File name: NinjaUI-Setup-v2.0.exe
Full analysis: https://app.any.run/tasks/431e1547-acce-41c1-ba04-bfab8934993d
Verdict: Malicious activity
Analysis date: August 04, 2024, 08:16:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, api-base64
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AAA0815A139A84B11E846705E05BC814
SHA1: 77D07CC005E031A6782F6AB7D44A30E035F68FE7
SHA256: 284FF705A6CD2A91A146DC23E70967E12E6EF18A01DD9013CFE05A2B16FBAE68
SSDEEP: 49152:L0eMNSUY82nPHX297MLqZAE8fczoJqVl/wdIDjCnHXfQTNLvbuyYWW7NkfUM7MH7:AeMNxgo7MEAnioeDDjC3fYNLvYbN9O9Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
    • Executable content was dropped or overwritten

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
    • Reads the date of Windows installation

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
    • There is functionality for taking screenshot (YARA)

      • NinjaUI-Setup.exe (PID: 6584)
      • NinjaUI.exe (PID: 5040)
  • INFO

    • Checks supported languages

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
      • NinjaUI.exe (PID: 5040)
    • Reads the computer name

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
      • NinjaUI.exe (PID: 5040)
    • Create files in a temporary directory

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
    • Process checks computer location settings

      • NinjaUI-Setup-v2.0.exe (PID: 6496)
      • NinjaUI-Setup.exe (PID: 6584)
    • Reads the machine GUID from the registry

      • NinjaUI-Setup.exe (PID: 6584)
      • NinjaUI.exe (PID: 5040)
    • Reads Environment values

      • NinjaUI-Setup.exe (PID: 6584)
      • NinjaUI.exe (PID: 5040)
    • Disables trace logs

      • NinjaUI-Setup.exe (PID: 6584)
      • NinjaUI.exe (PID: 5040)
    • Reads the software policy settings

      • NinjaUI-Setup.exe (PID: 6584)
      • NinjaUI.exe (PID: 5040)
    • Checks proxy server information

      • NinjaUI.exe (PID: 5040)
      • NinjaUI-Setup.exe (PID: 6584)
    • Creates files in the program directory

      • NinjaUI.exe (PID: 5040)
      • NinjaUI-Setup.exe (PID: 6584)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • NinjaUI.exe (PID: 5040)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:03 07:51:24+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 167936
InitializedDataSize: 344064
UninitializedDataSize: -
EntryPoint: 0x16f40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 121
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process tree)

start
  ninjaui-setup-v2.0.exe
    ninjaui-setup.exe (no specs)
    ninjaui-setup.exe (THREAT)
      ninjaui.exe (THREAT)

Process information

PID | CMD | Path | Parent process

5040 | "C:\Program Files\NinjaUI\NinjaUI.exe" | C:\Program Files\NinjaUI\NinjaUI.exe | NinjaUI-Setup.exe
User: admin
Company: NinjaUI Software
Integrity Level: HIGH
Description: NinjaUI
Version: 1.0.0.0
Modules (Images):
  • c:\program files\ninjaui\ninjaui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

6496 | "C:\Users\admin\Desktop\NinjaUI-Setup-v2.0.exe" | C:\Users\admin\Desktop\NinjaUI-Setup-v2.0.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
  • c:\users\admin\desktop\ninjaui-setup-v2.0.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\oleaut32.dll

6536 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe | NinjaUI-Setup-v2.0.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
  • c:\users\admin\appdata\local\temp\rarsfx0\ninjaui-setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

6584 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe | NinjaUI-Setup-v2.0.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
  • c:\users\admin\appdata\local\temp\rarsfx0\ninjaui-setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
Total events: 13 202
Read events: 13 149
Write events: 53
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value

