Overview

Task                      Platform            Score
overview                  -                   10
static                    -                   3
CatrinePer...rm.exe       windows7-x64        10
CatrinePer...rm.exe       windows10-2004-x64  10
CatrinePer...rm.exe       windows7-x64        10
CatrinePer...rm.exe       windows10-2004-x64  10
f_000004.js               windows7-x64        1
f_000004.js               windows10-2004-x64  1
f_00001c.js               windows7-x64        1
f_00001c.js               windows10-2004-x64  1
CatrinePer...9_0.js       windows7-x64        1
CatrinePer...9_0.js       windows10-2004-x64  1
CatrinePer...0_0.js       windows7-x64        1
CatrinePer...0_0.js       windows10-2004-x64  1
CatrinePer...Ex.dll       windows7-x64        1
CatrinePer...Ex.dll       windows10-2004-x64  1
CatrinePer...PC.dll       windows7-x64        1
CatrinePer...PC.dll       windows10-2004-x64  1
CatrinePer...ro.dll       windows7-x64        1
CatrinePer...ro.dll       windows10-2004-x64  1
CatrinePer...re.dll       windows7-x64        1
CatrinePer...re.dll       windows10-2004-x64  1
CatrinePer...ms.dll       windows7-x64        1
CatrinePer...ms.dll       windows10-2004-x64  1
CatrinePer...pf.dll       windows7-x64        1
CatrinePer...pf.dll       windows10-2004-x64  1
CatrinePer...rs.dll       windows7-x64        1
CatrinePer...rs.dll       windows10-2004-x64  1
CatrinePer...on.dll       windows7-x64        1
CatrinePer...on.dll       windows10-2004-x64  1
Revo_Unins...o5.ps1       windows7-x64        1
Revo_Unins...o5.ps1       windows10-2004-x64  1
Revo_Unins...up.exe       windows7-x64        7
Revo_Unins...up.exe       windows10-2004-x64  7

Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-02-2024 17:30
Static task: static1

Behavioral tasks

Task          Sample                                                                                   Resource
behavioral1   CatrinePerm/CatrinePerm.exe                                                              win7-20231129-en
behavioral2   CatrinePerm/CatrinePerm.exe                                                              win10v2004-20231215-en
behavioral3   CatrinePerm/CatrinePerm.exe                                                              win7-20231129-en
behavioral4   CatrinePerm/CatrinePerm.exe                                                              win10v2004-20231215-en
behavioral5   f_000004.js                                                                              win7-20231129-en
behavioral6   f_000004.js                                                                              win10v2004-20231222-en
behavioral7   f_00001c.js                                                                              win7-20231215-en
behavioral8   f_00001c.js                                                                              win10v2004-20231215-en
behavioral9   CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js   win7-20231215-en
behavioral10  CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js   win10v2004-20231215-en
behavioral11  CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js   win7-20231215-en
behavioral12  CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js   win10v2004-20231215-en
behavioral13  CatrinePerm/ControlzEx.dll                                                               win7-20231215-en
behavioral14  CatrinePerm/ControlzEx.dll                                                               win10v2004-20231215-en
behavioral15  CatrinePerm/DiscordRPC.dll                                                               win7-20231215-en
behavioral16  CatrinePerm/DiscordRPC.dll                                                               win10v2004-20231215-en
behavioral17  CatrinePerm/MahApps.Metro.dll                                                            win7-20231129-en
behavioral18  CatrinePerm/MahApps.Metro.dll                                                            win10v2004-20231215-en
behavioral19  CatrinePerm/Microsoft.Web.WebView2.Core.dll                                              win7-20231215-en
behavioral20  CatrinePerm/Microsoft.Web.WebView2.Core.dll                                              win10v2004-20231222-en
behavioral21  CatrinePerm/Microsoft.Web.WebView2.WinForms.dll                                          win7-20231215-en
behavioral22  CatrinePerm/Microsoft.Web.WebView2.WinForms.dll                                          win10v2004-20231222-en
behavioral23  CatrinePerm/Microsoft.Web.WebView2.Wpf.dll                                               win7-20231215-en
behavioral24  CatrinePerm/Microsoft.Web.WebView2.Wpf.dll                                               win10v2004-20231215-en
behavioral25  CatrinePerm/Microsoft.Xaml.Behaviors.dll                                                 win7-20231215-en
behavioral26  CatrinePerm/Microsoft.Xaml.Behaviors.dll                                                 win10v2004-20231215-en
behavioral27  CatrinePerm/Newtonsoft.Json.dll                                                          win7-20231215-en
behavioral28  CatrinePerm/Newtonsoft.Json.dll                                                          win10v2004-20231215-en
behavioral29  Revo_Uninstaller_Pro_5.1.1/Crack/revouninstallerpro5.ps1                                 win7-20231215-en
behavioral30  Revo_Uninstaller_Pro_5.1.1/Crack/revouninstallerpro5.ps1                                 win10v2004-20231222-en
behavioral31  Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe                                          win7-20231129-en
behavioral32  Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe                                          win10v2004-20231222-en
General
- Target: CatrinePerm/CatrinePerm.exe
- Size: 811KB
- MD5: 5aabc1aaec4fe6297da47c8d327ddd29
- SHA1: ddfb19d827747f4ed4e59d4f2975f7017568e974
- SHA256: 45df56d3bd73f3dd6ee05a8d77afd52d61012d1742cae6e42196f9f6f236f6d8
- SHA512: 290b5f9e373b39f41b235ea09d90d026db38e0e63b7f660ff020d9c99819d7baa051fe5fae8221fc8eb5ac635a65de47ba127da2453e7d3a25f1ca337afb9fd6
- SSDEEP: 12288:bwr+M1vyQiO+e7tmMjg4yDY7YjqhRNecqnfpQzt562ByZG3Xw5FP/umZtD1ryHsw:MzDE4Hzn2pstQEyZGw5F+SD1OHo6T
Malware Config

