Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/05/2025, 16:15
Behavioral task
behavioral1
Sample
2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe
-
Size
9.5MB
-
MD5
9a2c0fe849b2f07ee331696ffef50eb6
-
SHA1
978bf0fd570e699bd682d0519138c35234c8231a
-
SHA256
ff15808c643fcb662b8e4b34d40e7fb38e4719103fafde8f414bb99bcfc20fcf
-
SHA512
980df21153538148816002e00c6a2524e633e41f05c1ff5aa1603475b6304e7346fb3a124ae521cc3b357e0b0355ac91698a971f6436f902b94a4e7846fb839f
-
SSDEEP
98304:NyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvP:q1eHL5dEvP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe -
Executes dropped EXE 30 IoCs
pid Process 2732 smss.exe 1144 smss.exe 4732 Gaara.exe 5040 smss.exe 5052 Gaara.exe 3264 csrss.exe 4716 smss.exe 3748 Gaara.exe 2296 csrss.exe 5980 Kazekage.exe 896 smss.exe 5284 Gaara.exe 684 csrss.exe 444 Kazekage.exe 2144 system32.exe 4416 smss.exe 3048 Gaara.exe 864 csrss.exe 2816 Kazekage.exe 4292 system32.exe 2564 system32.exe 4172 Kazekage.exe 556 system32.exe 5776 csrss.exe 2480 Kazekage.exe 5044 system32.exe 5488 Gaara.exe 3156 csrss.exe 3004 Kazekage.exe 5752 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 2732 smss.exe 1144 smss.exe 4732 Gaara.exe 5040 smss.exe 5052 Gaara.exe 3264 csrss.exe 4716 smss.exe 3748 Gaara.exe 2296 csrss.exe 896 smss.exe 5284 Gaara.exe 684 csrss.exe 4416 smss.exe 3048 Gaara.exe 864 csrss.exe 5776 csrss.exe 5488 Gaara.exe 3156 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" system32.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification D:\Desktop.ini csrss.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini Gaara.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification C:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\P:\Desktop.ini system32.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification F:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\H:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\J:\Desktop.ini Kazekage.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\I:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\L:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\S:\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\M:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini Gaara.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\J: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\V: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\Q: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\U: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\Z: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\M: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\S: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\W: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\K: system32.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\K: Kazekage.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\L: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\X: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\E: 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\L: Kazekage.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\X: Kazekage.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Autorun.inf Kazekage.exe File opened for modification \??\I:\Autorun.inf Kazekage.exe File created \??\J:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\S:\Autorun.inf smss.exe File opened for modification F:\Autorun.inf Gaara.exe File created \??\H:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\N:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\V:\Autorun.inf smss.exe File opened for modification D:\Autorun.inf system32.exe File opened for modification \??\U:\Autorun.inf smss.exe File opened for modification \??\P:\Autorun.inf Gaara.exe File created \??\M:\Autorun.inf csrss.exe File opened for modification \??\P:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf system32.exe File created \??\N:\Autorun.inf Gaara.exe File opened for modification \??\V:\Autorun.inf csrss.exe File created \??\A:\Autorun.inf Kazekage.exe File opened for modification \??\Z:\Autorun.inf system32.exe File created \??\E:\Autorun.inf system32.exe File opened for modification \??\O:\Autorun.inf system32.exe File opened for modification \??\E:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\L:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Y:\Autorun.inf Gaara.exe File opened for modification \??\Y:\Autorun.inf Kazekage.exe File opened for modification \??\M:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created \??\P:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\A:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf smss.exe File opened for modification \??