Overview

overview

10

Static

static

3

CatrinePer...rm.exe

windows7-x64

10

CatrinePer...rm.exe

windows10-2004-x64

10

CatrinePer...rm.exe

windows7-x64

10

CatrinePer...rm.exe

windows10-2004-x64

10

f_000004.js

windows7-x64

1

f_000004.js

windows10-2004-x64

1

f_00001c.js

windows7-x64

1

f_00001c.js

windows10-2004-x64

1

CatrinePer...9_0.js

windows7-x64

1

CatrinePer...9_0.js

windows10-2004-x64

1

CatrinePer...0_0.js

windows7-x64

1

CatrinePer...0_0.js

windows10-2004-x64

1

CatrinePer...Ex.dll

windows7-x64

1

CatrinePer...Ex.dll

windows10-2004-x64

1

CatrinePer...PC.dll

windows7-x64

1

CatrinePer...PC.dll

windows10-2004-x64

1

CatrinePer...ro.dll

windows7-x64

1

CatrinePer...ro.dll

windows10-2004-x64

1

CatrinePer...re.dll

windows7-x64

1

CatrinePer...re.dll

windows10-2004-x64

1

CatrinePer...ms.dll

windows7-x64

1

CatrinePer...ms.dll

windows10-2004-x64

1

CatrinePer...pf.dll

windows7-x64

1

CatrinePer...pf.dll

windows10-2004-x64

1

CatrinePer...rs.dll

windows7-x64

1

CatrinePer...rs.dll

windows10-2004-x64

1

CatrinePer...on.dll

windows7-x64

1

CatrinePer...on.dll

windows10-2004-x64

1

Revo_Unins...o5.ps1

windows7-x64

1

Revo_Unins...o5.ps1

windows10-2004-x64

1

Revo_Unins...up.exe

windows7-x64

7

Revo_Unins...up.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07-02-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CatrinePerm/CatrinePerm.exe

  • Size

    811KB

  • MD5

    5aabc1aaec4fe6297da47c8d327ddd29

  • SHA1

    ddfb19d827747f4ed4e59d4f2975f7017568e974

  • SHA256

    45df56d3bd73f3dd6ee05a8d77afd52d61012d1742cae6e42196f9f6f236f6d8

  • SHA512

    290b5f9e373b39f41b235ea09d90d026db38e0e63b7f660ff020d9c99819d7baa051fe5fae8221fc8eb5ac635a65de47ba127da2453e7d3a25f1ca337afb9fd6

  • SSDEEP

    12288:bwr+M1vyQiO+e7tmMjg4yDY7YjqhRNecqnfpQzt562ByZG3Xw5FP/umZtD1ryHsw:MzDE4Hzn2pstQEyZGw5F+SD1OHo6T

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

78.69.106.17:8000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Winrar.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe
    "C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
      "C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
      2⤵
      • Executes dropped EXE
      PID:2172
    • C:\Users\Admin\AppData\Roaming\winrar.exe
      "C:\Users\Admin\AppData\Roaming\winrar.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1184
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AC921BBD-26BC-4A5B-AE02-1010574A4041} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\ProgramData\Winrar.exe
      C:\ProgramData\Winrar.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:656
    • C:\ProgramData\Winrar.exe
      C:\ProgramData\Winrar.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    0910598e4367ee8acc2143a555dbafc4

    SHA1

    4a4d5f668d9eca34d7e37c39f8304ec3bf285611

    SHA256

    32e879f8222f44103d22d41acdf2d41ae4b2fdf3ce830cfea3277fe3ed89ea37

    SHA512

    d4030bb1e3f84761d6b7bd97936835db1a4969344ae2c85895c60aea62bd6c84cdef6348e6ca2782b5c2670ff929e727e8878a88ecf820dfafed64435b0094c1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\winrar.exe
    Filesize

    251KB

    MD5

    e10be4048c01cbdb578d684b1137cbd9

    SHA1

    e1848070b2840559524572f735f4df8e8fd2205d

    SHA256

    ae3e0d672c98c2c7afa877acd2e35b5867ae289eae42c28a909b3f5702108ea8

    SHA512

    22ef316c6989248c70e45611ccc9532e0ac687b6889657f9ad48627594fa4b10de6ad38132a9901ab96e1b832273f74a82181c949fd12fd0c8ac1b7de02488d5

    Download Submit

  • \Users\Admin\AppData\Roaming\CatrinePerm.exe
    Filesize

    139KB

    MD5

    10605ec186aacb6a4b3dde419cb0b5e5

    SHA1

    9c41040a4c238dec28c4f47bfb0a28a3cd4bf19d

    SHA256

    ca5b3ebffc2080fec7d44655069190b892e51e4bc4401c31f64a5a70d46f1ead

    SHA512

    1d48bbc5c965f098300ce5404269ea5b1694887531b9aa1e953755f631325946e4914405ae3cabfe13d222ddfde4b0368d446b9aad3956f345d6b142d6579a9d

    Download Submit

  • memory/656-76-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/656-74-0x0000000000B50000-0x0000000000B94000-memory.dmp

    Filesize

    272KB

    Download

  • memory/656-75-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/848-81-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/848-80-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/848-79-0x0000000001340000-0x0000000001384000-memory.dmp

    Filesize

    272KB

    Download

  • memory/952-1-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/952-0-0x00000000008B0000-0x000000000091A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/952-13-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1616-15-0x000000001B260000-0x000000001B2E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1616-12-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1616-52-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1616-14-0x0000000000A80000-0x0000000000AC4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1616-83-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1616-63-0x000000001B260000-0x000000001B2E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1668-51-0x0000000002A1B000-0x0000000002A82000-memory.dmp

    Filesize

    412KB

    Download

  • memory/1668-50-0x0000000002A10000-0x0000000002A90000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1668-49-0x000007FEEE670000-0x000007FEEF00D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1668-48-0x0000000002A10000-0x0000000002A90000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1668-47-0x000007FEEE670000-0x000007FEEF00D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1668-53-0x000007FEEE670000-0x000007FEEF00D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1948-64-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1948-59-0x000007FEEDCD0000-0x000007FEEE66D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1948-61-0x000007FEEDCD0000-0x000007FEEE66D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1948-62-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1948-60-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1948-65-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1948-66-0x000007FEEDCD0000-0x000007FEEE66D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2464-40-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2464-41-0x000007FEEDCD0000-0x000007FEEE66D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2464-39-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2464-38-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2464-37-0x000007FEEDCD0000-0x000007FEEE66D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2464-36-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2464-34-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2464-35-0x000007FEEDCD0000-0x000007FEEE66D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2464-33-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2592-27-0x000007FEEE670000-0x000007FEEF00D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2592-26-0x0000000002AA0000-0x0000000002B20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2592-25-0x0000000002AA0000-0x0000000002B20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2592-24-0x000007FEEE670000-0x000007FEEF00D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2592-23-0x0000000002AA0000-0x0000000002B20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2592-21-0x000007FEEE670000-0x000007FEEF00D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2592-22-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2592-20-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download