Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 07-02-2024 17:30
Static task
static1

Behavioral tasks (sample, resource):
behavioral1: CatrinePerm/CatrinePerm.exe (resource: win7-20231129-en)
behavioral2: CatrinePerm/CatrinePerm.exe (resource: win10v2004-20231215-en)
behavioral3: CatrinePerm/CatrinePerm.exe (resource: win7-20231129-en)
behavioral4: CatrinePerm/CatrinePerm.exe (resource: win10v2004-20231215-en)
behavioral5: f_000004.js (resource: win7-20231129-en)
behavioral6: f_000004.js (resource: win10v2004-20231222-en)
behavioral7: f_00001c.js (resource: win7-20231215-en)
behavioral8: f_00001c.js (resource: win10v2004-20231215-en)
behavioral9: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js (resource: win7-20231215-en)
behavioral10: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js (resource: win10v2004-20231215-en)
behavioral11: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js (resource: win7-20231215-en)
behavioral12: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js (resource: win10v2004-20231215-en)
behavioral13: CatrinePerm/ControlzEx.dll (resource: win7-20231215-en)
behavioral14: CatrinePerm/ControlzEx.dll (resource: win10v2004-20231215-en)
behavioral15: CatrinePerm/DiscordRPC.dll (resource: win7-20231215-en)
behavioral16: CatrinePerm/DiscordRPC.dll (resource: win10v2004-20231215-en)
behavioral17: CatrinePerm/MahApps.Metro.dll (resource: win7-20231129-en)
behavioral18: CatrinePerm/MahApps.Metro.dll (resource: win10v2004-20231215-en)
behavioral19: CatrinePerm/Microsoft.Web.WebView2.Core.dll (resource: win7-20231215-en)
behavioral20: CatrinePerm/Microsoft.Web.WebView2.Core.dll (resource: win10v2004-20231222-en)
behavioral21: CatrinePerm/Microsoft.Web.WebView2.WinForms.dll (resource: win7-20231215-en)
behavioral22: CatrinePerm/Microsoft.Web.WebView2.WinForms.dll (resource: win10v2004-20231222-en)
behavioral23: CatrinePerm/Microsoft.Web.WebView2.Wpf.dll (resource: win7-20231215-en)
behavioral24: CatrinePerm/Microsoft.Web.WebView2.Wpf.dll (resource: win10v2004-20231215-en)
behavioral25: CatrinePerm/Microsoft.Xaml.Behaviors.dll (resource: win7-20231215-en)
behavioral26: CatrinePerm/Microsoft.Xaml.Behaviors.dll (resource: win10v2004-20231215-en)
behavioral27: CatrinePerm/Newtonsoft.Json.dll (resource: win7-20231215-en)
behavioral28: CatrinePerm/Newtonsoft.Json.dll (resource: win10v2004-20231215-en)
behavioral29: Revo_Uninstaller_Pro_5.1.1/Crack/revouninstallerpro5.ps1 (resource: win7-20231215-en)
behavioral30: Revo_Uninstaller_Pro_5.1.1/Crack/revouninstallerpro5.ps1 (resource: win10v2004-20231222-en)
behavioral31: Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe (resource: win7-20231129-en)
behavioral32: Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe (resource: win10v2004-20231222-en)
General
Target: CatrinePerm/CatrinePerm.exe
Size: 401KB
MD5: 9507155d937399149aa9078a3e87a155
SHA1: fc849d158401ef8c2c70589d7d96d82c061e171e
SHA256: b8966ebd8b18c419d14cc7586009c2ab1bf1a08a438d49058bea5bd076fb8a34
SHA512: f11ac8157a7a3e52f957f6fd444c0fdaad89295890d8474576e1af93ece65e804a019cde8ce4c2c7bb610debc6c252ae604f87419dc32f994574d1171fdca42b
SSDEEP: 6144:ADxYwup0zGAc6Y4PWGFrzaN1tM06g51Ejxm7brM0Nfm2Wm5geB5MNXHHHHHHHRHr:AdYr4Gj6OGkpsoM4fm2WmOI5fa/
Malware Config
Extracted
xworm
78.69.106.17:8000
Install_directory: %ProgramData%
install_file: Winrar.exe
Signatures

Detect Xworm Payload (5 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\winrar.exe | family_xworm
behavioral3/memory/668-12-0x0000000000CD0000-0x0000000000D14000-memory.dmp | family_xworm
behavioral3/memory/1672-77-0x0000000000E90000-0x0000000000ED4000-memory.dmp | family_xworm
behavioral3/memory/3060-83-0x0000000001280000-0x00000000012C4000-memory.dmp | family_xworm
behavioral3/memory/3060-85-0x000000001B080000-0x000000001B100000-memory.dmp | family_xworm

Drops startup file (3 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk | Winrar.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk | winrar.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk | winrar.exe

Executes dropped EXE (4 IoCs)
pid | process
2172 | CatrinePerm.exe
668 | winrar.exe
1672 | Winrar.exe
3060 | Winrar.exe

Loads dropped DLL (1 IoC)
pid | process
912 | CatrinePerm.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winrar = "C:\\ProgramData\\Winrar.exe" | Winrar.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winrar = "C:\\ProgramData\\Winrar.exe" | winrar.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com
8 | ip-api.com