\R:\Autorun.inf Gaara.exe File created \??\G:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf csrss.exe File opened for modification \??\R:\Autorun.inf system32.exe File opened for modification \??\B:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created \??\E:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification F:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf smss.exe File created \??\M:\Autorun.inf smss.exe File created \??\S:\Autorun.inf smss.exe File created \??\Q:\Autorun.inf Gaara.exe File created \??\S:\Autorun.inf Gaara.exe File opened for modification \??\A:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\K:\Autorun.inf Gaara.exe File created \??\R:\Autorun.inf csrss.exe File created \??\R:\Autorun.inf Kazekage.exe File created \??\L:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created \??\L:\Autorun.inf Gaara.exe File opened for modification \??\S:\Autorun.inf Gaara.exe File created \??\Y:\Autorun.inf Gaara.exe File created \??\S:\Autorun.inf csrss.exe File created \??\Z:\Autorun.inf csrss.exe File opened for modification \??\V:\Autorun.inf Kazekage.exe File opened for modification \??\K:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created \??\V:\Autorun.inf smss.exe File opened for modification \??\G:\Autorun.inf csrss.exe File created \??\V:\Autorun.inf csrss.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File created \??\T:\Autorun.inf system32.exe File created \??\M:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\X:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created \??\X:\Autorun.inf 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification \??\Z:\Autorun.inf smss.exe File created \??\A:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf Gaara.exe File created \??\B:\Autorun.inf Gaara.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\3-5-2025.exe smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\3-5-2025.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe -
resource yara_rule behavioral2/memory/4512-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b1a4-11.dat upx behavioral2/files/0x001900000002b1a0-31.dat upx behavioral2/memory/2732-34-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001c00000002b1a5-49.dat upx behavioral2/memory/1144-70-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1144-73-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b1a1-75.dat upx behavioral2/memory/4732-76-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001c00000002b1a5-89.dat upx behavioral2/files/0x001900000002b1a6-92.dat upx behavioral2/files/0x001900000002b1a7-96.dat upx behavioral2/files/0x001c00000002b1a5-88.dat upx behavioral2/memory/5040-114-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5052-113-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5052-117-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b1a4-121.dat upx behavioral2/memory/3264-120-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001c00000002b1a5-128.dat upx behavioral2/files/0x001900000002b1a7-137.dat upx behavioral2/files/0x001900000002b1a7-136.dat upx behavioral2/files/0x001900000002b1a6-132.dat upx behavioral2/memory/3748-158-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2296-157-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2296-161-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5980-165-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4512-164-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2732-188-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4732-198-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/684-202-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b1a7-208.dat upx behavioral2/memory/2144-210-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3264-228-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3048-235-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2816-236-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4292-241-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5980-240-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4292-244-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2816-239-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/444-207-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4172-253-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/556-256-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2480-262-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2144-259-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5488-267-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3004-272-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5752-275-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2564-250-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5284-199-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5044-276-0x0000000000400000-0x000000000042B000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll smss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\ Gaara.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe smss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\system\msvbvm60.dll 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe -
