c628eefced3784bcd4ae5f26194c8ab1ee5be15ca8fa740924e4c8086c500e8d24fe50e3c914b4015566d988c56e86d052da9c00650d962
-
Filesize
9.5MB
MD57caaff6fa157db47c5063b7b89c087fb
SHA11b4b5514d68421ff3cce8d7b8b71ed837bbda229
SHA256cf238294b4fa7247cef5a4d67f04a829b4db71017c606fd858230da8725651c4
SHA512278da0d993806027f37a6ba4fd118f451ea1543c8c9783cfd5ac3899a5e4efec0c9dd37b7d7081be5a3b0384864d08a3b009bd0d93c9837c27d8cf9af35f10a4
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
9.5MB
MD5825747316fd6084a52fb1d6843c4c671
SHA1316da0d986397eb829ddddec8bcd8af453d2e4a7
SHA256397b9c62df4bd981b8379a19987ca1d7d73fef1df0c86822434855c760900c4d
SHA5123c071e6d1b55329470f9cbc28506450f8189bc9fcca0761bb227399c874b5cfab6a0cbaabe3c849dc2bab59058642db36d48fec57f673d8e948b9b615eb832e1
-
Filesize
9.5MB
MD5df8079fe7a1db331c68bea29f87de1fe
SHA1bad3a7afe4497bff1a9bd4ffe8f35f06bddf4521
SHA2567571b7107318eaf1e99cda8fc1bc048ed8301bba9d70f78395d7ff56d9e646ac
SHA512b174aedf9b6b068212885e77ec75a86e2334e99f907187fe669d50318dbec1e305c73aa72c716911a10779d6f74b72b3c3070c35696c5cbebdb6ed049dd43114
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a