bf5debbf7b62117ac060513276fa0fdd91d403e62340b50e27db630be5a312f3

General

Target

NinjaCS_v1.2_[unknowncheats.me]_.exe
Size

3.5MB
MD5

c79ab0b486d21917a4d8a36d1239447a
SHA1

034837082d0d1021b2776fa7cd7ca4985f48f6ca
SHA256

bf5debbf7b62117ac060513276fa0fdd91d403e62340b50e27db630be5a312f3
SHA512

0e40d8f30d1be45e1273e6d91bee94f6a25f663b304c709fe14611af0511e0c24d298fd095e951f78e17bc59f04318ddf19cdcfacc7fc188998ca8028eaedfeb
SSDEEP

98304:Fcb+6LNja7lCx0BVgezCxFvrHvGopcZqrf:FcRL05+ezCxFPGyca

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1980	NinjaCS.exe
1264	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2304	NinjaCS_v1.2_[unknowncheats.me]_.exe
1264	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1980	NinjaCS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	NinjaCS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1980	2304	NinjaCS_v1.2_[unknowncheats.me]_.exe	27
PID 2304 wrote to memory of 1980	2304	NinjaCS_v1.2_[unknowncheats.me]_.exe	27
PID 2304 wrote to memory of 1980	2304	NinjaCS_v1.2_[unknowncheats.me]_.exe	27
PID 2304 wrote to memory of 1980	2304	NinjaCS_v1.2_[unknowncheats.me]_.exe	27

C:\Users\Admin\AppData\Local\Temp\NinjaCS_v1.2_[unknowncheats.me]_.exe
"C:\Users\Admin\AppData\Local\Temp\NinjaCS_v1.2_[unknowncheats.me]_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HandyControl.dll

Filesize
1.7MB

MD5
7721007a7009690c5bfba1c4e3f56c25

SHA1
bf0644114d3b8cc7104993d697f456724a4549f8

SHA256
858f82fa07f161bccb3ac14addb3efd44542bc957d8e203b7d468f19441980b4

SHA512
488f60b2df9fbb47d434ab4e6b7db917e6b24d7a6e3c09f4e1e1f9fc0fdd88968450773113d6a18d78b6898f8fba0ee2313ecb828d6fe3b65ffc994078f816fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
memory/1980-24-0x000000013F870000-0x000000013FAD8000-memory.dmp

Filesize
2.4MB

Download
memory/1980-28-0x000000001BC60000-0x000000001BE20000-memory.dmp

Filesize
1.8MB

Download
memory/1980-29-0x000000001BE40000-0x000000001BEC0000-memory.dmp

Filesize
512KB

Download
memory/1980-30-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/1980-31-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/1980-26-0x000000001BE40000-0x000000001BEC0000-memory.dmp

Filesize
512KB

Download
memory/1980-25-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1980-35-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1980-36-0x000000001BE40000-0x000000001BEC0000-memory.dmp

Filesize
512KB

Download
memory/1980-37-0x000000001BE40000-0x000000001BEC0000-memory.dmp

Filesize
512KB

Download
memory/1980-38-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/1980-39-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing