Analysis
-
max time kernel
930s -
max time network
921s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
28/02/2024, 06:07
General
-
Target
https://archive.org/details/cattoboi
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 28 IoCs
-
NTFS ADS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://archive.org/details/cattoboi1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb8f33cb8,0x7ffbb8f33cc8,0x7ffbb8f33cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4808 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5500 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,18023142429753968003,198949183173382021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Catto Boi Fragments v1.0.2\Catto Boi Fragments.exe"C:\Users\Admin\Downloads\Catto Boi Fragments v1.0.2\Catto Boi Fragments.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004901⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Catto Boi Fragments v1.0.2\Replay tool.exe"C:\Users\Admin\Downloads\Catto Boi Fragments v1.0.2\Replay tool.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Doggo Boye.exe"C:\Users\Admin\Downloads\Doggo Boye.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 27122⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4508 -ip 45081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5ac4680cdd73e215dc7bca93d46c2c3e7
SHA156e09960c50519765b9130fcc99711bd8410ada6
SHA2569fe51adb9bcf223c1993ff70091ae81cb7f3771e16e1fab972d48d7ec434381b
SHA512478933f660768240f6a8e80c8d0c84b2d37a005a0fca435590d5a1201b6f1fe30ef6c6215e1b6a3b1c938b6790a3b41044187761fcf5693ab1667159f9750edb
-
Filesize
152B
MD5d4604cbec2768d84c36d8ab35dfed413
SHA1a5b3db6d2a1fa5a8de9999966172239a9b1340c2
SHA2564ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
SHA512c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855
-
Filesize
152B
MD5577e1c0c1d7ab0053d280fcc67377478
SHA160032085bb950466bba9185ba965e228ec8915e5
SHA2561d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
SHA51239d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5
-
Filesize
168B
MD5d8407f689aeff59c926919ca664e2585
SHA1e92e50b8a680bf4a76ae8312c8de8e05bc7be973
SHA256cf7d747e028802a33327b72cc973ee500ccb9a7a32def84d56e8ee06b4e58f8c
SHA5120cc8b68a5ad5b62d9e6584c85e8220e49396d3175653836ec838643ba6e8596aa96cc213df29e4897cca7eca58a274a5e9ff8ec683dc5ab66c6d8384f20fff39
-
Filesize
417B
MD5e893700896bec0bcafe1d09216c4e484
SHA112f5cb681c6cc96e895f3be52031f8e0bc330e9c
SHA25660043ca63f48559ff97b67c5388e0020a8c9bb66ccc80a907faaba6b7ebc3b58
SHA5122ffede281ba542ffbc14b8539409c3cf9e82439c93d11839138e039e86a33821c58b2227d6d622ce70aacd3c4427add3ec1897f8254e88a462fcf6566023efc3
-
Filesize
498B
MD5304d7f53b4e9097bdc78b9ad04086ed3
SHA1328395c77175a1d7e66d600587be4f7bbcfdc536
SHA2561c1e3a08063159deec0bd215412f6f64125858e13d53660fb3f0d6ca301c575b
SHA512077b502449fd2cb0ffc464024d66aca3d7a0117c024f69797e79776cc74a04f8fa08079e583b06f2599abc606fe02abea91e6ebfdbf32608ec222bad7074b457
-
Filesize
6KB
MD524c28324c612bbcf49705080a561f134
SHA1aa57d8f811d3714a3af8164fb791dd8a33dadc17
