1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761

General

Target

1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe
Size

3.6MB
MD5

87fac3b9eed8f1ef7bc3c693e3e720f0
SHA1

aba93af0cd7b752af7a0f7dda6aff3b58b0dd4a5
SHA256

1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761
SHA512

3586e7f370ba4ec4c801fa0bdad29f0fef859618595e1acc617061d468752c5a9b60e1e0db09815c2f5897907ddce4f83d569fcb5ec023e53330a2c933e1adb3
SSDEEP

98304:nFqtQT5m7w749osz+IMWcAwJ4+3cSGTVhRsr+Ep90+:nFqtQtEpz+IMWCbGTvRsav+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2148	Desktop.exe
2984	NINJA HEX C++2.exe
2164	NINJA HEX C++.exe
2600	BOOT.exe
2440	BOOT.bat

Loads dropped DLL 4 IoCs

pid	Process
1768	1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe
2148	Desktop.exe
2984	NINJA HEX C++2.exe
2148	Desktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOT.bat

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2148	1768	1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe	30
PID 1768 wrote to memory of 2148	1768	1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe	30
PID 1768 wrote to memory of 2148	1768	1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe	30
PID 2148 wrote to memory of 2984	2148	Desktop.exe	31
PID 2148 wrote to memory of 2984	2148	Desktop.exe	31
PID 2148 wrote to memory of 2984	2148	Desktop.exe	31
PID 2984 wrote to memory of 2164	2984	NINJA HEX C++2.exe	32
PID 2984 wrote to memory of 2164	2984	NINJA HEX C++2.exe	32
PID 2984 wrote to memory of 2164	2984	NINJA HEX C++2.exe	32
PID 2148 wrote to memory of 2600	2148	Desktop.exe	33
PID 2148 wrote to memory of 2600	2148	Desktop.exe	33
PID 2148 wrote to memory of 2600	2148	Desktop.exe	33
PID 2600 wrote to memory of 2440	2600	BOOT.exe	34
PID 2600 wrote to memory of 2440	2600	BOOT.exe	34
PID 2600 wrote to memory of 2440	2600	BOOT.exe	34
PID 2600 wrote to memory of 2440	2600	BOOT.exe	34

C:\Users\Admin\AppData\Local\Temp\1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe
"C:\Users\Admin\AppData\Local\Temp\1792d9330a4d7ac77830f2b13e4b1d05253ea9f4ff16417c9f7b4cae539bc761N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\NINJA HEX C++2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\NINJA HEX C++2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\NINJA HEX C++.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\NINJA HEX C++.exe"
      4⤵
      Executes dropped EXE
      PID:2164
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BOOT.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BOOT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BOOT.bat
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BOOT.bat"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BOOT.bat

Filesize
92KB

MD5
3de541f8f8234db458b087cd8bbb126b

SHA1
a23d744d24c6fe9460da82c49b4d7d6714283e34

SHA256
e896e1cfcefc877c0445e5a88e53f06d35d0fe6396f581fdc5c794365d5a9b36

SHA512
5e569df70aedf777171cce0de88fd1e8d79dce14a73238fa4195ad582aad0096aacb783177155b1c511c172af4425696f7f45363d936501fffafe04378e02d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\NINJA HEX C++.exe

Filesize
5.4MB

MD5
e1a4bccaad7e5b3a91fbdaf47a5a95e1

SHA1
4f09efcecf39146a7b6e449b761c7d5545449c0a

SHA256
5ece19586f5196eed5c2c75b28a7a3d10c34765e4e3d84cc67768ad3732adf84

SHA512
46f2f105ba0a801c67feaeba3e0955633405c73f361b746b65e2c273a88347b02df3c091d860f0e7d33385e43cfc5a81968a3a025ac865ee8f3d948a4722682e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Desktop.exe

Filesize
3.4MB

MD5
df1af936febd99db26fe61a3dca9b33a

SHA1
e514e61f86870775611b42c99cf2044a5c43c6ed

SHA256
47ed51e619d18ff3a1cc82afc2867e359baac0fea328ea6e74bd9092ecad8df9

SHA512
25a99ebd0c48671939fe1fd5b8adcb1a717582b293499ad886e3d70d5f1b0a9166aac34292028a711c3b50f65ae8b61032ac049125026acd20dc36ec7270643c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\BOOT.exe

Filesize
471KB

MD5
7534d80413d772ee66b358dfde368e55

SHA1
ac00a7f005ed97338b2f8892b8186cc6a4347f80

SHA256
7eebb0469e1cad2496882bba3626b376826964ae5c25692d401a889752ed839a

SHA512
31031a99109786de85213557b3bf6d544eaf6ccdc5de96904974e73ae343066b5844d90210a8a01b55913a7b828d9cfb759ad33f99970bee0d95f792d4076b96

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\NINJA HEX C++2.exe

Filesize
3.0MB

MD5
ce7c8c2972ef80850d2ed285915b30c4

SHA1
ae500b2f55c8a2dce7fdf3575b59515c30a4802f

SHA256
ef943afc0231fe470a83bb2151fda55b9a02f6858ed54c6788783c430545cbfd

SHA512
fb658304096b54e4cfcf121a762af784afcb8df1ace7d4368a2f8e8b4f158ac7cd4a4ffa8b4b7aa17360717f3fdc911b4e7d2182be3481e7cb0038ec00a9bea7

Download Submit

Analysis

Sharing