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2956 ping.exe 5132 ping.exe 3644 ping.exe 2564 ping.exe 4896 ping.exe 5080 ping.exe 5284 ping.exe 6068 ping.exe 1408 ping.exe 2188 ping.exe 1708 ping.exe 840 ping.exe 5936 ping.exe 1376 ping.exe 4768 ping.exe 4444 ping.exe 5720 ping.exe 3732 ping.exe 4812 ping.exe 4544 ping.exe 2020 ping.exe 6132 ping.exe 4136 ping.exe 5760 ping.exe 2840 ping.exe 1044 ping.exe 420 ping.exe 5544 ping.exe 5568 ping.exe 4164 ping.exe 3652 ping.exe 2784 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop smss.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main csrss.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe -
Runs ping.exe 1 TTPs 32 IoCs
pid Process 1044 ping.exe 4896 ping.exe 2784 ping.exe 1408 ping.exe 1708 ping.exe 5284 ping.exe 2956 ping.exe 5568 ping.exe 6132 ping.exe 5936 ping.exe 3732 ping.exe 3652 ping.exe 4136 ping.exe 2020 ping.exe 2564 ping.exe 4164 ping.exe 5080 ping.exe 2840 ping.exe 4812 ping.exe 4544 ping.exe 840 ping.exe 3644 ping.exe 5544 ping.exe 1376 ping.exe 4768 ping.exe 4444 ping.exe 5760 ping.exe 420 ping.exe 5132 ping.exe 2188 ping.exe 5720 ping.exe 6068 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 3264 csrss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 2732 smss.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe 5980 Kazekage.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 4512 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe 2732 smss.exe 1144 smss.exe 4732 Gaara.exe 5040 smss.exe 5052 Gaara.exe 3264 csrss.exe 4716 smss.exe 3748 Gaara.exe 2296 csrss.exe 5980 Kazekage.exe 896 smss.exe 5284 Gaara.exe 684 csrss.exe 444 Kazekage.exe 2144 system32.exe 4416 smss.exe 3048 Gaara.exe 864 csrss.exe 2816 Kazekage.exe 4292 system32.exe 2564 system32.exe 4172 Kazekage.exe 556 system32.exe 5776 csrss.exe 2480 Kazekage.exe 5044 system32.exe 5488 Gaara.exe 3156 csrss.exe 3004 Kazekage.exe 5752 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4512 wrote to memory of 2732 4512 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe 79 PID 4512 wrote to memory of 2732 4512 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe 79 PID 4512 wrote to memory of 2732 4512 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe 79 PID 2732 wrote to memory of 1144 2732 smss.exe 80 PID 2732 wrote to memory of 1144 2732 smss.exe 80 PID 2732 wrote to memory of 1144 2732 smss.exe 80 PID 2732 wrote to memory of 4732 2732 smss.exe 81 PID 2732 wrote to memory of 4732 2732 smss.exe 81 PID 2732 wrote to memory of 4732 2732 smss.exe 81 PID 4732 wrote to memory of 5040 4732 Gaara.exe 82 PID 4732 wrote to memory of 5040 4732 Gaara.exe 82 PID 4732 wrote to memory of 5040 4732 Gaara.exe 82 PID 4732 wrote to memory of 5052 4732 Gaara.exe 83 PID 4732 wrote to memory of 5052 4732 Gaara.exe 83 PID 4732 wrote to memory of 5052 4732 Gaara.exe 83 PID 4732 wrote to memory of 3264 4732 Gaara.exe 84 PID 4732 wrote to memory of 3264 4732 Gaara.exe 84 PID 4732 wrote to memory of 3264 4732 Gaara.exe 84 PID 3264 wrote to memory of 4716 3264 csrss.exe 85 PID 3264 wrote to memory of 4716 3264 csrss.exe 85 PID 3264 wrote to memory of 4716 3264 csrss.exe 85 PID 3264 wrote to memory of 3748 3264 csrss.exe 86 PID 3264 wrote to memory of 3748 3264 csrss.exe 86 PID 3264 wrote to memory of 3748 3264 csrss.exe 86 PID 3264 wrote to memory of 2296 3264 csrss.exe 87 PID 3264 wrote to memory of 2296 3264 csrss.exe 87 PID 3264 wrote to memory of 2296 3264 csrss.exe 87 PID 3264 wrote to memory of 5980 3264 csrss.exe 88 PID 3264 wrote to memory of 5980 3264 csrss.exe 88 PID 3264 wrote to memory of 5980 3264 csrss.exe 88 PID 5980 wrote to memory of 896 5980 Kazekage.exe 89 PID 5980 wrote to memory of 896 5980 Kazekage.exe 89 PID 5980 wrote to memory of 896 5980 Kazekage.exe 89 PID 5980 wrote to memory of 5284 5980 Kazekage.exe 90 PID 5980 wrote to memory of 5284 5980 Kazekage.exe 90 PID 5980 wrote to memory of 5284 5980 Kazekage.exe 90 PID 5980 wrote to memory of 684 5980 Kazekage.exe 91 PID 5980 wrote to memory of 684 5980 Kazekage.exe 91 PID 5980 wrote to memory of 684 