Overview

overview

10

Static

static

3

CatrinePer...rm.exe

windows7-x64

10

CatrinePer...rm.exe

windows10-2004-x64

10

CatrinePer...rm.exe

windows7-x64

10

CatrinePer...rm.exe

windows10-2004-x64

10

f_000004.js

windows7-x64

1

f_000004.js

windows10-2004-x64

1

f_00001c.js

windows7-x64

1

f_00001c.js

windows10-2004-x64

1

CatrinePer...9_0.js

windows7-x64

1

CatrinePer...9_0.js

windows10-2004-x64

1

CatrinePer...0_0.js

windows7-x64

1

CatrinePer...0_0.js

windows10-2004-x64

1

CatrinePer...Ex.dll

windows7-x64

1

CatrinePer...Ex.dll

windows10-2004-x64

1

CatrinePer...PC.dll

windows7-x64

1

CatrinePer...PC.dll

windows10-2004-x64

1

CatrinePer...ro.dll

windows7-x64

1

CatrinePer...ro.dll

windows10-2004-x64

1

CatrinePer...re.dll

windows7-x64

1

CatrinePer...re.dll

windows10-2004-x64

1

CatrinePer...ms.dll

windows7-x64

1

CatrinePer...ms.dll

windows10-2004-x64

1

CatrinePer...pf.dll

windows7-x64

1

CatrinePer...pf.dll

windows10-2004-x64

1

CatrinePer...rs.dll

windows7-x64

1

CatrinePer...rs.dll

windows10-2004-x64

1

CatrinePer...on.dll

windows7-x64

1

CatrinePer...on.dll

windows10-2004-x64

1

Revo_Unins...o5.ps1

windows7-x64

1

Revo_Unins...o5.ps1

windows10-2004-x64

1

Revo_Unins...up.exe

windows7-x64

7

Revo_Unins...up.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07-02-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CatrinePerm/CatrinePerm.exe

  • Size

    401KB

  • MD5

    9507155d937399149aa9078a3e87a155

  • SHA1

    fc849d158401ef8c2c70589d7d96d82c061e171e

  • SHA256

    b8966ebd8b18c419d14cc7586009c2ab1bf1a08a438d49058bea5bd076fb8a34

  • SHA512

    f11ac8157a7a3e52f957f6fd444c0fdaad89295890d8474576e1af93ece65e804a019cde8ce4c2c7bb610debc6c252ae604f87419dc32f994574d1171fdca42b

  • SSDEEP

    6144:ADxYwup0zGAc6Y4PWGFrzaN1tM06g51Ejxm7brM0Nfm2Wm5geB5MNXHHHHHHHRHr:AdYr4Gj6OGkpsoM4fm2WmOI5fa/

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

78.69.106.17:8000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Winrar.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe
    "C:\Users\Admin\AppData\Local\Temp\CatrinePerm\CatrinePerm.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Roaming\CatrinePerm.exe
      "C:\Users\Admin\AppData\Roaming\CatrinePerm.exe"
      2⤵
      • Executes dropped EXE
      PID:2172
    • C:\Users\Admin\AppData\Roaming\winrar.exe
      "C:\Users\Admin\AppData\Roaming\winrar.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1532
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {45195901-6C0F-422E-AADF-08EB06B16EFE} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\ProgramData\Winrar.exe
      C:\ProgramData\Winrar.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\ProgramData\Winrar.exe
      C:\ProgramData\Winrar.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
        3⤵
          PID:2888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1668
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Winrar.exe'
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Winrar.exe'
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2044
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Winrar" /tr "C:\ProgramData\Winrar.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      826cf541af4c9b830c79775bebef5276

      SHA1

      f5ca312c80d066b33b3b2936d945641e9e60164c

      SHA256

      8f6e588f62f3448785e15f8433b1401902d5fc08f4f9bc9d5f90c21f862eafdc

      SHA512

      4c71a4a7216a115f9419b631c7684503db6a0a409c664e6f5fb90abdc98e6d21b8409d7459b9a5498ecd133115544f5d2df317834a0202c43a5aea1c12655749

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      20033fc847d71dce9fe3a4f13ccbe07b

      SHA1

      5c1a23ef57a0856815f6c4d58f4b014cff8cc73a

      SHA256

      2a79915cb17b5603259fc721b1252503b6881c9fa3ed30b948b93c02e4b6d523

      SHA512

      0bcd5674a6c08980f97248f481398fcae8878c9d373a5d862f6cc45286069fb3b27b7b7ec30841fa354acd7fa0bf5c8832d7d057576931ceda8e969b3c049bff

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winrar.lnk
      Filesize

      628B

      MD5

      67b786cf349dbbc1627746ef1f6bf620

      SHA1

      9a109616204c928e28ccfa27bfbe00847f392c13

      SHA256

      508099c082c857b4e296e4c87a4a65ed028c0b9d223ada07c141cd74a6a65533

      SHA512

      24e9f3e53443e23cdee745c3688d4b1519260925ebb60291a3992c7b75386d92361849ce35865c32227bb2e4849fd61f7cce20d7d677511cd35108289ed6758d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\winrar.exe
      Filesize