Extracted family: xworm
- C2: 78.69.106.17:8000
- Install_directory: %ProgramData%
- install_file: Winrar.exe
Signatures

- Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\winrar.exe | family_xworm
  behavioral1/memory/1616-14-0x0000000000A80000-0x0000000000AC4000-memory.dmp | family_xworm
  behavioral1/memory/656-74-0x0000000000B50000-0x0000000000B94000-memory.dmp | family_xworm
  behavioral1/memory/848-79-0x0000000001340000-0x0000000001384000-memory.dmp | family_xworm

- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk | winrar.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk | winrar.exe

- Executes dropped EXE (4 IoCs)
  pid | process
  2172 | CatrinePerm.exe
  1616 | winrar.exe
  656 | Winrar.exe
  848 | Winrar.exe

- Loads dropped DLL (1 IoC)
  pid | process
  952 | CatrinePerm.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winrar = "C:\\ProgramData\\Winrar.exe" | winrar.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  2592 | powershell.exe
  2464 | powershell.exe
  1668 | powershell.exe
  1948 | powershell.exe
  1616 | winrar.exe

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1616 | winrar.exe
  Token: SeDebugPrivilege | 2592 | powershell.exe
  Token: SeDebugPrivilege | 2464 | powershell.exe
  Token: SeDebugPrivilege | 1668 | powershell.exe
  Token: SeDebugPrivilege | 1948 | powershell.exe
  Token: SeDebugPrivilege | 1616 | winrar.exe
  Token: SeDebugPrivilege | 656 | Winrar.exe
  Token: SeDebugPrivilege | 848 | Winrar.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1616 | winrar.exe

- Suspicious use of WriteProcessMemory (27 IoCs; each parent/child pair below is recorded three times in the report)
  source pid (process) | target pid (process)
  952 (CatrinePerm.exe) | 2172 (CatrinePerm.exe)
  952 (CatrinePerm.exe) | 1616 (winrar.exe)
  1616 (winrar.exe) | 2592 (powershell.exe)
  1616 (winrar.exe) | 2464 (powershell.exe)
  1616 (winrar.exe) | 1668 (powershell.exe)
  1616 (winrar.exe) | 1948 (powershell.exe)
  1616 (winrar.exe) | 1184 (schtasks.exe)
  684 (taskeng.exe) | 656 (Winrar.exe)
  684 (taskeng.exe) | 848 (Winrar.exe)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe (PID 952)
  command line: "C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\CatrinePerm.exe (PID 2172)
    command line: "C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
    signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\winrar.exe (PID 1616)
    command line: "C:\Users\Admin\AppData\Roaming\winrar.exe"
    signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2592)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\winrar.exe'
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2464)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winrar.exe'
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1668)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1948)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (PID 1184)
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
      signatures: Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe (PID 684)
  command line: taskeng.exe {AC921BBD-26BC-4A5B-AE02-1010574A4041} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\Winrar.exe (PID 656)
    command line: C:\ProgramData\Winrar.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\Winrar.exe (PID 848)
    command line: C:\ProgramData\Winrar.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0910598e4367ee8acc2143a555dbafc4
  SHA1: 4a4d5f668d9eca34d7e37c39f8304ec3bf285611
  SHA256: 32e879f8222f44103d22d41acdf2d41ae4b2fdf3ce830cfea3277fe3ed89ea37
  SHA512: d4030bb1e3f84761d6b7bd97936835db1a4969344ae2c85895c60aea62bd6c84cdef6348e6ca2782b5c2670ff929e727e8878a88ecf820dfafed64435b0094c1

- (no path recorded)
  Filesize: 251KB
  MD5: e10be4048c01cbdb578d684b1137cbd9
  SHA1: e1848070b2840559524572f735f4df8e8fd2205d
  SHA256: ae3e0d672c98c2c7afa877acd2e35b5867ae289eae42c28a909b3f5702108ea8
  SHA512: 22ef316c6989248c70e45611ccc9532e0ac687b6889657f9ad48627594fa4b10de6ad38132a9901ab96e1b832273f74a82181c949fd12fd0c8ac1b7de02488d5

- (no path recorded)
  Filesize: 139KB
  MD5: 10605ec186aacb6a4b3dde419cb0b5e5
  SHA1: 9c41040a4c238dec28c4f47bfb0a28a3cd4bf19d
  SHA256: ca5b3ebffc2080fec7d44655069190b892e51e4bc4401c31f64a5a70d46f1ead
  SHA512: 1d48bbc5c965f098300ce5404269ea5b1694887531b9aa1e953755f631325946e4914405ae3cabfe13d222ddfde4b0368d446b9aad3956f345d6b142d6579a9d