5980 Kazekage.exe 91 PID 5980 wrote to memory of 444 5980 Kazekage.exe 92 PID 5980 wrote to memory of 444 5980 Kazekage.exe 92 PID 5980 wrote to memory of 444 5980 Kazekage.exe 92 PID 5980 wrote to memory of 2144 5980 Kazekage.exe 93 PID 5980 wrote to memory of 2144 5980 Kazekage.exe 93 PID 5980 wrote to memory of 2144 5980 Kazekage.exe 93 PID 2144 wrote to memory of 4416 2144 system32.exe 94 PID 2144 wrote to memory of 4416 2144 system32.exe 94 PID 2144 wrote to memory of 4416 2144 system32.exe 94 PID 2144 wrote to memory of 3048 2144 system32.exe 95 PID 2144 wrote to memory of 3048 2144 system32.exe 95 PID 2144 wrote to memory of 3048 2144 system32.exe 95 PID 2144 wrote to memory of 864 2144 system32.exe 96 PID 2144 wrote to memory of 864 2144 system32.exe 96 PID 2144 wrote to memory of 864 2144 system32.exe 96 PID 2144 wrote to memory of 2816 2144 system32.exe 97 PID 2144 wrote to memory of 2816 2144 system32.exe 97 PID 2144 wrote to memory of 2816 2144 system32.exe 97 PID 2144 wrote to memory of 4292 2144 system32.exe 98 PID 2144 wrote to memory of 4292 2144 system32.exe 98 PID 2144 wrote to memory of 4292 2144 system32.exe 98 PID 3264 wrote to memory of 2564 3264 csrss.exe 99 PID 3264 wrote to memory of 2564 3264 csrss.exe 99 PID 3264 wrote to memory of 2564 3264 csrss.exe 99 PID 4732 wrote to memory of 4172 4732 Gaara.exe 100 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4512 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2732 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1144
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4732 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5040
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5052
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3264 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4716
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3748
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2296
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5980 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:896
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5284
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:684
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:444
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2144 -
C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4416
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3048
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:864
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4292
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4544
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5544
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5720
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4768
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4136
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2784
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3644
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5132
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1376
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1708
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5284
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6068
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2564
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5568
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4812
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4896
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3652
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5080
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4172
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:556
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:420
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2188
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6132
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4444
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3732
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5776
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2480
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5760
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2564
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4164
-
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5488
-
-
C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3156
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3004
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5752
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1408
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2956