Drops file in System32 directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
1532 | schtasks.exe
1708 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | process
2704 | powershell.exe
2524 | powershell.exe
2160 | powershell.exe
2688 | powershell.exe
668 | winrar.exe
1668 | powershell.exe
2924 | powershell.exe
2044 | powershell.exe
3060 | Winrar.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | process
Token: SeDebugPrivilege | 668 | winrar.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 2524 | powershell.exe
Token: SeDebugPrivilege | 2160 | powershell.exe
Token: SeDebugPrivilege | 2688 | powershell.exe
Token: SeDebugPrivilege | 668 | winrar.exe
Token: SeDebugPrivilege | 1672 | Winrar.exe
Token: SeDebugPrivilege | 3060 | Winrar.exe
Token: SeDebugPrivilege | 1668 | powershell.exe
Token: SeDebugPrivilege | 2924 | powershell.exe
Token: SeDebugPrivilege | 2044 | powershell.exe
Token: SeDebugPrivilege | 3060 | Winrar.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
668 | winrar.exe
3060 | Winrar.exe

Suspicious use of WriteProcessMemory (42 IoCs; each row below appears three times in the report)
description | pid | process | target process
PID 912 wrote to memory of 2172 | 912 | CatrinePerm.exe | CatrinePerm.exe
PID 912 wrote to memory of 668 | 912 | CatrinePerm.exe | winrar.exe
PID 668 wrote to memory of 2704 | 668 | winrar.exe | powershell.exe
PID 668 wrote to memory of 2524 | 668 | winrar.exe | powershell.exe
PID 668 wrote to memory of 2160 | 668 | winrar.exe | powershell.exe
PID 668 wrote to memory of 2688 | 668 | winrar.exe | powershell.exe
PID 668 wrote to memory of 1532 | 668 | winrar.exe | schtasks.exe
PID 540 wrote to memory of 1672 | 540 | taskeng.exe | Winrar.exe
PID 540 wrote to memory of 3060 | 540 | taskeng.exe | Winrar.exe
PID 3060 wrote to memory of 2888 | 3060 | Winrar.exe | powershell.exe
PID 3060 wrote to memory of 1668 | 3060 | Winrar.exe | powershell.exe
PID 3060 wrote to memory of 2924 | 3060 | Winrar.exe | powershell.exe
PID 3060 wrote to memory of 2044 | 3060 | Winrar.exe | powershell.exe
PID 3060 wrote to memory of 1708 | 3060 | Winrar.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the process tree depth)

C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe"
  PID: 912
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
    PID: 2172
    - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\winrar.exe
    Command line: "C:\Users\Admin\AppData\Roaming\winrar.exe"
    PID: 668
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\winrar.exe'
      PID: 2704
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winrar.exe'
      PID: 2524
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      PID: 2160
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      PID: 2688
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
      PID: 1532
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {45195901-6C0F-422E-AADF-08EB06B16EFE} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  PID: 540
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Winrar.exe
    Command line: C:\ProgramData\Winrar.exe
    PID: 1672
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\Winrar.exe
    Command line: C:\ProgramData\Winrar.exe
    PID: 3060
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      PID: 2888

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      PID: 1668
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
      PID: 2924
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
      PID: 2044
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
      PID: 1708
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 826cf541af4c9b830c79775bebef5276
SHA1: f5ca312c80d066b33b3b2936d945641e9e60164c
SHA256: 8f6e588f62f3448785e15f8433b1401902d5fc08f4f9bc9d5f90c21f862eafdc
SHA512: 4c71a4a7216a115f9419b631c7684503db6a0a409c664e6f5fb90abdc98e6d21b8409d7459b9a5498ecd133115544f5d2df317834a0202c43a5aea1c12655749

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 20033fc847d71dce9fe3a4f13ccbe07b
SHA1: 5c1a23ef57a0856815f6c4d58f4b014cff8cc73a
SHA256: 2a79915cb17b5603259fc721b1252503b6881c9fa3ed30b948b93c02e4b6d523
SHA512: 0bcd5674a6c08980f97248f481398fcae8878c9d373a5d862f6cc45286069fb3b27b7b7ec30841fa354acd7fa0bf5c8832d7d057576931ceda8e969b3c049bff

Filesize: 628B
MD5: 67b786cf349dbbc1627746ef1f6bf620
SHA1: 9a109616204c928e28ccfa27bfbe00847f392c13
SHA256: 508099c082c857b4e296e4c87a4a65ed028c0b9d223ada07c141cd74a6a65533
SHA512: 24e9f3e53443e23cdee745c3688d4b1519260925ebb60291a3992c7b75386d92361849ce35865c32227bb2e4849fd61f7cce20d7d677511cd35108289ed6758d

Filesize: 251KB
MD5: e10be4048c01cbdb578d684b1137cbd9
SHA1: e1848070b2840559524572f735f4df8e8fd2205d
SHA256: ae3e0d672c98c2c7afa877acd2e35b5867ae289eae42c28a909b3f5702108ea8
SHA512: 22ef316c6989248c70e45611ccc9532e0ac687b6889657f9ad48627594fa4b10de6ad38132a9901ab96e1b832273f74a82181c949fd12fd0c8ac1b7de02488d5

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 139KB
MD5: 10605ec186aacb6a4b3dde419cb0b5e5
SHA1: 9c41040a4c238dec28c4f47bfb0a28a3cd4bf19d
SHA256: ca5b3ebffc2080fec7d44655069190b892e51e4bc4401c31f64a5a70d46f1ead
SHA512: 1d48bbc5c965f098300ce5404269ea5b1694887531b9aa1e953755f631325946e4914405ae3cabfe13d222ddfde4b0368d446b9aad3956f345d6b142d6579a9d