Analysis Overview
SHA256
fa925b3e76ed9daa56d7dc81d622202a7aa2649f923f97a986d214bc1ccad048
Threat Level: Shows suspicious behavior
The file Cat.Goes.Fishing.v13.11.2019.rar was classified as: shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 22:39
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
166s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3008 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3008 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3068 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2552 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 132bd4e66f21f6394c5dcd0260adcbb5 |
| SHA1 | 248fbfa4fbdbaf23e10ad337698040cf952325f6 |
| SHA256 | 48aae7af1875a15a8d98bde7951422940acba36cc628316cda577f6e5700f6a9 |
| SHA512 | a9bf1e4573a07d6df287abaaf503aeb7aa599dacc55bb5964142f102d54d25251455e926fc3a587e69e8d3c20c0eeb62539faa81efcc872e7e101c03d378d486 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
90s
Max time network
131s
Command Line
Signatures
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\tmp615A.tmp | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmp615B.tmp | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\OpenAL\oalinst.exe | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
142s
Max time network
133s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg"
Network
Files
memory/2224-5-0x000000013FE00000-0x000000013FEF8000-memory.dmp
memory/2224-6-0x000007FEFB800000-0x000007FEFB834000-memory.dmp
memory/2224-7-0x000007FEF6560000-0x000007FEF6814000-memory.dmp
memory/2224-9-0x000007FEFB9D0000-0x000007FEFB9E7000-memory.dmp
memory/2224-11-0x000007FEFB6B0000-0x000007FEFB6C7000-memory.dmp
memory/2224-12-0x000007FEFB690000-0x000007FEFB6A1000-memory.dmp
memory/2224-14-0x000007FEFB650000-0x000007FEFB661000-memory.dmp
memory/2224-13-0x000007FEFB670000-0x000007FEFB68D000-memory.dmp
memory/2224-10-0x000007FEFB900000-0x000007FEFB911000-memory.dmp
memory/2224-8-0x000007FEFC110000-0x000007FEFC128000-memory.dmp
memory/2224-15-0x000007FEF6360000-0x000007FEF6560000-memory.dmp
memory/2224-16-0x000007FEFB610000-0x000007FEFB64F000-memory.dmp
memory/2224-17-0x000007FEF7DD0000-0x000007FEF7DF1000-memory.dmp
memory/2224-18-0x000007FEFB5F0000-0x000007FEFB608000-memory.dmp
memory/2224-20-0x000007FEF7DB0000-0x000007FEF7DC1000-memory.dmp
memory/2224-21-0x000007FEF7D10000-0x000007FEF7D21000-memory.dmp
memory/2224-23-0x000007FEF7260000-0x000007FEF727B000-memory.dmp
memory/2224-22-0x000007FEF7280000-0x000007FEF7291000-memory.dmp
memory/2224-24-0x000007FEF7240000-0x000007FEF7251000-memory.dmp
memory/2224-25-0x000007FEF7220000-0x000007FEF7238000-memory.dmp
memory/2224-26-0x000007FEF71F0000-0x000007FEF7220000-memory.dmp
memory/2224-27-0x000007FEF7180000-0x000007FEF71E7000-memory.dmp
memory/2224-19-0x000007FEF52B0000-0x000007FEF635B000-memory.dmp
memory/2224-28-0x000007FEF7110000-0x000007FEF717F000-memory.dmp
memory/2224-29-0x000007FEF70F0000-0x000007FEF7101000-memory.dmp
memory/2224-30-0x000007FEF6C40000-0x000007FEF6C9C000-memory.dmp
memory/2224-31-0x000007FEF5130000-0x000007FEF52A8000-memory.dmp
memory/2224-32-0x000007FEF6D30000-0x000007FEF6D47000-memory.dmp
memory/2224-33-0x000007FEF7DA0000-0x000007FEF7DB0000-memory.dmp
memory/2224-34-0x000007FEF6C10000-0x000007FEF6C3F000-memory.dmp
memory/2224-35-0x000007FEF6BF0000-0x000007FEF6C01000-memory.dmp
memory/2224-36-0x000007FEF6BD0000-0x000007FEF6BE6000-memory.dmp
memory/2224-37-0x000007FEF5060000-0x000007FEF5125000-memory.dmp
memory/2224-39-0x000007FEF5040000-0x000007FEF5051000-memory.dmp
memory/2224-40-0x000007FEF5020000-0x000007FEF5032000-memory.dmp
memory/2224-38-0x000007FEF6BB0000-0x000007FEF6BC5000-memory.dmp
memory/2224-41-0x000007FEF4EA0000-0x000007FEF501A000-memory.dmp
memory/2224-42-0x000007FEF4E80000-0x000007FEF4E93000-memory.dmp
memory/2224-43-0x000007FEF4E60000-0x000007FEF4E74000-memory.dmp
memory/2224-45-0x000007FEF4E20000-0x000007FEF4E31000-memory.dmp
memory/2224-46-0x000007FEF4E00000-0x000007FEF4E11000-memory.dmp
memory/2224-44-0x000007FEF4E40000-0x000007FEF4E51000-memory.dmp
memory/2224-61-0x000007FEF52B0000-0x000007FEF635B000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:44
Platform
win10v2004-20240226-en
Max time kernel
177s
Max time network
210s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 1964 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x3fc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/1980-5-0x00007FF6AC3A0000-0x00007FF6AC498000-memory.dmp
memory/1980-6-0x00007FFE7EDF0000-0x00007FFE7EE24000-memory.dmp
memory/1980-7-0x00007FFE6F880000-0x00007FFE6FB34000-memory.dmp
memory/1980-8-0x00007FFE7F950000-0x00007FFE7F968000-memory.dmp
memory/1980-9-0x00007FFE7F680000-0x00007FFE7F697000-memory.dmp
memory/1980-10-0x00007FFE7F500000-0x00007FFE7F511000-memory.dmp
memory/1980-14-0x00007FFE75D60000-0x00007FFE75D71000-memory.dmp
memory/1980-13-0x00007FFE76460000-0x00007FFE7647D000-memory.dmp
memory/1980-12-0x00007FFE7A920000-0x00007FFE7A931000-memory.dmp
memory/1980-16-0x00007FFE6F640000-0x00007FFE6F67F000-memory.dmp
memory/1980-15-0x00007FFE6F680000-0x00007FFE6F880000-memory.dmp
memory/1980-11-0x00007FFE7A940000-0x00007FFE7A957000-memory.dmp
memory/1980-17-0x00007FFE6E590000-0x00007FFE6F63B000-memory.dmp
memory/1980-19-0x00007FFE6E540000-0x00007FFE6E558000-memory.dmp
memory/1980-20-0x00007FFE6E520000-0x00007FFE6E531000-memory.dmp
memory/1980-21-0x00007FFE6E500000-0x00007FFE6E511000-memory.dmp
memory/1980-26-0x00007FFE6E450000-0x00007FFE6E480000-memory.dmp
memory/1980-27-0x00007FFE6E3E0000-0x00007FFE6E447000-memory.dmp
memory/1980-28-0x00007FFE6E370000-0x00007FFE6E3DF000-memory.dmp
memory/1980-25-0x00007FFE6E480000-0x00007FFE6E498000-memory.dmp
memory/1980-29-0x00007FFE6E350000-0x00007FFE6E361000-memory.dmp
memory/1980-30-0x00007FFE6E2F0000-0x00007FFE6E34C000-memory.dmp
memory/1980-31-0x00007FFE6E170000-0x00007FFE6E2E8000-memory.dmp
memory/1980-32-0x00007FFE6E130000-0x00007FFE6E147000-memory.dmp
memory/1980-36-0x00007FFE6DEC0000-0x00007FFE6DED6000-memory.dmp
memory/1980-39-0x00007FFE6DF50000-0x00007FFE6DF61000-memory.dmp
memory/1980-40-0x00007FFE6DF30000-0x00007FFE6DF42000-memory.dmp
memory/1980-38-0x00007FFE6DDD0000-0x00007FFE6DDE5000-memory.dmp
memory/1980-41-0x00007FFE6D700000-0x00007FFE6D87A000-memory.dmp
memory/1980-42-0x00007FFE6DF10000-0x00007FFE6DF23000-memory.dmp
memory/1980-44-0x00007FFE6D6C0000-0x00007FFE6D6D1000-memory.dmp
memory/1980-46-0x00007FFE6D680000-0x00007FFE6D691000-memory.dmp
memory/1980-45-0x00007FFE6D6A0000-0x00007FFE6D6B1000-memory.dmp
memory/1980-43-0x00007FFE6D6E0000-0x00007FFE6D6F4000-memory.dmp
memory/1980-35-0x00007FFE6E150000-0x00007FFE6E161000-memory.dmp
memory/1980-33-0x00007FFE802F0000-0x00007FFE80300000-memory.dmp
memory/1980-37-0x00007FFE6DDF0000-0x00007FFE6DEB5000-memory.dmp
memory/1980-34-0x00007FFE6DEE0000-0x00007FFE6DF0F000-memory.dmp
memory/1980-24-0x00007FFE6E4A0000-0x00007FFE6E4B1000-memory.dmp
memory/1980-23-0x00007FFE6E4C0000-0x00007FFE6E4DB000-memory.dmp
memory/1980-22-0x00007FFE6E4E0000-0x00007FFE6E4F1000-memory.dmp
memory/1980-18-0x00007FFE6E560000-0x00007FFE6E581000-memory.dmp
memory/1980-59-0x00007FFE6E590000-0x00007FFE6F63B000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
146s
Max time network
141s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg"
Network
Files
memory/2352-5-0x000000013FA00000-0x000000013FAF8000-memory.dmp
memory/2352-6-0x000007FEF72C0000-0x000007FEF72F4000-memory.dmp
memory/2352-7-0x000007FEF5990000-0x000007FEF5C44000-memory.dmp
memory/2352-8-0x000007FEFB540000-0x000007FEFB558000-memory.dmp
memory/2352-10-0x000007FEF7310000-0x000007FEF7321000-memory.dmp
memory/2352-9-0x000007FEFAA30000-0x000007FEFAA47000-memory.dmp
memory/2352-12-0x000007FEF6580000-0x000007FEF6591000-memory.dmp
memory/2352-13-0x000007FEF6560000-0x000007FEF657D000-memory.dmp
memory/2352-14-0x000007FEF6540000-0x000007FEF6551000-memory.dmp
memory/2352-11-0x000007FEF6BA0000-0x000007FEF6BB7000-memory.dmp
memory/2352-15-0x000007FEF5790000-0x000007FEF5990000-memory.dmp
memory/2352-16-0x000007FEF6090000-0x000007FEF60CF000-memory.dmp
memory/2352-17-0x000007FEF46E0000-0x000007FEF578B000-memory.dmp
memory/2352-19-0x000007FEF6070000-0x000007FEF6088000-memory.dmp
memory/2352-18-0x000007FEF6510000-0x000007FEF6531000-memory.dmp
memory/2352-20-0x000007FEF6050000-0x000007FEF6061000-memory.dmp
memory/2352-22-0x000007FEF6010000-0x000007FEF6021000-memory.dmp
memory/2352-24-0x000007FEF5FD0000-0x000007FEF5FE1000-memory.dmp
memory/2352-23-0x000007FEF5FF0000-0x000007FEF600B000-memory.dmp
memory/2352-26-0x000007FEF4690000-0x000007FEF46C0000-memory.dmp
memory/2352-25-0x000007FEF46C0000-0x000007FEF46D8000-memory.dmp
memory/2352-27-0x000007FEF4620000-0x000007FEF4687000-memory.dmp
memory/2352-21-0x000007FEF6030000-0x000007FEF6041000-memory.dmp
memory/2352-28-0x000007FEF45B0000-0x000007FEF461F000-memory.dmp
memory/2352-29-0x000007FEF4590000-0x000007FEF45A1000-memory.dmp
memory/2352-30-0x000007FEF4530000-0x000007FEF458C000-memory.dmp
memory/2352-31-0x000007FEF43B0000-0x000007FEF4528000-memory.dmp
memory/2352-32-0x000007FEF4390000-0x000007FEF43A7000-memory.dmp
memory/2352-33-0x000007FEF7380000-0x000007FEF7390000-memory.dmp
memory/2352-34-0x000007FEF4360000-0x000007FEF438F000-memory.dmp
memory/2352-35-0x000007FEF4340000-0x000007FEF4351000-memory.dmp
memory/2352-36-0x000007FEF4320000-0x000007FEF4336000-memory.dmp
memory/2352-37-0x000007FEF4250000-0x000007FEF4315000-memory.dmp
memory/2352-39-0x000007FEF41F0000-0x000007FEF4201000-memory.dmp
memory/2352-40-0x000007FEF41D0000-0x000007FEF41E2000-memory.dmp
memory/2352-38-0x000007FEF4230000-0x000007FEF4245000-memory.dmp
memory/2352-41-0x000007FEF4050000-0x000007FEF41CA000-memory.dmp
memory/2352-42-0x000007FEF4030000-0x000007FEF4043000-memory.dmp
memory/2352-43-0x000007FEF4010000-0x000007FEF4024000-memory.dmp
memory/2352-44-0x000007FEF3FF0000-0x000007FEF4001000-memory.dmp
memory/2352-45-0x000007FEF3FD0000-0x000007FEF3FE1000-memory.dmp
memory/2352-46-0x000007FEF3FB0000-0x000007FEF3FC1000-memory.dmp
memory/2352-59-0x000007FEF46E0000-0x000007FEF578B000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3492 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3492 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
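Almost every row in these Network tables is a reverse (PTR) query sent to 8.8.8.8 for an address the guest never shows a connection to; the same names (241.154.82.20.in-addr.arpa, 41.110.16.96.in-addr.arpa, 134.71.91.104.in-addr.arpa) recur in runs that did nothing but hand an .ogg file to VLC, so they are the sandbox guest's own background traffic rather than anything steam_api.dll did. The one forward lookup and connection here, g.bing.com on 204.79.197.200:443, is accompanied by a PTR query for 200.197.79.204.in-addr.arpa, which is that same address with its octets reversed: Windows reverse-resolving its own connection. The script below is an added example, not the report's or the sandbox's own tooling, that parses rows of this shape, turns in-addr.arpa names back into addresses, keeps forward lookups and connections, and ties each PTR query to the connection it explains. The sample rows are re-typed from this table plus the behavioral32 row whose Domain cell is empty.

```python
"""Separate sandbox background DNS noise from real egress in a Network table.

Added example; not part of the report or of the sandbox's own tooling.
"""
import ipaddress
import re

# Rows re-typed from the behavioral30 table above, plus the behavioral32 row
# whose Domain cell is empty (a bare TCP connection with no name attached).
NETWORK_ROWS = [
    '| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |',
    '| US | 8.8.8.8:53 | g.bing.com | udp |',
    '| US | 204.79.197.200:443 | g.bing.com | tcp |',
    '| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |',
    '| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |',
    '| US | 13.107.253.64:443 |  | tcp |',
]

PTR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$', re.I)


def ptr_to_ip(name):
    """'74.32.126.40.in-addr.arpa' -> '40.126.32.74'; None if not a PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    ip = '.'.join(reversed(m.groups()))      # PTR names list the octets back to front
    try:
        ipaddress.IPv4Address(ip)            # rejects octets above 255
    except ipaddress.AddressValueError:
        return None
    return ip


def parse_network(rows):
    """Pipe-table rows -> dicts; rows without exactly four cells are skipped."""
    events = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip('|').split('|')]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(':')
        events.append({'country': country, 'ip': host, 'port': int(port),
                       'domain': domain, 'proto': proto.lower()})
    return events


def classify(ev):
    """'ptr' = reverse lookup (OS background), 'dns' = forward lookup, 'conn' = anything else."""
    if ev['port'] == 53 and ev['proto'] == 'udp':
        ip = ptr_to_ip(ev['domain'])
        return ('ptr', ip) if ip else ('dns', ev['domain'].lower())
    return ('conn', ev['domain'].lower() or ev['ip'])


def summarize(rows):
    ptr, dns, conns = set(), set(), set()
    for ev in parse_network(rows):
        kind, what = classify(ev)
        if kind == 'ptr':
            ptr.add(what)
        elif kind == 'dns':
            dns.add(what)
        else:
            conns.add((what, ev['ip'], ev['port'], ev['proto']))
    # A PTR query for an address we also connected to is Windows reverse-resolving
    # that connection; PTR queries with no matching connection are pure background.
    connected_ips = {ip for _, ip, _, _ in conns}
    return {
        'ptr': ptr,
        'dns': dns,
        'conns': conns,
        'ptr_explained': ptr & connected_ips,
        'ptr_unexplained': ptr - connected_ips,
    }


if __name__ == '__main__':
    s = summarize(NETWORK_ROWS)
    print('forward lookups :', sorted(s['dns']))
    print('connections     :', sorted(s['conns']))
    print('PTR of our conns:', sorted(s['ptr_explained']))
    print('background PTR  :', sorted(s['ptr_unexplained']))
```

Run against a whole report, the 'background PTR' set is what you diff across analyses: addresses that show up in every run regardless of which file was executed belong to the guest image, and only what remains is attributable to the sample.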
Files
memory/2184-0-0x0000000074660000-0x0000000075498000-memory.dmp
memory/2184-1-0x0000000074660000-0x0000000075498000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3488 -ip 3488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
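In this run the sandbox executed steam_api.dll by asking the 64-bit rundll32.exe to call its export at ordinal #1. The system32 rundll32 spawning its SysWOW64 copy is how rundll32 handles a 32-bit DLL, and the three identical "PID 4168 wrote to memory of 3488" rows are the writes CreateProcess makes into a freshly created child, not injection into a running process. Calling an ordinary export with rundll32's RunDLL argument convention then most likely faulted the child, which is why WerFault.exe appears twice with -p 3488. The script below is an added example, not the report's or the sandbox's code, that turns rows of this shape into a deduplicated parent/child list, flags the WoW64 relaunch pattern and links WerFault invocations back to the PID that crashed; the rows and command lines are re-typed from this analysis.

```python
"""Rebuild parent/child process relationships from a sandbox report.

Added example; not the report's or the sandbox's own code.
"""
import re

# Re-typed from the behavioral32 "Suspicious use of WriteProcessMemory" table
# and its Processes list above.
WPM_ROWS = [
    r'| PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |',
    r'| PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |',
    r'| PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |',
]
COMMAND_LINES = [
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1',
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3488 -ip 3488',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 612',
]

WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+)')
WER_PID_RE = re.compile(r'WerFault\.exe\b.*?\s-p\s+(\d+)', re.I)


def parse_edges(rows):
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples.

    The report logs one row per WriteProcessMemory call, and CreateProcess makes
    several writes into a new child, so identical rows describe one parent->child
    relationship rather than repeated injection into a running process."""
    edges = {}
    for row in rows:
        cells = [c.strip() for c in row.strip().strip('|').split('|')]
        m = WPM_RE.search(cells[0]) if cells else None
        if m and len(cells) == 4:
            edges[(int(m.group(1)), int(m.group(2)))] = (cells[2], cells[3])
    return [(ppid, pid, par, chi) for (ppid, pid), (par, chi) in edges.items()]


def is_wow64_relaunch(parent_image, child_image):
    """64-bit rundll32 starting its SysWOW64 copy, which is how a 32-bit DLL gets loaded."""
    p, c = parent_image.lower(), child_image.lower()
    return p.endswith(r'\system32\rundll32.exe') and c.endswith(r'\syswow64\rundll32.exe')


def crashed_pids(command_lines):
    """PIDs that Windows Error Reporting was started for (WerFault.exe ... -p <pid>)."""
    pids = set()
    for cl in command_lines:
        m = WER_PID_RE.search(cl)
        if m:
            pids.add(int(m.group(1)))
    return pids


def describe(rows, command_lines):
    """One annotated line per parent->child edge."""
    crashed = crashed_pids(command_lines)
    out = []
    for ppid, pid, par, chi in parse_edges(rows):
        notes = []
        if is_wow64_relaunch(par, chi):
            notes.append('WoW64 relaunch: 32-bit DLL given to 64-bit rundll32')
        if pid in crashed:
            notes.append(f'child {pid} crashed (WerFault -p {pid})')
        line = f'{ppid} {par} -> {pid} {chi}'
        out.append(line + (f'  [{"; ".join(notes)}]' if notes else ''))
    return out


if __name__ == '__main__':
    print('\n'.join(describe(WPM_ROWS, COMMAND_LINES)))
```

The same parser applies to the behavioral9 chain (cmd.exe -> rundll32.exe -> AcroRd32.exe) and the behavioral24 chain (cmd.exe -> vlc.exe), where the repeated rows are again process creation and nothing is written into an already-running target.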
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:44
Platform
win10v2004-20240226-en
Max time kernel
127s
Max time network
212s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET99CF.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET99CF.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET99F0.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET99F0.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | eaa6b5ee297982a6a396354814006761 |
| SHA1 | 780bf9a61c080a335e8712c5544fcbf9c7bdcd72 |
| SHA256 | d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee |
| SHA512 | ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | 95af51a930889c82630553e5d9d24f4b |
| SHA1 | d24fe70a2152b09d1b85166443e24d2d61defdf5 |
| SHA256 | b8c3d2b050e3541e4072d8522a63319ce53f48ce7c975d2b2f389db91df36865 |
| SHA512 | faeafbeea9c190b33b5354ec9998cb285911cecf78c69acbe11a2de253e939494e5d72b8036e849f27358d3db64a81f395f81ec3f34810a9f74db37f9edca4cd |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | 69f2ccb12f81ec470df9d387b8c6bbb6 |
| SHA1 | 2d8837824951e146eb9428b781936cfb605ce05b |
| SHA256 | 0d2d950d7ac0b622b3d65a616fbb09875cd1c26d01eff31f07d000a61d6706b2 |
| SHA512 | f93e3172b709cdb848a63a3d7909d0b43979960068e86045207d1884742e513e9613fabe1be402bcfe34fa46235e6a7d682bf9cb18fe5fbdb2dc404a7815e1e4 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | ba4a4b82dd8bd438959b8542d66161ad |
| SHA1 | 51d91e28ace38ea7d183498edd9031dabb6f18bb |
| SHA256 | 82f87b955cbe426c3b6302bb2de938057166af6a0db02a3a191d17814fecefb8 |
| SHA512 | 72689ceba03390eaa0ca228d7885d15531fe57e9c4fdbe619bdd33777b3b79b7f828a81c11b60f16248cf64bff3086c41df04f25e7f13815fd2d3af971025e88 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | 938638d0da26178572066d3f62ddd15c |
| SHA1 | 9941160e7d06e97460aba020e29b42e52bec04e3 |
| SHA256 | 1a529633246ee8977411af4128738ee7389d8576e100f86fbf590a336e0f8d68 |
| SHA512 | 934c943250737c737e2f268632300bb923070518f4b7fa321c6d39392fa3cfce032d5a41d54de6ad40529b96e3699fe78251d98f79b102e38a70e49e7af5e1af |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
| MD5 | ad8982eaa02c7ad4d7cdcbc248caa941 |
| SHA1 | 4ccd8e038d73a5361d754c7598ed238fc040d16b |
| SHA256 | d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00 |
| SHA512 | 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
| MD5 | 0a23038ea472ffc938366ef4099d6635 |
| SHA1 | 6499d741776dc4a446c22ea11085842155b34176 |
| SHA256 | 8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a |
| SHA512 | dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
| MD5 | 7672509436485121135c2a0e30b9e9ff |
| SHA1 | f557022a9f42fe1303078093e389f21fb693c959 |
| SHA256 | d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea |
| SHA512 | e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2476 wrote to memory of 4808 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2476 wrote to memory of 4808 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.10:443 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2020 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2020 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2020 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 544
Network
Files
memory/2020-0-0x0000000072610000-0x0000000073448000-memory.dmp
memory/2020-1-0x0000000072610000-0x0000000073448000-memory.dmp
memory/2020-4-0x0000000072610000-0x0000000073448000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5032 wrote to memory of 3296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5032 wrote to memory of 3296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5032 wrote to memory of 3296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\tmp4A89.tmp | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmp4A88.tmp | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\OpenAL\oalinst.exe | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe"
Network
Files
\Windows\SysWOW64\OpenAL32.new
| MD5 | 235355a8dd26903e75d5e812ecf50e53 |
| SHA1 | 8316319341a0f9054e19e4a7b21df3dc49386fee |
| SHA256 | 1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd |
| SHA512 | 5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac |
\Windows\SysWOW64\wrap_oal.new
| MD5 | d494267bc169604fac5e3679b9a97fed |
| SHA1 | c093ce5a4f7dc40f7f604945bd1facfb2c805c4b |
| SHA256 | a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f |
| SHA512 | 7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040 |
\Windows\System32\OpenAL32.new
| MD5 | 2ad7b4f3c8d2bb686d231edff404b7a4 |
| SHA1 | f29676b96d04bd2765925a3834d9babfdce6a0b3 |
| SHA256 | 87802322c8e63555c26fe473ce234ce7099745ccb28c02766c2224c726454039 |
| SHA512 | 51a6c8cfe30e34c37437e6c5f8c602aa0759b65559a82521e2dbcf8a9865b826077854acb6497df6085d67b4c66083ae5f0f192b743a4b6f77ce7b18f01bf528 |
\Windows\System32\wrap_oal.new
| MD5 | 549347bcd4aacd63243d78e8f869dbb1 |
| SHA1 | efc00d2a7c5acfe17b8a58023826e6840aef39a6 |
| SHA256 | 5379373cf3eff41cdd8c912c65e27e1bd492bd84238d19a093aa846c9b1ce909 |
| SHA512 | c6789376d05deb8c5050225c37c023055c107a72b49afddfd3f91e7e7429d38db9346e2e5d38986c2000c3828389cfbe5d74d80423a79eebd0367bcc81137cd5 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
163s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 4600 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2112 wrote to memory of 4600 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x4f4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/4600-5-0x00007FF773C30000-0x00007FF773D28000-memory.dmp
memory/4600-6-0x00007FF8FB080000-0x00007FF8FB0B4000-memory.dmp
memory/4600-7-0x00007FF8E6900000-0x00007FF8E6BB4000-memory.dmp
memory/4600-8-0x00007FF8FC600000-0x00007FF8FC618000-memory.dmp
memory/4600-9-0x00007FF8FB0D0000-0x00007FF8FB0E7000-memory.dmp
memory/4600-11-0x00007FF8F71B0000-0x00007FF8F71C7000-memory.dmp
memory/4600-10-0x00007FF8F72A0000-0x00007FF8F72B1000-memory.dmp
memory/4600-12-0x00007FF8F7190000-0x00007FF8F71A1000-memory.dmp
memory/4600-14-0x00007FF8F7150000-0x00007FF8F7161000-memory.dmp
memory/4600-13-0x00007FF8F7170000-0x00007FF8F718D000-memory.dmp
memory/4600-15-0x00007FF8E7240000-0x00007FF8E7440000-memory.dmp
memory/4600-16-0x00007FF8F7110000-0x00007FF8F714F000-memory.dmp
memory/4600-17-0x00007FF8E5850000-0x00007FF8E68FB000-memory.dmp
memory/4600-28-0x00007FF8F6540000-0x00007FF8F65AF000-memory.dmp
memory/4600-26-0x00007FF8F6F30000-0x00007FF8F6F60000-memory.dmp
memory/4600-29-0x00007FF8F6520000-0x00007FF8F6531000-memory.dmp
memory/4600-30-0x00007FF8F64C0000-0x00007FF8F651C000-memory.dmp
memory/4600-27-0x00007FF8F65B0000-0x00007FF8F6617000-memory.dmp
memory/4600-25-0x00007FF8F6F60000-0x00007FF8F6F78000-memory.dmp
memory/4600-31-0x00007FF8E70C0000-0x00007FF8E7238000-memory.dmp
memory/4600-24-0x00007FF8F6F80000-0x00007FF8F6F91000-memory.dmp
memory/4600-33-0x00007FF8F6400000-0x00007FF8F6410000-memory.dmp
memory/4600-32-0x00007FF8F6430000-0x00007FF8F6447000-memory.dmp
memory/4600-37-0x00007FF8E77F0000-0x00007FF8E78B5000-memory.dmp
memory/4600-36-0x00007FF8E7FE0000-0x00007FF8E7FF6000-memory.dmp
memory/4600-39-0x00007FF8E77B0000-0x00007FF8E77C1000-memory.dmp
memory/4600-40-0x00007FF8E76E0000-0x00007FF8E76F2000-memory.dmp
memory/4600-38-0x00007FF8E77D0000-0x00007FF8E77E5000-memory.dmp
memory/4600-35-0x00007FF8F63E0000-0x00007FF8F63F1000-memory.dmp
memory/4600-41-0x00007FF8E4C50000-0x00007FF8E4DCA000-memory.dmp
memory/4600-42-0x00007FF8E70A0000-0x00007FF8E70B3000-memory.dmp
memory/4600-43-0x00007FF8E7080000-0x00007FF8E7094000-memory.dmp
memory/4600-44-0x00007FF8E7060000-0x00007FF8E7071000-memory.dmp
memory/4600-45-0x00007FF8E7040000-0x00007FF8E7051000-memory.dmp
memory/4600-46-0x00007FF8E7020000-0x00007FF8E7031000-memory.dmp
memory/4600-34-0x00007FF8ED500000-0x00007FF8ED52F000-memory.dmp
memory/4600-23-0x00007FF8F6FA0000-0x00007FF8F6FBB000-memory.dmp
memory/4600-22-0x00007FF8F7060000-0x00007FF8F7071000-memory.dmp
memory/4600-21-0x00007FF8F7080000-0x00007FF8F7091000-memory.dmp
memory/4600-20-0x00007FF8F70A0000-0x00007FF8F70B1000-memory.dmp
memory/4600-19-0x00007FF8F70C0000-0x00007FF8F70D8000-memory.dmp
memory/4600-18-0x00007FF8F70E0000-0x00007FF8F7101000-memory.dmp
memory/4600-59-0x00007FF8E5850000-0x00007FF8E68FB000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\directx\websetup\SET3D38.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET3D48.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET3D48.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET3D38.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4772 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 4772 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 4772 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 133.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | eaa6b5ee297982a6a396354814006761 |
| SHA1 | 780bf9a61c080a335e8712c5544fcbf9c7bdcd72 |
| SHA256 | d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee |
| SHA512 | ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
| MD5 | ad8982eaa02c7ad4d7cdcbc248caa941 |
| SHA1 | 4ccd8e038d73a5361d754c7598ed238fc040d16b |
| SHA256 | d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00 |
| SHA512 | 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
| MD5 | 0a23038ea472ffc938366ef4099d6635 |
| SHA1 | 6499d741776dc4a446c22ea11085842155b34176 |
| SHA256 | 8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a |
| SHA512 | dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
| MD5 | 7672509436485121135c2a0e30b9e9ff |
| SHA1 | f557022a9f42fe1303078093e389f21fb693c959 |
| SHA256 | d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea |
| SHA512 | e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4356 wrote to memory of 4968 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 4356 wrote to memory of 4968 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x3ec
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 2600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2708 wrote to memory of 2616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2616 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
162s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
126s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.win | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.win\ = "win_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2200 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2732 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240220-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\options.ini
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
159s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x4e8
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240220-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe | N/A |
| N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\d86a654092ded3e84d\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\d86a654092ded3e84d\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe"
\??\c:\d86a654092ded3e84d\Setup.exe
c:\d86a654092ded3e84d\Setup.exe
Network
Files
\d86a654092ded3e84d\Setup.exe
\??\c:\d86a654092ded3e84d\SetupEngine.dll
\??\c:\d86a654092ded3e84d\sqmapi.dll
\??\c:\d86a654092ded3e84d\DHTMLHeader.html
C:\Users\Admin\AppData\Local\Temp\HFI145C.tmp.html
\??\c:\d86a654092ded3e84d\UiInfo.xml
\??\c:\d86a654092ded3e84d\ParameterInfo.xml
\??\c:\d86a654092ded3e84d\3082\LocalizedData.xml
\??\c:\d86a654092ded3e84d\2052\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1049\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1042\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1041\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1040\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1036\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1031\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1028\LocalizedData.xml
\??\c:\d86a654092ded3e84d\1033\LocalizedData.xml
\d86a654092ded3e84d\SetupUi.dll
\??\c:\d86a654092ded3e84d\SetupUi.xsd
\??\c:\d86a654092ded3e84d\Strings.xml
\d86a654092ded3e84d\1033\SetupResources.dll
\??\c:\d86a654092ded3e84d\graphics\save.ico
\??\c:\d86a654092ded3e84d\graphics\print.ico
\??\c:\d86a654092ded3e84d\graphics\stop.ico
\??\c:\d86a654092ded3e84d\graphics\setup.ico
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3928 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe |
| PID 3928 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe |
| PID 3928 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe"
\??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe
c:\36072191a3d67895e1a09b62fb6df1\Setup.exe
Network
Files
C:\36072191a3d67895e1a09b62fb6df1\Setup.exe
\??\c:\36072191a3d67895e1a09b62fb6df1\SetupEngine.dll
\??\c:\36072191a3d67895e1a09b62fb6df1\sqmapi.dll
C:\Users\Admin\AppData\Local\Temp\HFI443E.tmp.html
\??\c:\36072191a3d67895e1a09b62fb6df1\UiInfo.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\ParameterInfo.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1033\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1031\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1028\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1036\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1040\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1041\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1042\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\1049\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\2052\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\3082\LocalizedData.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\SetupUi.dll
\??\c:\36072191a3d67895e1a09b62fb6df1\SetupUi.xsd
\??\c:\36072191a3d67895e1a09b62fb6df1\1033\SetupResources.dll
\??\c:\36072191a3d67895e1a09b62fb6df1\Strings.xml
\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\setup.ico
\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\stop.ico
\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\print.ico
\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\save.ico
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240215-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\options.ini
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2604 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2604 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2604 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2604 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2604 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2604 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2604 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
152s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 1936 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 1936 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2700 wrote to memory of 2468 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe |
| PID 2700 wrote to memory of 2468 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe |
| PID 2700 wrote to memory of 2468 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe |
| PID 2700 wrote to memory of 2468 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar"
C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterEnter.mp2"
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win7-20240221-en
Max time kernel
117s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.cfg | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.cfg\ = "cfg_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2140 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2140 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2140 wrote to memory of 3068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3068 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3068 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 22:39
Reported
2024-03-02 22:43
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
163s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network