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe1⤵PID:5424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 3-5-2025.exe1⤵PID:1864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe1⤵PID:5104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:868
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
9.5MB
MD5a10cbf16ca9be16057e2d5d744ff5025
SHA18e43e546cb554f6c455ac1778703ad6cd97776ec
SHA2569f8be177848650d9ae91930e0bdc40060094a07438053805eefc9d4e4ac51e8f
SHA5128b88bfd8bd8619f97344254c14e244bb30d5dadde2e1130b00733f2d116087134a3aa6e7d2da40df832f7eea14627f0805780394e3216c8ca041e2a5cd1c76da
-
Filesize
9.5MB
MD59a2c0fe849b2f07ee331696ffef50eb6
SHA1978bf0fd570e699bd682d0519138c35234c8231a
SHA256ff15808c643fcb662b8e4b34d40e7fb38e4719103fafde8f414bb99bcfc20fcf
SHA512980df21153538148816002e00c6a2524e633e41f05c1ff5aa1603475b6304e7346fb3a124ae521cc3b357e0b0355ac91698a971f6436f902b94a4e7846fb839f
-
Filesize
9.5MB
MD50f3ab06583eb960f04d48abc40e9881b
SHA142bc832b5017d2e3b3c32340d9cf1dbecdb11fde
SHA256ee510a36f6b395ae7df49850284e9bf2a738900584f99813f72e027ed948bcf9
SHA5121092ab7bfb88ddcb075fa032710b13db01b50615a7559a5eaa7e0086bde2e1ca44603aad706de12ad0df888106379735b4f450759fae7e9f29e9bcf828647d28
-
Filesize
9.5MB
MD50b5e265fb041af0cea926e6d6aa1f13b
SHA17f3ab1e11e705ebee7936fa7cd22ab8c89448a61
SHA256d41e03db77707d4ec5dfd8d4dae356906ee01fa860dfd2b26887d4ae5d3183be
SHA5120119004ba646eb09a08f6513cb26b2e4dff20c722d9467d6aca76821742dd269caf9fd05226138a973a4d71c4f1e76c8a1754c0ed0078d736e099c85c6de431c
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
2.6MB
MD526eadb4e283adc3c3db055bd466347dc
SHA1137c65f2a46205e4f0391dc686f6836b47518e70
SHA2565650851845e73549d0d16eaee10568a28a967d14b938ae3ede19b3d9a91f3b8c
SHA51262e862a99bfac4edb83d90aea224cf6bdc6ddf94b2a90aea0f39e4d5a4a6664db2a551bb6db6fc1b1f8bd7009ce043cac1f43a6717e52fbdecde637cb09f46fa
-
Filesize
9.3MB
MD55179272473209922fb67b955074a0d42
SHA151dbbf1e056477a0c31073648594a81bf2488e20
SHA256bd896bb1822b7da4795bc0d0874b8a1af2e8fad5bd426d0d4d2da93297258dff
SHA512930d771c82bc06419c784815a2822f13ca9efb46ca0523cddcbc846e436c1348b18784fa7ac470629f6b1b338cb13a01454ec0b7d01f823e7bb8daf80c12ced9
-
Filesize
4.2MB
MD51307faa2c34af81b5a47218a4499f82f
SHA12f4f1cfdce026ecded79ef5f1c98dd2118d127b3
SHA256c385d12e9d2982e08198ce7d1df09c9901458ec82716f484d0d28fd1de4bcd11
SHA5123d72898fd2a8fe53f2e2984825d09d83f28c00149984af986b06e316851e4f27ee28da7a90785173920a390dbcb4b491d11aedb9d8bb30c306c6f54a377b038b
-
Filesize
3.0MB
MD5d44dfeea1255be02b13e9e731c13bb8f
SHA16103cab4353e7cc49dd6a9b54210a53bbdff330c
SHA256264e8364c6625e75ee7b261dbec32983ca7de19b4a1ff2fdf39e32a03750f75a
SHA5127caba4fc79bd3c31977404e6cbd730bc99ebf12226b27fced48b15eeb1b0491d78fd5435579828ada24bf6d3b71dc1f0f02939aa82d0025b3bb8706e4baef1fa
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
9.5MB
MD5dfe5f86547d75ae61759720a22338b02
SHA19ad0005f906b8dae2a6245f3b06bd8e0243c5cbf
SHA256076cd573e6fc695ce6400d72d882f47ecb82a9a81cf5cf50eabe669253405e1b
SHA5124bce4b79e8cacf5c3c8cc882da59fc414ebef444d4d3e9073545a99adf08853710e271520e893b0b26d2e8627dd795de868f0db0462c07e9fac06ee8a29ae0c5
-
Filesize
9.5MB
MD513b02c2648500379578ece8015414ca1
SHA1d455a5c97903c9cc7564604dcae3e331efe82317
SHA256119ac29726b5c74096a008ab8a161dd83e238bcef6197ebb348cec4c52b12387
SHA51259e3c116d07ac9a75e7b3010fe167799f0b68c0010c65815104f7f35af6ab584507ef1ac9c9699547c8c48acc63a7c1f91fd047885327bcbbe26144b3bf1eea0
-
Filesize
2.9MB
MD579a213cc2f9bdfd6ad705bf51177d582
SHA1fcecbfcb888abad0957e0ac17093372286f199b2
SHA256ef6d4cbd61e606227baa76f4450d77c76acf6f922cb5196517f694a31cae4628
SHA5127145125ac3bb8577bdfd1fac8886660f6a2a397d6c2c808d1fb39b5edd9ceca4488cdf49e60c099d4142455485b1153c1dcaa57bb4e337eae54dab35ea2dedfc
-
Filesize
2.8MB
MD5e1298c0dbe664e5931155b6c512e2ea3
SHA19a0b0aecc26975c24d6b394e411f9072a9728560
SHA256f6bf85e4bef693d68654b628bc7c8491479c0971a4243ef3d8e8753a42988497
SHA512910f84b43b2a23c29164a26395bfeba4272a096cd37f54d03d1a708328fbbc6cc8213b218e28db90e17fc0272c8850ccb488cb53dc837ad2e0614c0dd36cbd9b
-
Filesize
9.5MB
MD5ae95b1ee66375a286a0e77f2c4d4b607
SHA137a24453e683d69f267ca97fb39f9cf8b081871b
SHA256bbf24a03d51fb62eef061bfb94642d4e25193875b5d19cf63d721b0f156af12f
SHA512fa386932262338d302dfe2bc42eb8c6ab190a3ce1dedc5910ffd6a4c4dc31a0b9f4f0e72756700447a637aa2bf30ec90accaa369dd1c20c043b3a7405e578cff
-
Filesize
9.5MB
MD505fa0276148eb4a89dad7549840da3d7
SHA162f498c172952233a93057049401d6b0fd9871b3
SHA256779989032e6bf9d0a9b43f0342be584118717f90cf8b6ee146730b8c1fb13ad7
SHA512f68fed2685ce5903d33e9f1b605ead05b97f38251f6b2497c3079367a66b81a2486db73e8cf002f3fbaf94e55db4b3b46dbc24e890d4da4c7a40c7ecb50f313c
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a