ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c

Analysis

max time kernel
170s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NINJA.exe
Size

817KB
MD5

9e870f801dd759298a34be67b104d930
SHA1

c770dab38fce750094a42b1d26311fe135e961ba
SHA256

6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b
SHA512

f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf
SSDEEP

24576:5sGzuMNu2HWJD2U1zANRGTfllqapvYaqom:5tLezwRW3vJ

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SBADLH.lnk	NINJA.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	system.exe
2820	system.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	NINJA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SBADLH = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\system.exe\""	NINJA.exe

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral27/memory/3068-9-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-10-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-12-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-13-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/2164-17-0x0000000000340000-0x00000000004FD000-memory.dmp	autoit_exe
behavioral27/memory/3068-18-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-19-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-20-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-22-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-23-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-24-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/2820-27-0x00000000001E0000-0x000000000039D000-memory.dmp	autoit_exe
behavioral27/memory/3068-28-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-29-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-30-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-31-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe
behavioral27/memory/3068-32-0x00000000002F0000-0x00000000004AD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2772	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	NINJA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe
3068	NINJA.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	NINJA.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2664	3068	NINJA.exe	29
PID 3068 wrote to memory of 2664	3068	NINJA.exe	29
PID 3068 wrote to memory of 2664	3068	NINJA.exe	29
PID 3068 wrote to memory of 2664	3068	NINJA.exe	29
PID 3068 wrote to memory of 2636	3068	NINJA.exe	31
PID 3068 wrote to memory of 2636	3068	NINJA.exe	31
PID 3068 wrote to memory of 2636	3068	NINJA.exe	31
PID 3068 wrote to memory of 2636	3068	NINJA.exe	31
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2664 wrote to memory of 2772	2664	cmd.exe	32
PID 2132 wrote to memory of 2164	2132	taskeng.exe	35
PID 2132 wrote to memory of 2164	2132	taskeng.exe	35
PID 2132 wrote to memory of 2164	2132	taskeng.exe	35
PID 2132 wrote to memory of 2164	2132	taskeng.exe	35
PID 2132 wrote to memory of 2820	2132	taskeng.exe	36
PID 2132 wrote to memory of 2820	2132	taskeng.exe	36
PID 2132 wrote to memory of 2820	2132	taskeng.exe	36
PID 2132 wrote to memory of 2820	2132	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\NINJA.exe
"C:\Users\Admin\AppData\Local\Temp\NINJA.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:2772
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
  2⤵
  PID:2636

C:\Windows\system32\taskeng.exe
taskeng.exe {AE853C08-E844-40B0-BAE3-A883D7B4D197} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\Windata\system.exe
  C:\Users\Admin\AppData\Roaming\Windata\system.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Users\Admin\AppData\Roaming\Windata\system.exe
  C:\Users\Admin\AppData\Roaming\Windata\system.exe
  2⤵
  - Executes dropped EXE
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs

Filesize
830B

MD5
d2060d8460f3e563679b861be3612622

SHA1
c2b1f9eec2ed9958c3fd2bc30171a70cfe189324

SHA256
07099ebf0bd52efd1718cfde37eed5fce833753fe43764ffeff22aa1393fd4e3

SHA512
042d0350dac62d92402aa66ea8cc981a9ab3356a5472b63544d780757b8d890d1e9015d77318f22453bc447c09687fb30cca56c70d691a0e34acab51aa637b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\system.exe

Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\system.exe

Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\system.exe

Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
\Users\Admin\AppData\Roaming\Windata\system.exe

Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
memory/2164-17-0x0000000000340000-0x00000000004FD000-memory.dmp

Filesize
1.7MB

Download
memory/2164-16-0x0000000000340000-0x00000000004FD000-memory.dmp

Filesize
1.7MB

Download
memory/2820-27-0x00000000001E0000-0x000000000039D000-memory.dmp

Filesize
1.7MB

Download
memory/2820-26-0x00000000001E0000-0x000000000039D000-memory.dmp

Filesize
1.7MB

Download
memory/3068-11-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/3068-24-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-12-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-0-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-18-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-19-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-20-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-22-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-23-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-13-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-10-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-9-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-5-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/3068-28-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-29-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-30-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-31-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download
memory/3068-32-0x00000000002F0000-0x00000000004AD000-memory.dmp

Filesize
1.7MB

Download