398d91f171775594561f530cd8852cf852b02a5147b905faabad162394810b1e

Resubmissions

02/09/2023, 23:27

230902-3fqhnsfg3s 7

02/09/2023, 23:11

230902-26mc9sff9z 7

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

136KB
MD5

400ac159bdf6bcd0d9edf4bdd26c1966
SHA1

9a67fb31a3b7fe4d4ac2c810c987f35d70be5f76
SHA256

398d91f171775594561f530cd8852cf852b02a5147b905faabad162394810b1e
SHA512

b21de56202385f5e3215e806111b03b122db205934be82590092f9422ae3d3e43351ac0a6a1651e156380d72a70301493447936b5d5687532574ce5afd2529e6
SSDEEP

1536:BVHIm3fE6UrdqKctZEitYy9mjEqw2jXsCdUrAhRYcJh4zHCvkbySEziTJ8rEHQCb:t6woIzCc4oJnZOj9O2nX3egzcIcTYg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2644	XClient.exe
2776	CatFN_Loader.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	loader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	powershell.exe
1140	powershell.exe
2644	XClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	XClient.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2644	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	XClient.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2644	2936	loader.exe	28
PID 2936 wrote to memory of 2644	2936	loader.exe	28
PID 2936 wrote to memory of 2644	2936	loader.exe	28
PID 2936 wrote to memory of 2776	2936	loader.exe	29
PID 2936 wrote to memory of 2776	2936	loader.exe	29
PID 2936 wrote to memory of 2776	2936	loader.exe	29
PID 2776 wrote to memory of 2676	2776	CatFN_Loader.exe	31
PID 2776 wrote to memory of 2676	2776	CatFN_Loader.exe	31
PID 2776 wrote to memory of 2676	2776	CatFN_Loader.exe	31
PID 2776 wrote to memory of 2808	2776	CatFN_Loader.exe	32
PID 2776 wrote to memory of 2808	2776	CatFN_Loader.exe	32
PID 2776 wrote to memory of 2808	2776	CatFN_Loader.exe	32
PID 2776 wrote to memory of 2664	2776	CatFN_Loader.exe	34
PID 2776 wrote to memory of 2664	2776	CatFN_Loader.exe	34
PID 2776 wrote to memory of 2664	2776	CatFN_Loader.exe	34
PID 2776 wrote to memory of 1724	2776	CatFN_Loader.exe	33
PID 2776 wrote to memory of 1724	2776	CatFN_Loader.exe	33
PID 2776 wrote to memory of 1724	2776	CatFN_Loader.exe	33
PID 2776 wrote to memory of 3040	2776	CatFN_Loader.exe	35
PID 2776 wrote to memory of 3040	2776	CatFN_Loader.exe	35
PID 2776 wrote to memory of 3040	2776	CatFN_Loader.exe	35
PID 2776 wrote to memory of 2920	2776	CatFN_Loader.exe	36
PID 2776 wrote to memory of 2920	2776	CatFN_Loader.exe	36
PID 2776 wrote to memory of 2920	2776	CatFN_Loader.exe	36
PID 2776 wrote to memory of 2640	2776	CatFN_Loader.exe	37
PID 2776 wrote to memory of 2640	2776	CatFN_Loader.exe	37
PID 2776 wrote to memory of 2640	2776	CatFN_Loader.exe	37
PID 2776 wrote to memory of 2904	2776	CatFN_Loader.exe	38
PID 2776 wrote to memory of 2904	2776	CatFN_Loader.exe	38
PID 2776 wrote to memory of 2904	2776	CatFN_Loader.exe	38
PID 2776 wrote to memory of 2912	2776	CatFN_Loader.exe	39
PID 2776 wrote to memory of 2912	2776	CatFN_Loader.exe	39
PID 2776 wrote to memory of 2912	2776	CatFN_Loader.exe	39
PID 2776 wrote to memory of 2536	2776	CatFN_Loader.exe	40
PID 2776 wrote to memory of 2536	2776	CatFN_Loader.exe	40
PID 2776 wrote to memory of 2536	2776	CatFN_Loader.exe	40
PID 2776 wrote to memory of 2616	2776	CatFN_Loader.exe	41
PID 2776 wrote to memory of 2616	2776	CatFN_Loader.exe	41
PID 2776 wrote to memory of 2616	2776	CatFN_Loader.exe	41
PID 2776 wrote to memory of 1360	2776	CatFN_Loader.exe	43
PID 2776 wrote to memory of 1360	2776	CatFN_Loader.exe	43
PID 2776 wrote to memory of 1360	2776	CatFN_Loader.exe	43
PID 2644 wrote to memory of 2688	2644	XClient.exe	44
PID 2644 wrote to memory of 2688	2644	XClient.exe	44
PID 2644 wrote to memory of 2688	2644	XClient.exe	44
PID 2644 wrote to memory of 1140	2644	XClient.exe	46
PID 2644 wrote to memory of 1140	2644	XClient.exe	46
PID 2644 wrote to memory of 1140	2644	XClient.exe	46