(6496) NinjaUI-Setup-v2.0.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
(6496) NinjaUI-Setup-v2.0.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
(6496) NinjaUI-Setup-v2.0.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
(6496) NinjaUI-Setup-v2.0.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
(6584) NinjaUI-Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | EnableConsoleTracing | 0
(6584) NinjaUI-Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NinjaUI-Setup_RASAPI32 | EnableFileTracing | 0
(6584) NinjaUI-Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NinjaUI-Setup_RASAPI32 | EnableAutoFileTracing | 0
(6584) NinjaUI-Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NinjaUI-Setup_RASAPI32 | EnableConsoleTracing | 0
(6584) NinjaUI-Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NinjaUI-Setup_RASAPI32 | FileTracingMask |
(6584) NinjaUI-Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NinjaUI-Setup_RASAPI32 | ConsoleTracingMask |
Executable files: 11
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6496 | NinjaUI-Setup-v2.0.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\NinjaUI-Setup.exe | executable
  MD5: BA506F8678F4D9FBB99DDA4BEACDB7F3
  SHA256: 293CBE499C9225CD140993E77C42F76A2F06EF0B59739659B3C1BAB727D5750F
6584 | NinjaUI-Setup.exe | C:\Program Files\NinjaUI\DiscordRPC.dll | executable
  MD5: 3956130E36754F184A0443C850F708F8
  SHA256: 25C39F91F737D80040C72C9E3F95DB0FECE1C9653F501828ADC16CFB1EC59D26
6584 | NinjaUI-Setup.exe | C:\Program Files\NinjaUI\Credits.txt | text
  MD5: 1ECC92D9BFB55EB7C862E93D81602832
  SHA256: D55CB4B71C873422A07438C4FF3DC95DD3128CA974D63D795B480FD8BF26971B
5040 | NinjaUI.exe | C:\Program Files\NinjaUI\nui-logs.log | text
  MD5: A812E24790C8DCF9203F9F6AA3D2AB91
  SHA256: F96FD40FE314BD7132136B38EE17B8EAA2E2ADD360F1990D926005D1A9DE46D1
6584 | NinjaUI-Setup.exe | C:\Program Files\NinjaUI\Guna.UI2.dll | executable
  MD5: C97F23B52087CFA97985F784EA83498F
  SHA256: E658E8A5616245DBE655E194B59F1BB704AAEAFBD0925D6EEBBE70555A638CDD
6584 | NinjaUI-Setup.exe | C:\Users\admin\Desktop\NinjaUI.lnk | binary
  MD5: 1DADC9FF396F11825D7C0FB39CC870E4
  SHA256: C3B1285C9D24B11331E5F294C4AB9D2FBE2FB8E1A94890445E3083E0ABAF735D
6584 | NinjaUI-Setup.exe | C:\Program Files\NinjaUI\NinjaLLInjector64.exe | executable
  MD5: AA0FBEFD978B88384A9F822858877357
  SHA256: F09C016D88F126C2866FFFF522716328F250AF1D9F0708F1EFEEADCD2DB4C5EB
6584 | NinjaUI-Setup.exe | C:\Program Files\NinjaUI\NinjaMapInjector64.exe | executable
  MD5: A4913BC1CD796344B5C4006A5D92C44D
  SHA256: BA90A9883FBA25DA4AE906DFFFC21265378FD36DF15DE8A685C8D24906190604
6584 | NinjaUI-Setup.exe | C:\Program Files\NinjaUI\NinjaLLInjector32.exe | executable
  MD5: A4395C6BD025D170812F12C0A474E856
  SHA256: CD7CEC5AAE1B795E5AD194AF84F213B130EC4F20D45E07CECADAEC3D0EAC8FC7
6496 | NinjaUI-Setup-v2.0.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Guna.UI2.dll | executable
  MD5: C97F23B52087CFA97985F784EA83498F
  SHA256: E658E8A5616245DBE655E194B59F1BB704AAEAFBD0925D6EEBBE70555A638CDD
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

 | | GET | 200 | 172.67.68.3:443 | https://ninjaui.net/ | unknown | html | 76.3 Kb |
 | | POST | 200 | 172.67.68.3:443 | https://api.ninjaui.net/ | unknown | binary | 44 b |
 | | POST | 400 | 104.26.13.77:443 | https://auth.ninjaui.net/ | unknown | binary | 51 b |
 | | POST | 200 | 104.26.12.77:443 | https://api.ninjaui.net/?getSettings&token=12d4f735e6b341d2a7f5b6545c89d7cfc1ae86a2f12e9e0c7b5e67c9fa1e7bcd | unknown | text | 646 b |
 | | GET | 200 | 104.26.12.77:443 | https://ninjaui.net/ | unknown | html | 76.3 Kb |
 | | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/ZeroByteZDev/NinjaUI-FIles/main/NinjaUI2-Package.zip | unknown | compressed | 1.42 Mb |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

5600 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1248 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5600 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6584 | NinjaUI-Setup.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 142.250.184.238 | whitelisted
raw.githubusercontent.com | 185.199.111.133, 185.199.109.133, 185.199.108.133, 185.199.110.133 | shared
ninjaui.net | 104.26.13.77, 104.26.12.77, 172.67.68.3 | unknown
api.ninjaui.net | 104.26.12.77, 172.67.68.3, 104.26.13.77 | unknown
auth.ninjaui.net | 104.26.12.77, 172.67.68.3, 104.26.13.77 | unknown

Threats

PID | Process | Class | Message

2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
 | | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET)
No debug info