Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-2lcnbsae44
Target Cat.Goes.Fishing.v13.11.2019.rar
SHA256 fa925b3e76ed9daa56d7dc81d622202a7aa2649f923f97a986d214bc1ccad048
Tags discovery upx persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral8, behavioral9, behavioral16, behavioral21, behavioral24, behavioral23, behavioral30, behavioral32, behavioral10, behavioral13, behavioral2, behavioral3, behavioral6, behavioral15, behavioral22, behavioral14, behavioral26, behavioral29, behavioral7, behavioral20, behavioral5, behavioral19, behavioral27, behavioral4, behavioral17, behavioral18, behavioral25, behavioral28, behavioral31, behavioral1, behavioral11, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 7/10

SHA256

fa925b3e76ed9daa56d7dc81d622202a7aa2649f923f97a986d214bc1ccad048

Threat Level: Shows suspicious behavior

The file Cat.Goes.Fishing.v13.11.2019.rar was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery upx persistence

UPX packed file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 22:39

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

166s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 132bd4e66f21f6394c5dcd0260adcbb5
SHA1 248fbfa4fbdbaf23e10ad337698040cf952325f6
SHA256 48aae7af1875a15a8d98bde7951422940acba36cc628316cda577f6e5700f6a9
SHA512 a9bf1e4573a07d6df287abaaf503aeb7aa599dacc55bb5964142f102d54d25251455e926fc3a587e69e8d3c20c0eeb62539faa81efcc872e7e101c03d378d486

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

90s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe"

Signatures

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\tmp615A.tmp | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp615B.tmp | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A
File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\OpenAL\oalinst.exe | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

142s

Max time network

133s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg"

Network

N/A

Files

memory/2224-5-0x000000013FE00000-0x000000013FEF8000-memory.dmp

memory/2224-6-0x000007FEFB800000-0x000007FEFB834000-memory.dmp

memory/2224-7-0x000007FEF6560000-0x000007FEF6814000-memory.dmp

memory/2224-9-0x000007FEFB9D0000-0x000007FEFB9E7000-memory.dmp

memory/2224-11-0x000007FEFB6B0000-0x000007FEFB6C7000-memory.dmp

memory/2224-12-0x000007FEFB690000-0x000007FEFB6A1000-memory.dmp

memory/2224-14-0x000007FEFB650000-0x000007FEFB661000-memory.dmp

memory/2224-13-0x000007FEFB670000-0x000007FEFB68D000-memory.dmp

memory/2224-10-0x000007FEFB900000-0x000007FEFB911000-memory.dmp

memory/2224-8-0x000007FEFC110000-0x000007FEFC128000-memory.dmp

memory/2224-15-0x000007FEF6360000-0x000007FEF6560000-memory.dmp

memory/2224-16-0x000007FEFB610000-0x000007FEFB64F000-memory.dmp

memory/2224-17-0x000007FEF7DD0000-0x000007FEF7DF1000-memory.dmp

memory/2224-18-0x000007FEFB5F0000-0x000007FEFB608000-memory.dmp

memory/2224-20-0x000007FEF7DB0000-0x000007FEF7DC1000-memory.dmp

memory/2224-21-0x000007FEF7D10000-0x000007FEF7D21000-memory.dmp

memory/2224-23-0x000007FEF7260000-0x000007FEF727B000-memory.dmp

memory/2224-22-0x000007FEF7280000-0x000007FEF7291000-memory.dmp

memory/2224-24-0x000007FEF7240000-0x000007FEF7251000-memory.dmp

memory/2224-25-0x000007FEF7220000-0x000007FEF7238000-memory.dmp

memory/2224-26-0x000007FEF71F0000-0x000007FEF7220000-memory.dmp

memory/2224-27-0x000007FEF7180000-0x000007FEF71E7000-memory.dmp

memory/2224-19-0x000007FEF52B0000-0x000007FEF635B000-memory.dmp

memory/2224-28-0x000007FEF7110000-0x000007FEF717F000-memory.dmp

memory/2224-29-0x000007FEF70F0000-0x000007FEF7101000-memory.dmp

memory/2224-30-0x000007FEF6C40000-0x000007FEF6C9C000-memory.dmp

memory/2224-31-0x000007FEF5130000-0x000007FEF52A8000-memory.dmp

memory/2224-32-0x000007FEF6D30000-0x000007FEF6D47000-memory.dmp

memory/2224-33-0x000007FEF7DA0000-0x000007FEF7DB0000-memory.dmp

memory/2224-34-0x000007FEF6C10000-0x000007FEF6C3F000-memory.dmp

memory/2224-35-0x000007FEF6BF0000-0x000007FEF6C01000-memory.dmp

memory/2224-36-0x000007FEF6BD0000-0x000007FEF6BE6000-memory.dmp

memory/2224-37-0x000007FEF5060000-0x000007FEF5125000-memory.dmp

memory/2224-39-0x000007FEF5040000-0x000007FEF5051000-memory.dmp

memory/2224-40-0x000007FEF5020000-0x000007FEF5032000-memory.dmp

memory/2224-38-0x000007FEF6BB0000-0x000007FEF6BC5000-memory.dmp

memory/2224-41-0x000007FEF4EA0000-0x000007FEF501A000-memory.dmp

memory/2224-42-0x000007FEF4E80000-0x000007FEF4E93000-memory.dmp

memory/2224-43-0x000007FEF4E60000-0x000007FEF4E74000-memory.dmp

memory/2224-45-0x000007FEF4E20000-0x000007FEF4E31000-memory.dmp

memory/2224-46-0x000007FEF4E00000-0x000007FEF4E11000-memory.dmp

memory/2224-44-0x000007FEF4E40000-0x000007FEF4E51000-memory.dmp

memory/2224-61-0x000007FEF52B0000-0x000007FEF635B000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:44

Platform

win10v2004-20240226-en

Max time kernel

177s

Max time network

210s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1964 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1964 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x3fc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

memory/1980-5-0x00007FF6AC3A0000-0x00007FF6AC498000-memory.dmp

memory/1980-6-0x00007FFE7EDF0000-0x00007FFE7EE24000-memory.dmp

memory/1980-7-0x00007FFE6F880000-0x00007FFE6FB34000-memory.dmp

memory/1980-8-0x00007FFE7F950000-0x00007FFE7F968000-memory.dmp

memory/1980-9-0x00007FFE7F680000-0x00007FFE7F697000-memory.dmp

memory/1980-10-0x00007FFE7F500000-0x00007FFE7F511000-memory.dmp

memory/1980-14-0x00007FFE75D60000-0x00007FFE75D71000-memory.dmp

memory/1980-13-0x00007FFE76460000-0x00007FFE7647D000-memory.dmp

memory/1980-12-0x00007FFE7A920000-0x00007FFE7A931000-memory.dmp

memory/1980-16-0x00007FFE6F640000-0x00007FFE6F67F000-memory.dmp

memory/1980-15-0x00007FFE6F680000-0x00007FFE6F880000-memory.dmp

memory/1980-11-0x00007FFE7A940000-0x00007FFE7A957000-memory.dmp

memory/1980-17-0x00007FFE6E590000-0x00007FFE6F63B000-memory.dmp

memory/1980-19-0x00007FFE6E540000-0x00007FFE6E558000-memory.dmp

memory/1980-20-0x00007FFE6E520000-0x00007FFE6E531000-memory.dmp

memory/1980-21-0x00007FFE6E500000-0x00007FFE6E511000-memory.dmp

memory/1980-26-0x00007FFE6E450000-0x00007FFE6E480000-memory.dmp

memory/1980-27-0x00007FFE6E3E0000-0x00007FFE6E447000-memory.dmp

memory/1980-28-0x00007FFE6E370000-0x00007FFE6E3DF000-memory.dmp

memory/1980-25-0x00007FFE6E480000-0x00007FFE6E498000-memory.dmp

memory/1980-29-0x00007FFE6E350000-0x00007FFE6E361000-memory.dmp

memory/1980-30-0x00007FFE6E2F0000-0x00007FFE6E34C000-memory.dmp

memory/1980-31-0x00007FFE6E170000-0x00007FFE6E2E8000-memory.dmp

memory/1980-32-0x00007FFE6E130000-0x00007FFE6E147000-memory.dmp

memory/1980-36-0x00007FFE6DEC0000-0x00007FFE6DED6000-memory.dmp

memory/1980-39-0x00007FFE6DF50000-0x00007FFE6DF61000-memory.dmp

memory/1980-40-0x00007FFE6DF30000-0x00007FFE6DF42000-memory.dmp

memory/1980-38-0x00007FFE6DDD0000-0x00007FFE6DDE5000-memory.dmp

memory/1980-41-0x00007FFE6D700000-0x00007FFE6D87A000-memory.dmp

memory/1980-42-0x00007FFE6DF10000-0x00007FFE6DF23000-memory.dmp

memory/1980-44-0x00007FFE6D6C0000-0x00007FFE6D6D1000-memory.dmp

memory/1980-46-0x00007FFE6D680000-0x00007FFE6D691000-memory.dmp

memory/1980-45-0x00007FFE6D6A0000-0x00007FFE6D6B1000-memory.dmp

memory/1980-43-0x00007FFE6D6E0000-0x00007FFE6D6F4000-memory.dmp

memory/1980-35-0x00007FFE6E150000-0x00007FFE6E161000-memory.dmp

memory/1980-33-0x00007FFE802F0000-0x00007FFE80300000-memory.dmp

memory/1980-37-0x00007FFE6DDF0000-0x00007FFE6DEB5000-memory.dmp

memory/1980-34-0x00007FFE6DEE0000-0x00007FFE6DF0F000-memory.dmp

memory/1980-24-0x00007FFE6E4A0000-0x00007FFE6E4B1000-memory.dmp

memory/1980-23-0x00007FFE6E4C0000-0x00007FFE6E4DB000-memory.dmp

memory/1980-22-0x00007FFE6E4E0000-0x00007FFE6E4F1000-memory.dmp

memory/1980-18-0x00007FFE6E560000-0x00007FFE6E581000-memory.dmp

memory/1980-59-0x00007FFE6E590000-0x00007FFE6F63B000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

146s

Max time network

141s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_IceFlow.ogg"

Network

N/A

Files

memory/2352-5-0x000000013FA00000-0x000000013FAF8000-memory.dmp

memory/2352-6-0x000007FEF72C0000-0x000007FEF72F4000-memory.dmp

memory/2352-7-0x000007FEF5990000-0x000007FEF5C44000-memory.dmp

memory/2352-8-0x000007FEFB540000-0x000007FEFB558000-memory.dmp

memory/2352-10-0x000007FEF7310000-0x000007FEF7321000-memory.dmp

memory/2352-9-0x000007FEFAA30000-0x000007FEFAA47000-memory.dmp

memory/2352-12-0x000007FEF6580000-0x000007FEF6591000-memory.dmp

memory/2352-13-0x000007FEF6560000-0x000007FEF657D000-memory.dmp

memory/2352-14-0x000007FEF6540000-0x000007FEF6551000-memory.dmp

memory/2352-11-0x000007FEF6BA0000-0x000007FEF6BB7000-memory.dmp

memory/2352-15-0x000007FEF5790000-0x000007FEF5990000-memory.dmp

memory/2352-16-0x000007FEF6090000-0x000007FEF60CF000-memory.dmp

memory/2352-17-0x000007FEF46E0000-0x000007FEF578B000-memory.dmp

memory/2352-19-0x000007FEF6070000-0x000007FEF6088000-memory.dmp

memory/2352-18-0x000007FEF6510000-0x000007FEF6531000-memory.dmp

memory/2352-20-0x000007FEF6050000-0x000007FEF6061000-memory.dmp

memory/2352-22-0x000007FEF6010000-0x000007FEF6021000-memory.dmp

memory/2352-24-0x000007FEF5FD0000-0x000007FEF5FE1000-memory.dmp

memory/2352-23-0x000007FEF5FF0000-0x000007FEF600B000-memory.dmp

memory/2352-26-0x000007FEF4690000-0x000007FEF46C0000-memory.dmp

memory/2352-25-0x000007FEF46C0000-0x000007FEF46D8000-memory.dmp

memory/2352-27-0x000007FEF4620000-0x000007FEF4687000-memory.dmp

memory/2352-21-0x000007FEF6030000-0x000007FEF6041000-memory.dmp

memory/2352-28-0x000007FEF45B0000-0x000007FEF461F000-memory.dmp

memory/2352-29-0x000007FEF4590000-0x000007FEF45A1000-memory.dmp

memory/2352-30-0x000007FEF4530000-0x000007FEF458C000-memory.dmp

memory/2352-31-0x000007FEF43B0000-0x000007FEF4528000-memory.dmp

memory/2352-32-0x000007FEF4390000-0x000007FEF43A7000-memory.dmp

memory/2352-33-0x000007FEF7380000-0x000007FEF7390000-memory.dmp

memory/2352-34-0x000007FEF4360000-0x000007FEF438F000-memory.dmp

memory/2352-35-0x000007FEF4340000-0x000007FEF4351000-memory.dmp

memory/2352-36-0x000007FEF4320000-0x000007FEF4336000-memory.dmp

memory/2352-37-0x000007FEF4250000-0x000007FEF4315000-memory.dmp

memory/2352-39-0x000007FEF41F0000-0x000007FEF4201000-memory.dmp

memory/2352-40-0x000007FEF41D0000-0x000007FEF41E2000-memory.dmp

memory/2352-38-0x000007FEF4230000-0x000007FEF4245000-memory.dmp

memory/2352-41-0x000007FEF4050000-0x000007FEF41CA000-memory.dmp

memory/2352-42-0x000007FEF4030000-0x000007FEF4043000-memory.dmp

memory/2352-43-0x000007FEF4010000-0x000007FEF4024000-memory.dmp

memory/2352-44-0x000007FEF3FF0000-0x000007FEF4001000-memory.dmp

memory/2352-45-0x000007FEF3FD0000-0x000007FEF3FE1000-memory.dmp

memory/2352-46-0x000007FEF3FB0000-0x000007FEF3FC1000-memory.dmp

memory/2352-59-0x000007FEF46E0000-0x000007FEF578B000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3492 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3492 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3492 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

memory/2184-0-0x0000000074660000-0x0000000075498000-memory.dmp

memory/2184-1-0x0000000074660000-0x0000000075498000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4168 wrote to memory of 3488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3488 -ip 3488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 13.107.253.64:443 | N/A | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:44

Platform

win10v2004-20240226-en

Max time kernel

127s

Max time network

212s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Stats.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET99CF.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File created | C:\Windows\SysWOW64\directx\websetup\SET99CF.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET99F0.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A
File created | C:\Windows\SysWOW64\directx\websetup\SET99F0.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2476 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 544

Network

N/A

Files

memory/2020-0-0x0000000072610000-0x0000000073448000-memory.dmp

memory/2020-1-0x0000000072610000-0x0000000073448000-memory.dmp

memory/2020-4-0x0000000072610000-0x0000000073448000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5032 wrote to memory of 3296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe"

Signatures

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\tmp4A89.tmp C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe N/A
File created C:\Windows\SysWOW64\OpenAL32.new C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe N/A
File created C:\Windows\SysWOW64\wrap_oal.new C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe N/A
File created C:\Windows\system32\OpenAL32.new C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe N/A
File created C:\Windows\system32\wrap_oal.new C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe N/A
File opened for modification C:\Windows\SysWOW64\tmp4A88.tmp C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\OpenAL\oalinst.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\oalinst.exe"

Network

N/A

Files

\Windows\SysWOW64\OpenAL32.new

\Windows\SysWOW64\wrap_oal.new

\Windows\System32\OpenAL32.new

\Windows\System32\wrap_oal.new

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2112 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_EasyLemon.ogg"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x33c 0x4f4

Network

Country Destination Domain Proto

Files

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\directx\websetup\SET3D38.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET3D48.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SET3D48.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SET3D38.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4356 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 4356 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f4 0x3ec

Network

Country Destination Domain Proto

Files

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

Network

N/A

Files

memory/2600-0-0x0000000074420000-0x0000000075258000-memory.dmp

memory/2600-1-0x00000000731B0000-0x0000000073FE8000-memory.dmp

memory/2600-2-0x0000000074420000-0x0000000075258000-memory.dmp

memory/2600-3-0x00000000731B0000-0x0000000073FE8000-memory.dmp

memory/2600-4-0x00000000731B0000-0x0000000073FE8000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\Stats\Achievements.bin"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e7214c921c641ebd5610ff9e5aa7c10b
SHA1 f5ab5b27e988fcc362da298586457d4b432ec0e4
SHA256 efd2e71fba9a4f6beb4cd7dd74442d8dafb0e5f46931d0a8edbe42765af35ebe
SHA512 bfe84aeb1814223f8149395cadcf8ea88909d8820012be0fd226041ab837449d7830bb5946c54a567e68e51e97e785f0780edf6efcb829db59a668ecfba71e64

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

162s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

122s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1912 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\D3DX9_43.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

126s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.win | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.win\ = "win_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\win_auto_file | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\data.win"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d28ed2cfbd04922ed061163355274331
SHA1 c2caa6573452fd361b1d36d16185a51f8b46c70e
SHA256 186a9139d0efbde5783c00cf9a8d9f104f125edbfb7c57287eb3ca0897eb46a9
SHA512 ad7f987116b8c7f3acd72cb765bdbf0b37dd8be5199a93e97667017d87161d9ff07b8263e9c7df291a3d6aa10727b0d0eeb98c7919dfa8f7c151ca15dbe36483

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\options.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\options.ini

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Cat Goes Fishing.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4bc 0x4e8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.192.122.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

memory/4036-0-0x0000000073750000-0x0000000074588000-memory.dmp

memory/4036-1-0x0000000073750000-0x0000000074588000-memory.dmp

memory/4036-12-0x0000000073750000-0x0000000074588000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\d86a654092ded3e84d\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\d86a654092ded3e84d\Setup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A
N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A
N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A
N/A | N/A | \??\c:\d86a654092ded3e84d\Setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe"

\??\c:\d86a654092ded3e84d\Setup.exe

c:\d86a654092ded3e84d\Setup.exe

Network

N/A

Files

\d86a654092ded3e84d\Setup.exe

\??\c:\d86a654092ded3e84d\SetupEngine.dll

\??\c:\d86a654092ded3e84d\sqmapi.dll

\??\c:\d86a654092ded3e84d\DHTMLHeader.html

C:\Users\Admin\AppData\Local\Temp\HFI145C.tmp.html

\??\c:\d86a654092ded3e84d\UiInfo.xml

\??\c:\d86a654092ded3e84d\ParameterInfo.xml

\??\c:\d86a654092ded3e84d\3082\LocalizedData.xml

\??\c:\d86a654092ded3e84d\2052\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1049\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1042\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1041\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1040\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1036\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1031\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1028\LocalizedData.xml

\??\c:\d86a654092ded3e84d\1033\LocalizedData.xml

\d86a654092ded3e84d\SetupUi.dll

\??\c:\d86a654092ded3e84d\SetupUi.xsd

\??\c:\d86a654092ded3e84d\Strings.xml

\d86a654092ded3e84d\1033\SetupResources.dll

\??\c:\d86a654092ded3e84d\graphics\save.ico

\??\c:\d86a654092ded3e84d\graphics\print.ico

\??\c:\d86a654092ded3e84d\graphics\stop.ico

memory/2420-98-0x0000000000300000-0x0000000000301000-memory.dmp

\??\c:\d86a654092ded3e84d\graphics\setup.ico

memory/2420-103-0x0000000000300000-0x0000000000301000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\_Redist\vcredist_x86.exe"

\??\c:\36072191a3d67895e1a09b62fb6df1\Setup.exe

c:\36072191a3d67895e1a09b62fb6df1\Setup.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp

Files

C:\36072191a3d67895e1a09b62fb6df1\Setup.exe

\??\c:\36072191a3d67895e1a09b62fb6df1\SetupEngine.dll

\??\c:\36072191a3d67895e1a09b62fb6df1\sqmapi.dll

C:\Users\Admin\AppData\Local\Temp\HFI443E.tmp.html

\??\c:\36072191a3d67895e1a09b62fb6df1\UiInfo.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\ParameterInfo.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1033\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1031\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1028\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1036\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1040\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1041\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1042\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\1049\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\2052\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\3082\LocalizedData.xml

\??\c:\36072191a3d67895e1a09b62fb6df1\SetupUi.dll

\??\c:\36072191a3d67895e1a09b62fb6df1\SetupUi.xsd

\??\c:\36072191a3d67895e1a09b62fb6df1\1033\SetupResources.dll

\??\c:\36072191a3d67895e1a09b62fb6df1\Strings.xml

memory/4460-97-0x0000000002C40000-0x0000000002C41000-memory.dmp

\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\setup.ico

\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\stop.ico

\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\print.ico

\??\c:\36072191a3d67895e1a09b62fb6df1\graphics\save.ico

memory/4460-102-0x0000000002C40000-0x0000000002C41000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240215-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\music_NightOfChaos.ogg"

Network

N/A

Files

memory/2348-5-0x000000013F8E0000-0x000000013F9D8000-memory.dmp

memory/2348-6-0x000007FEF8550000-0x000007FEF8584000-memory.dmp

memory/2348-7-0x000007FEF6500000-0x000007FEF67B4000-memory.dmp

memory/2348-8-0x000007FEFBA60000-0x000007FEFBA78000-memory.dmp

memory/2348-9-0x000007FEFB2B0000-0x000007FEFB2C7000-memory.dmp

memory/2348-10-0x000007FEF8530000-0x000007FEF8541000-memory.dmp

memory/2348-11-0x000007FEF7750000-0x000007FEF7767000-memory.dmp

memory/2348-12-0x000007FEF7730000-0x000007FEF7741000-memory.dmp

memory/2348-13-0x000007FEF7710000-0x000007FEF772D000-memory.dmp

memory/2348-14-0x000007FEF6C20000-0x000007FEF6C31000-memory.dmp

memory/2348-15-0x000007FEF6300000-0x000007FEF6500000-memory.dmp

memory/2348-16-0x000007FEF6BE0000-0x000007FEF6C1F000-memory.dmp

memory/2348-19-0x000007FEF6B90000-0x000007FEF6BA8000-memory.dmp

memory/2348-24-0x000007FEF5210000-0x000007FEF5221000-memory.dmp

memory/2348-27-0x000007FEF5150000-0x000007FEF51B7000-memory.dmp

memory/2348-29-0x000007FEF50C0000-0x000007FEF50D1000-memory.dmp

memory/2348-30-0x000007FEF5060000-0x000007FEF50BC000-memory.dmp

memory/2348-28-0x000007FEF50E0000-0x000007FEF514F000-memory.dmp

memory/2348-26-0x000007FEF51C0000-0x000007FEF51F0000-memory.dmp

memory/2348-31-0x000007FEF4EE0000-0x000007FEF5058000-memory.dmp

memory/2348-32-0x000007FEF4EC0000-0x000007FEF4ED7000-memory.dmp

memory/2348-25-0x000007FEF51F0000-0x000007FEF5208000-memory.dmp

memory/2348-33-0x000007FEFB2A0000-0x000007FEFB2B0000-memory.dmp

memory/2348-23-0x000007FEF5230000-0x000007FEF524B000-memory.dmp

memory/2348-34-0x000007FEF4E90000-0x000007FEF4EBF000-memory.dmp

memory/2348-35-0x000007FEF4E70000-0x000007FEF4E81000-memory.dmp

memory/2348-36-0x000007FEF4E50000-0x000007FEF4E66000-memory.dmp

memory/2348-22-0x000007FEF6B30000-0x000007FEF6B41000-memory.dmp

memory/2348-21-0x000007FEF6B50000-0x000007FEF6B61000-memory.dmp

memory/2348-37-0x000007FEF4D80000-0x000007FEF4E45000-memory.dmp

memory/2348-40-0x000007FEF4D00000-0x000007FEF4D12000-memory.dmp

memory/2348-39-0x000007FEF4D20000-0x000007FEF4D31000-memory.dmp

memory/2348-38-0x000007FEF4D60000-0x000007FEF4D75000-memory.dmp

memory/2348-20-0x000007FEF6B70000-0x000007FEF6B81000-memory.dmp

memory/2348-18-0x000007FEF6BB0000-0x000007FEF6BD1000-memory.dmp

memory/2348-17-0x000007FEF5250000-0x000007FEF62FB000-memory.dmp

memory/2348-41-0x000007FEF4B80000-0x000007FEF4CFA000-memory.dmp

memory/2348-42-0x000007FEF4B60000-0x000007FEF4B73000-memory.dmp

memory/2348-43-0x000007FEF4B40000-0x000007FEF4B54000-memory.dmp

memory/2348-44-0x000007FEF4B20000-0x000007FEF4B31000-memory.dmp

memory/2348-45-0x000007FEF4B00000-0x000007FEF4B11000-memory.dmp

memory/2348-46-0x000007FEF4AE0000-0x000007FEF4AF1000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\options.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\options.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A
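
The "Opens file in notepad (likely ransom note)" signature in behavioral28 fires on any file handed to Notepad. Here the command line is the sandbox itself launching NOTEPAD.EXE on options.ini from the extracted archive, nothing was written during the run (Files: N/A), and the name is not note-like, so the signature carries no weight on its own. The Python below is an added triage helper for that case, not part of this report or of the sandbox: it extracts the opened path, checks whether the file came from the submitted archive or was dropped at runtime, and applies a filename/extension heuristic. The name fragments, the extension list, the sample-root path and the second (dropped-note) command line are constructed assumptions for illustration; the first command line is copied from the report.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Name fragments often seen in ransom-note filenames (assumed heuristic list, not from the report).
NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how[_ -]?to|ransom|unlock)", re.I)
# Extensions ransom notes are usually written in (assumed).
NOTE_EXTS = {".txt", ".hta", ".html", ".htm"}

# "<notepad> <file>" with either token optionally quoted.
_CMD_RE = re.compile(r'^\s*"?(?P<exe>[^"]*?notepad\.exe)"?\s+"?(?P<target>[^"]+?)"?\s*$', re.I)


def notepad_target(cmdline: str) -> str:
    """Return the path Notepad was asked to open, or raise if this is not a Notepad launch."""
    m = _CMD_RE.match(cmdline)
    if not m:
        raise ValueError(f"not a notepad command line: {cmdline!r}")
    return m.group("target")


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies below root' check for Windows paths."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def triage_notepad_open(cmdline: str, sample_root: str, dropped_by_sample: set[str]) -> dict:
    """Decide whether a Notepad launch looks like a ransom note being displayed.

    sample_root       - directory the submitted archive was extracted to
    dropped_by_sample - paths the report lists as written by sample processes
    """
    target = notepad_target(cmdline)
    p = PureWindowsPath(target)
    dropped = target.lower() in {d.lower() for d in dropped_by_sample}
    in_archive = _under(target, sample_root)
    name_hit = bool(NOTE_NAME_RE.search(p.stem))
    ext_hit = p.suffix.lower() in NOTE_EXTS

    reasons = []
    if in_archive:
        reasons.append("file was shipped inside the submitted archive, not created at runtime")
    if dropped:
        reasons.append("file was written by a sample process during detonation")
    if name_hit:
        reasons.append(f"filename {p.name!r} matches ransom-note naming")
    if ext_hit:
        reasons.append(f"extension {p.suffix!r} is typical for a note")

    if dropped and (name_hit or ext_hit):
        verdict = "ransom-note-candidate"
    elif name_hit and not in_archive:
        verdict = "review"
    else:
        verdict = "benign-open"
    return {"target": target, "verdict": verdict, "reasons": reasons}


# Command line as shown for behavioral28: the sandbox launched Notepad directly.
REPORT_CMDLINE = r"C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\options.ini"
SAMPLE_ROOT = r"C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019"

# Constructed counter-example (not from the report): a note dropped on the desktop by the sample.
CONSTRUCTED_NOTE = r"C:\Users\Admin\Desktop\HOW_TO_DECRYPT.txt"
CONSTRUCTED_CMDLINE = f'"C:\\Windows\\notepad.exe" "{CONSTRUCTED_NOTE}"'

if __name__ == "__main__":
    for cmd, dropped in ((REPORT_CMDLINE, set()), (CONSTRUCTED_CMDLINE, {CONSTRUCTED_NOTE})):
        r = triage_notepad_open(cmd, SAMPLE_ROOT, dropped)
        print(r["verdict"], "-", r["target"])
        for why in r["reasons"]:
            print("   ", why)
```

Run against the behavioral28 command line the verdict is "benign-open" with the single reason that the file came from the archive; the constructed desktop note, listed as dropped, comes back as "ransom-note-candidate". The dropped-file set is the input a practitioner must fill from the report's Files sections; without it the heuristic deliberately stays at "review" even for note-like names.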

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\steam_api.dll,#1

Network

N/A

Files

N/A
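
behavioral31 shows the 64-bit C:\Windows\system32\rundll32.exe (PID 2604) starting C:\Windows\SysWOW64\rundll32.exe (PID 2512) with the same arguments and writing into it seven times. That is the pattern rundll32 produces when the DLL it is asked to load is a 32-bit image: the 64-bit host cannot load it and re-launches the 32-bit rundll32 from SysWOW64. A parent writing into a child it has just created is part of normal process creation on Windows (the process parameters and environment are written into the new process), so the WriteProcessMemory signature by itself is not evidence of injection. The page does not state steam_api.dll's bitness; the SysWOW64 child is consistent with a 32-bit DLL. The Python below is an added check, not part of the report or the sandbox: it reads the COFF Machine field of a PE image to predict which rundll32 will end up hosting it, and labels a parent/child rundll32 pair from the report accordingly. The two images are constructed stubs carrying only the headers the check needs.

```python
from __future__ import annotations

import struct
from pathlib import PureWindowsPath

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64

SYSTEM32_RUNDLL32 = r"C:\Windows\system32\rundll32.exe"
SYSWOW64_RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field: DOS header -> e_lfanew -> PE signature -> Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def rundll32_host(dll: bytes) -> str:
    """Which rundll32 ends up loading this DLL on 64-bit Windows."""
    machine = pe_machine(dll)
    if machine == IMAGE_FILE_MACHINE_I386:
        return SYSWOW64_RUNDLL32  # the 64-bit host re-launches the 32-bit one
    if machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_ARM64):
        return SYSTEM32_RUNDLL32
    raise ValueError(f"unexpected machine type 0x{machine:04x}")


def classify_rundll32_pair(parent: str, child: str, dll: bytes) -> str:
    """Label a parent->child rundll32 spawn such as the one in the WriteProcessMemory rows."""
    p, c = PureWindowsPath(parent), PureWindowsPath(child)
    if p.name.lower() != "rundll32.exe" or c.name.lower() != "rundll32.exe":
        return "not-a-rundll32-pair"
    wow64_relaunch = p.parent.name.lower() == "system32" and c.parent.name.lower() == "syswow64"
    if wow64_relaunch and rundll32_host(dll) == SYSWOW64_RUNDLL32:
        return "expected-wow64-relaunch"
    return "unexpected-spawn"


def stub_pe(machine: int) -> bytes:
    """Constructed minimal image: 0x40-byte DOS header with e_lfanew=0x40, PE signature, 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-ins; the real steam_api.dll is not reproduced on the page.
DLL32 = stub_pe(IMAGE_FILE_MACHINE_I386)
DLL64 = stub_pe(IMAGE_FILE_MACHINE_AMD64)

if __name__ == "__main__":
    print(classify_rundll32_pair(SYSTEM32_RUNDLL32, SYSWOW64_RUNDLL32, DLL32))  # expected-wow64-relaunch
    print(classify_rundll32_pair(SYSTEM32_RUNDLL32, SYSWOW64_RUNDLL32, DLL64))  # unexpected-spawn
```

To apply this to the real sample, pass the bytes of steam_api.dll from the extracted archive to classify_rundll32_pair with the parent and child paths from the WriteProcessMemory rows; a system32 to SysWOW64 hop with a 32-bit DLL is the expected outcome, anything else is worth a closer look at the child.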

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

152s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe N/A

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019.rar"

C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnregisterEnter.mp2"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\7zOC8A7A548\Cat Goes Fishing.exe

MD5 906f75296beed2234b5488f8199fc75b
SHA1 f9371f6f24a40594dcf4b96585a9f4033a70e59e
SHA256 fab76ae5f809e690fe130857a266d822b772e91f829781a09c11b4c380b5889c
SHA512 4d156e3429ea1eb372ace4c4fd0e708b15afc99aac4c7b2b214ac74df31d8e055bdc644dac173a125f161a179c33d8f58ad33e633d101fb5fa894c6c08a8cc5f

memory/1532-59-0x000000013F6F0000-0x000000013F7E8000-memory.dmp

memory/1532-60-0x000007FEF7A50000-0x000007FEF7A84000-memory.dmp

memory/1532-61-0x000007FEF55C0000-0x000007FEF5874000-memory.dmp

memory/1532-62-0x000007FEF4310000-0x000007FEF53BB000-memory.dmp

memory/1532-63-0x000007FEF3810000-0x000007FEF3922000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win7-20240221-en

Max time kernel

117s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.cfg C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.cfg\ = "cfg_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 bee64e69a532ffa6fc043a94e54f4b06
SHA1 397d15983d5e0e289f23a7713cf3a12711fba72c
SHA256 954f9866a6d4d7655d95bea87354fdae824d1bf66f7effb109bc905432840f92
SHA512 c7037c1dbd84464a77a7ed5a2a6a448abe01b9e06a489980ac10fc127636cb0a93f39735604a1f105f2601cdb81099462861cd58ec2974cf9f34077f9a943e94
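
In behavioral11 the .cfg file has no registered handler, so cmd /c hands it to shell32's OpenAs_RunDLL (the Open With dialog) and the analyst or sandbox picks Adobe Reader. The "Modifies registry class" rows are that dialog recording the choice: Windows names the ProgID it creates for an unknown extension <ext>_auto_file, and every write comes from rundll32.exe hosting shell32, not from the sample. The Python below is an added helper, not part of this report or of the sandbox, that parses those rows and rebuilds the extension-to-handler association so the origin of the change is explicit. The row text is copied from the behavioral11 table; the list of shell helper processes and the origin labels are this helper's own assumptions.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Rows copied from the "Modifies registry class" table of behavioral11, one per line.
REPORT_ROWS = r"""
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.cfg C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\cfg_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.cfg\ = "cfg_auto_file" C:\Windows\system32\rundll32.exe N/A
"""

# Row shapes: 'Set value (type) <key>\ = "<escaped value>" <proc> <target>',
#             'Set value (type) <key>\ <proc> <target>'  (no value shown),
#             'Key created <key> <proc> <target>'        (key may contain spaces).
_SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?)\\ = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$')
_SET_NOVAL_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?)\\ (?P<proc>\S+) (?P<target>\S+)$')
_KEY_RE = re.compile(r'^Key created (?P<key>.+) (?P<proc>\S+) (?P<target>\S+)$')

_EXT_RE = re.compile(r"_classes\\(?P<ext>\.[^\\]+)$", re.I)
_CMD_KEY_RE = re.compile(r"_classes\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$", re.I)

# Processes that write these keys on the user's behalf via the Open With UI (assumed list).
SHELL_HELPERS = {"rundll32.exe", "openwith.exe", "explorer.exe"}


def _unescape(value: str) -> str:
    """The report shows values with \\ and \" escaped; undo that."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_rows(text: str) -> list[dict]:
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            events.append({"op": "set", "key": m["key"], "value": _unescape(m["value"]), "proc": m["proc"]})
            continue
        m = _SET_NOVAL_RE.match(line)
        if m:
            events.append({"op": "set", "key": m["key"], "value": None, "proc": m["proc"]})
            continue
        m = _KEY_RE.match(line)
        if m:
            events.append({"op": "create", "key": m["key"], "value": None, "proc": m["proc"]})
            continue
        raise ValueError(f"unparsed row: {line!r}")
    return events


def rebuild_associations(events: list[dict]) -> dict:
    """Map extension -> {progid, verbs, writers, origin} from the registry events."""
    progids: dict[str, dict] = {}
    ext_to_progid: dict[str, tuple[str, str]] = {}
    for ev in events:
        if ev["op"] != "set":
            continue
        m = _EXT_RE.search(ev["key"])
        if m and ev["value"]:
            ext_to_progid[m["ext"].lower()] = (ev["value"], ev["proc"])
            continue
        m = _CMD_KEY_RE.search(ev["key"])
        if m:
            entry = progids.setdefault(m["progid"], {"verbs": {}, "writers": set()})
            entry["verbs"][m["verb"]] = ev["value"]
            entry["writers"].add(ev["proc"])
    result = {}
    for ext, (progid, writer) in ext_to_progid.items():
        entry = progids.get(progid, {"verbs": {}, "writers": set()})
        writers = {PureWindowsPath(w).name.lower() for w in entry["writers"] | {writer}}
        # An <ext>_auto_file ProgID written only by shell helpers is the Open With dialog at work.
        origin = "open-with-dialog" if progid.lower().endswith("_auto_file") and writers <= SHELL_HELPERS else "review"
        result[ext] = {"progid": progid, "verbs": dict(entry["verbs"]), "writers": sorted(writers), "origin": origin}
    return result


if __name__ == "__main__":
    for ext, info in rebuild_associations(parse_rows(REPORT_ROWS)).items():
        print(ext, "->", info["progid"], info["origin"])
        for verb, cmd in info["verbs"].items():
            print("   ", verb, ":", cmd)
```

For behavioral11 this yields .cfg -> cfg_auto_file with a Read verb of "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1", written solely by rundll32.exe, hence origin open-with-dialog. The same rows written by a process launched from the sample, or a ProgID that is not an _auto_file, would come back as review, which is the case worth reading as a persistence or hijack attempt.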

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-02 22:39

Reported

2024-03-02 22:43

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cat.Goes.Fishing.v13.11.2019\Profile\IGGGAMES\SteamUserID.cfg

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 170.253.116.51.in-addr.arpa udp

Files

N/A
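
The Network tables of behavioral28 and behavioral12 are almost entirely the Windows 10 image talking to itself: PTR lookups against 8.8.8.8 (one of them for the g.bing.com address the guest had just connected to), Bing and the Edge extension store, and a few TCP connections for which the sandbox records no hostname at all. Nothing on the page ties any of that traffic to the sample. The Python below is an added triage helper, not part of the report or the sandbox: it parses the flattened rows (three fields when no domain was captured, four otherwise), sorts each into a category, turns PTR names back into addresses so they can be matched against the TCP destinations, and lists what is left for manual review. The rows are copied from the behavioral28 table; the background-host list is this helper's assumption, not a statement the report makes.

```python
from __future__ import annotations

import re

# Hostnames treated as image background traffic (assumed; the report does not attribute them).
BACKGROUND_HOSTS = {"g.bing.com", "chromewebstore.googleapis.com"}

_DEST_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")
_PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def parse_network_rows(text: str) -> list[dict]:
    """Rows are 'Country Destination [Domain] Proto'; Domain is absent when no name was captured."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unparsed row: {line!r}")
        m = _DEST_RE.match(dest)
        if not m:
            raise ValueError(f"bad destination: {dest!r}")
        rows.append({"country": country, "dest": dest, "ip": m["ip"], "port": int(m["port"]),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'173.178.17.96.in-addr.arpa' -> '96.17.178.173'; None for anything that is not a PTR name."""
    m = _PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def classify(row: dict) -> str:
    domain = row["domain"]
    if row["proto"] == "udp" and row["port"] == 53:
        return "ptr-lookup" if domain and ptr_to_ip(domain) else "dns-query"
    if domain and domain.lower() in BACKGROUND_HOSTS:
        return "image-background"
    if domain is None:
        return "unattributed"   # connection with no captured hostname
    return "review"             # named destination not on the background list


def triage(text: str) -> dict:
    rows = parse_network_rows(text)
    for r in rows:
        r["category"] = classify(r)
    looked_up = {ptr_to_ip(r["domain"]) for r in rows if r["category"] == "ptr-lookup"}
    connections = [r for r in rows if r["proto"] == "tcp"]
    for r in connections:
        r["ptr_seen"] = r["ip"] in looked_up   # did the guest reverse-resolve this peer?
    counts: dict[str, int] = {}
    for r in rows:
        counts[r["category"]] = counts.get(r["category"], 0) + 1
    return {
        "counts": counts,
        "needs_review": sorted(r["dest"] for r in rows if r["category"] in ("unattributed", "review")),
        "connections": connections,
    }


# Rows copied from the Network table of behavioral28.
BEHAVIORAL28 = """
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
"""

if __name__ == "__main__":
    result = triage(BEHAVIORAL28)
    print(result["counts"])
    print("review:", result["needs_review"])
    for c in result["connections"]:
        print(c["dest"], c["domain"] or "-", c["category"], "ptr_seen=%s" % c["ptr_seen"])
```

On the behavioral28 rows this leaves two destinations for review, 52.111.243.29:443 and 52.142.223.178:80, both without a captured name and without a matching PTR lookup; the g.bing.com connection is paired with the PTR query for 204.79.197.200. The same function run on the behavioral12 table leaves 13.107.253.64:443. Whether those addresses belong to the platform's own services is something the report does not say and the helper does not guess; they are simply the rows a reviewer has to resolve by other means.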