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Public\XClient.exe
  "C:\Users\Public\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Users\Public\CatFN_Loader.exe
  "C:\Users\Public\CatFN_Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0022b2f1085caa33c066f1290306a127

SHA1
04c79419167001e78f7b57a2be4e73774756bc46

SHA256
95442ba580115e39db66ecb025aacebaa241cfad2f2a26f1b7d01bfd52066700

SHA512
cae43da6ca45335e8ac30fffd07850ccdd9c3546ccbe68b8ff79016260b883ec6aa4b4fa4beb0c11523b00989742214c69475dab6a8159fbfc92e9dcd49a6b29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LV2P3GQYHPN2D05WVH3Y.temp

Filesize
7KB

MD5
0022b2f1085caa33c066f1290306a127

SHA1
04c79419167001e78f7b57a2be4e73774756bc46

SHA256
95442ba580115e39db66ecb025aacebaa241cfad2f2a26f1b7d01bfd52066700

SHA512
cae43da6ca45335e8ac30fffd07850ccdd9c3546ccbe68b8ff79016260b883ec6aa4b4fa4beb0c11523b00989742214c69475dab6a8159fbfc92e9dcd49a6b29

Download Submit
C:\Users\Public\CatFN_Loader.exe

Filesize
47KB

MD5
893e3a5e142dd9a60c4e266552189742

SHA1
b2c28a9afc06917c83fb40471bef55678536c2c3

SHA256
e41a0f77b58a92561b4e5b669a689dfbd91516b68e715705a7848554d2c7274b

SHA512
72db92655a20154d813155efe5af2c22ac782845002ee52460119b5e4cd0599c0f3be8c768eb456b3e6f8c63d40b3a57962003ab6c035944553f39a7ce972fc1

Download Submit
C:\Users\Public\XClient.exe

Filesize
75KB

MD5
538c972cbc1c1dcb719a97219bbf3814

SHA1
5fb9600425906b620195eaf99ef87f7a0b5589b8

SHA256
fb171b385febe127ac39470d49c414d782ec9cb6ac05ad086bb8f47805fe3556

SHA512
d888a0e6ffaff8e3bcd4f648d7f172162b26bf43df0b1b69189b6a7d5ea284e0c2ccbc0ffde81d07cd6b34edbabde3da4cbd10b9e33be025eb89868557882ecc

Download Submit
C:\Users\Public\XClient.exe

Filesize
75KB

MD5
538c972cbc1c1dcb719a97219bbf3814

SHA1
5fb9600425906b620195eaf99ef87f7a0b5589b8

SHA256
fb171b385febe127ac39470d49c414d782ec9cb6ac05ad086bb8f47805fe3556

SHA512
d888a0e6ffaff8e3bcd4f648d7f172162b26bf43df0b1b69189b6a7d5ea284e0c2ccbc0ffde81d07cd6b34edbabde3da4cbd10b9e33be025eb89868557882ecc

Download Submit
\Users\Public\CatFN_Loader.exe

Filesize
47KB

MD5
893e3a5e142dd9a60c4e266552189742

SHA1
b2c28a9afc06917c83fb40471bef55678536c2c3

SHA256
e41a0f77b58a92561b4e5b669a689dfbd91516b68e715705a7848554d2c7274b

SHA512
72db92655a20154d813155efe5af2c22ac782845002ee52460119b5e4cd0599c0f3be8c768eb456b3e6f8c63d40b3a57962003ab6c035944553f39a7ce972fc1

Download Submit
memory/1140-42-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1140-40-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1140-38-0x000007FEEE190000-0x000007FEEEB2D000-memory.dmp

Filesize
9.6MB

Download
memory/1140-39-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1140-36-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/1140-37-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1140-34-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/1140-35-0x000007FEEE190000-0x000007FEEEB2D000-memory.dmp

Filesize
9.6MB

Download
memory/1140-43-0x000007FEEE190000-0x000007FEEEB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2644-14-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-15-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/2644-12-0x00000000011E0000-0x00000000011FA000-memory.dmp

Filesize
104KB

Download
memory/2644-41-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/2644-26-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-25-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2688-23-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-22-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2688-21-0x000007FEEEB30000-0x000007FEEF4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-24-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2688-28-0x000007FEEEB30000-0x000007FEEF4CD000-memory.dmp

Filesize
9.6MB

Download
memory/2688-27-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2776-16-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2936-13-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2936-0-0x00000000012F0000-0x0000000001318000-memory.dmp

Filesize
160KB

Download
memory/2936-1-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download