bf5debbf7b62117ac060513276fa0fdd91d403e62340b50e27db630be5a312f3

Analysis

max time kernel
78s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 21:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NinjaCS_v1.2_[unknowncheats.me]_.exe
Size

3.5MB
MD5

c79ab0b486d21917a4d8a36d1239447a
SHA1

034837082d0d1021b2776fa7cd7ca4985f48f6ca
SHA256

bf5debbf7b62117ac060513276fa0fdd91d403e62340b50e27db630be5a312f3
SHA512

0e40d8f30d1be45e1273e6d91bee94f6a25f663b304c709fe14611af0511e0c24d298fd095e951f78e17bc59f04318ddf19cdcfacc7fc188998ca8028eaedfeb
SSDEEP

98304:Fcb+6LNja7lCx0BVgezCxFvrHvGopcZqrf:FcRL05+ezCxFPGyca

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NinjaCS_v1.2_[unknowncheats.me]_.exe

Executes dropped EXE 1 IoCs

pid	Process
4568	NinjaCS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NinjaCS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	NinjaCS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NinjaCS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NinjaCS.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NinjaCS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	NinjaCS.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NinjaCS.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4568	NinjaCS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	NinjaCS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4568	NinjaCS.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4568	964	NinjaCS_v1.2_[unknowncheats.me]_.exe	91
PID 964 wrote to memory of 4568	964	NinjaCS_v1.2_[unknowncheats.me]_.exe	91

C:\Users\Admin\AppData\Local\Temp\NinjaCS_v1.2_[unknowncheats.me]_.exe
"C:\Users\Admin\AppData\Local\Temp\NinjaCS_v1.2_[unknowncheats.me]_.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HandyControl.dll

Filesize
1.7MB

MD5
7721007a7009690c5bfba1c4e3f56c25

SHA1
bf0644114d3b8cc7104993d697f456724a4549f8

SHA256
858f82fa07f161bccb3ac14addb3efd44542bc957d8e203b7d468f19441980b4

SHA512
488f60b2df9fbb47d434ab4e6b7db917e6b24d7a6e3c09f4e1e1f9fc0fdd88968450773113d6a18d78b6898f8fba0ee2313ecb828d6fe3b65ffc994078f816fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NinjaCS.exe

Filesize
2.4MB

MD5
a5617a7aebcc8ba33f03c606308ca416

SHA1
c86aa606c501067e4082715d5289b5b4abafc069

SHA256
58bf6217a2a8a0af0b9eb7e961bc6f391cb501da8aabfa903661aca5fd30b930

SHA512
3e7841e497f18e1d3b7d163c3426965e110cb68d60ef72d1a147a25e0db9c25c34bb29bf4b642a0004e52e161cb7e36552ae4eaf7b72fb05a9fb0a9e39630751

Download Submit
memory/4568-33-0x0000020225D90000-0x0000020225E4A000-memory.dmp

Filesize
744KB

Download
memory/4568-36-0x0000020225E60000-0x0000020225E68000-memory.dmp

Filesize
32KB

Download
memory/4568-29-0x00007FFE8BB90000-0x00007FFE8C651000-memory.dmp

Filesize
10.8MB

Download
memory/4568-32-0x0000020225E90000-0x0000020226050000-memory.dmp

Filesize
1.8MB

Download
memory/4568-28-0x000002020A5A0000-0x000002020A808000-memory.dmp

Filesize
2.4MB

Download
memory/4568-34-0x0000020225CC0000-0x0000020225CD0000-memory.dmp

Filesize
64KB

Download
memory/4568-35-0x0000020225CC0000-0x0000020225CD0000-memory.dmp

Filesize
64KB

Download
memory/4568-30-0x0000020225CC0000-0x0000020225CD0000-memory.dmp

Filesize
64KB

Download
memory/4568-37-0x0000020225CC0000-0x0000020225CD0000-memory.dmp

Filesize
64KB

Download
memory/4568-38-0x00000202264B0000-0x00000202264E8000-memory.dmp

Filesize
224KB

Download
memory/4568-39-0x0000020225E80000-0x0000020225E8E000-memory.dmp

Filesize
56KB

Download
memory/4568-41-0x00007FFE8BB90000-0x00007FFE8C651000-memory.dmp

Filesize
10.8MB

Download
memory/4568-42-0x0000020225CC0000-0x0000020225CD0000-memory.dmp

Filesize
64KB

Download
memory/4568-43-0x0000020225CC0000-0x0000020225CD0000-memory.dmp

Filesize
64KB

Download