SHA2561a191e034956a1488d5903f959c470a71c90695c1caacd68d576914e19fcb408
SHA512053037688c59913f47b6e4dbfd56fbf0492ece3951bb27793722ebdf5a2b8e58acf7ebca6c628e689e78a0f165c06ceb3a4c2c025bf18e0fb18dbbaf1dab32b9
-
Filesize
6KB
MD5be9ad5a2a1dd01bff9bae7289d67fc7f
SHA110b588779cf64eb914caff1d9da70b4ac2913189
SHA2568d667a504a11d3d0f84d47ea9854c79a0c39fcc2d4cbf5e1a090e0b25489cf62
SHA512075035ff96774ae513b114ab2d5465cafd66809cc414702885f0cf16b02ab3b7aea04e2e716fa70fcdd9d396904c76f894925ec93003658ab4c0b1bd46a1a16a
-
Filesize
708B
MD5f056b93b29358046d8adc3e51b5c78d6
SHA1be8b4cff8aaaca21d80deb824f75dfd43842449a
SHA25606eee99bed9349c92384cfa6ecf1eeee13ca1d3137bbb9c23e69d4fcc0e46d99
SHA512ea7112bb9f647ccc8bb01ea33c3897f533aa2dddea3245572c7b2544d91c72ab0382680efd7e1a834ab65bca0234fbc76018910063095a50108bec615f6a63bf
-
Filesize
540B
MD59d5fb95e352a1afb7c0c7ce48fa96f56
SHA1fe8dd2d11d70452fc2e515b3c460193480224fd2
SHA2566289d7b34ac4eaf506c6019a452de96f9c26085411b43341bd1699f74d50cc68
SHA512dc865ae9ff95d21acb529f2b7e058669dcf2d481f4425a4274401bb5cbced7e61e6e6368f0d87221d3feffa05aaef73e49dbb5a78c17b684e0fffd945cca2a27
-
Filesize
708B
MD51e276b2109f5c3200a5094694e5986c5
SHA1f5629a1433761da31204f862961ea04cca19c96e
SHA25612fb82299783178f0595b2ca50f9f0852293ca47b20eae3d51874413532519eb
SHA51200ab8a64f219f0847135ab471c9611466b552d063e11eefc6133b52935aeecbbd7af1867a8a5f1ff01e89b1df1addd7a01bd5fb39761208f9df96291099f6a71
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD516c376c9bd64aaa5125711930949bb18
SHA123b0a04d5fd7cdc0d959f758c5361fd5b611d32c
SHA2562703317c412080e5ed3ef9af38ae4098109beb9ca05f758f242b4247aa055d10
SHA512f8eddcd574e685a2f2ea3f56b4f2e49f9a4b5631685c4945a62b691eb4268e53460b575a6476ed3c61d7f3c69677c55be910f5b50c9e787585e916475d4eb655
-
Filesize
12KB
MD5a1f22362e7ce2a5c5f534885c8c8c45a
SHA1b39b9845f800403f3f02eac3d24272a5178cb278
SHA2561503069dc47e0f0240cb5b91119c7967e0737b804a2de6041d127841fe0f931c
SHA512cdf387c95123e787cf2d9265e5538cdd6e7a0326a8bb7760929c5531a18e8c4adc6ac5cef35810af44b9b55b50b3ea40cc9acc59da10ad58c9f73daacf8d3b7c
-
Filesize
12KB
MD50ae972f195e7bfd797901ff27ea654ec
SHA1f2bcc3e365a377b81ee1452987e00420018bb260
SHA256060759bf4709c426f79b858dd4d74df42cf536f5e5fe4f14a70ce40fe828219b
SHA512af06a450e06846de9e2892c67d366a90d14fc0f453dc275aa5cf61b3905d8ba2a9386351099b0dcee1f39803ad0aa196fab86cac129dcd637a5cfb18d72dbbee
-
Filesize
484KB
MD574529599302a2e09c30b1e119a0709f2
SHA15990f60194ecafaf43340e44657d224f8d5682eb
SHA256edfc5f86be36c2c509e4ad6ba3742bb5b2429a56de805a99771e24fec62b076a
SHA51225d1c2bc15f5d20f3d69a2c20727e4e2cbb7086aa18ec535eea2a5766302b031c12b9139467b717537300e1497102b387dcc3f53ca5ff11f5301de672efe4b07
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
4.8MB
MD5ea82e7def7b9e5c7252a21b752dd61ef
SHA157ae2f15a5c821e1a5f7fdfe79f328611f8884ff
SHA256d31523e9619265b1019f20e77371389f3d5ac65582ac92f108f995c63c5c8cbe
SHA51222397802d3243d734cc58340d6c073a5210970a9c0e7469ebeab63f45e1369c361773b72bf4927cda371c26092c9c822f6fb52ae2a41c5d4b7c527b819b5e97f
-
Filesize
4KB
-
Filesize
5.5MB
-
Filesize
5.5MB