      251KB

      MD5

      e10be4048c01cbdb578d684b1137cbd9

      SHA1

      e1848070b2840559524572f735f4df8e8fd2205d

      SHA256

      ae3e0d672c98c2c7afa877acd2e35b5867ae289eae42c28a909b3f5702108ea8

      SHA512

      22ef316c6989248c70e45611ccc9532e0ac687b6889657f9ad48627594fa4b10de6ad38132a9901ab96e1b832273f74a82181c949fd12fd0c8ac1b7de02488d5

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • \Users\Admin\AppData\Roaming\CatrinePerm.exe
      Filesize

      139KB

      MD5

      10605ec186aacb6a4b3dde419cb0b5e5

      SHA1

      9c41040a4c238dec28c4f47bfb0a28a3cd4bf19d

      SHA256

      ca5b3ebffc2080fec7d44655069190b892e51e4bc4401c31f64a5a70d46f1ead

      SHA512

      1d48bbc5c965f098300ce5404269ea5b1694887531b9aa1e953755f631325946e4914405ae3cabfe13d222ddfde4b0368d446b9aad3956f345d6b142d6579a9d

      Download Submit

    • memory/668-14-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/668-15-0x000000001B1B0000-0x000000001B230000-memory.dmp

      Filesize

      512KB

      Download

    • memory/668-41-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/668-12-0x0000000000CD0000-0x0000000000D14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/668-63-0x000000001B1B0000-0x000000001B230000-memory.dmp

      Filesize

      512KB

      Download

    • memory/668-81-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/912-13-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/912-0-0x0000000000970000-0x00000000009DA000-memory.dmp

      Filesize

      424KB

      Download

    • memory/912-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1668-103-0x000007FEEDF20000-0x000007FEEE8BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1668-99-0x000007FEEDF20000-0x000007FEEE8BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1668-100-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1668-98-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1668-97-0x000007FEEDF20000-0x000007FEEE8BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1668-101-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1668-102-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1672-79-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1672-78-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1672-77-0x0000000000E90000-0x0000000000ED4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2044-122-0x000007FEEDF20000-0x000007FEEE8BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2044-123-0x0000000002F50000-0x0000000002FD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2160-55-0x0000000002A20000-0x0000000002AA0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2160-56-0x000007FEEF150000-0x000007FEEFAED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-50-0x000007FEEF150000-0x000007FEEFAED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-51-0x0000000002A20000-0x0000000002AA0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2160-52-0x000007FEEF150000-0x000007FEEFAED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-53-0x0000000002A20000-0x0000000002AA0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2160-54-0x0000000002A20000-0x0000000002AA0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-42-0x0000000002980000-0x0000000002A00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-39-0x0000000002980000-0x0000000002A00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-34-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2524-35-0x000007FEEE7B0000-0x000007FEEF14D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-36-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2524-43-0x000007FEEE7B0000-0x000007FEEF14D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-38-0x000007FEEE7B0000-0x000007FEEF14D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2524-37-0x0000000002980000-0x0000000002A00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-40-0x0000000002980000-0x0000000002A00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2688-64-0x0000000002950000-0x00000000029D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2688-69-0x000007FEEE7B0000-0x000007FEEF14D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2688-67-0x000000000295B000-0x00000000029C2000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2688-68-0x000007FEEE7B0000-0x000007FEEF14D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2688-66-0x0000000002950000-0x00000000029D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2688-65-0x0000000002950000-0x00000000029D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2688-62-0x000007FEEE7B0000-0x000007FEEF14D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2704-22-0x0000000002C80000-0x0000000002D00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2704-23-0x0000000002730000-0x0000000002738000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2704-20-0x000000001B560000-0x000000001B842000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2704-28-0x000007FEEF150000-0x000007FEEFAED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2704-27-0x0000000002C80000-0x0000000002D00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2704-26-0x0000000002C80000-0x0000000002D00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2704-25-0x0000000002C80000-0x0000000002D00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2704-24-0x000007FEEF150000-0x000007FEEFAED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2704-21-0x000007FEEF150000-0x000007FEEFAED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2924-109-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2924-111-0x00000000029A0000-0x0000000002A20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2924-112-0x00000000029A0000-0x0000000002A20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2924-110-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2924-113-0x00000000023C0000-0x00000000023C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2924-114-0x00000000029A0000-0x0000000002A20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2924-115-0x000007FEEE8C0000-0x000007FEEF25D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3060-121-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3060-85-0x000000001B080000-0x000000001B100000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3060-83-0x0000000001280000-0x00000000012C4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3060-84-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

      Filesize

      9.9MB

      Download