hxxps://cdn[.]discordapp[.]com/attachments/1233411619078279248/1234166922568929280/CatalystInDev_0[.]1[.]zip?ex=664e1184&is=664cc004&hm=ec83d824e06fd1f0661a9a56a855348cc2d266cfc77cf91d21894df10a8b9b90&

Analysis

max time kernel
81s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1233411619078279248/1234166922568929280/CatalystInDev_0.1.zip?ex=664e1184&is=664cc004&hm=ec83d824e06fd1f0661a9a56a855348cc2d266cfc77cf91d21894df10a8b9b90&

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Catalyst.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Catalyst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Catalyst.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Catalyst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Catalyst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Catalyst.exe

Executes dropped EXE 2 IoCs

Processes:

Catalyst.exeCatalyst_InDev0.1.exe

pid process

5452 Catalyst.exe
5684 Catalyst_InDev0.1.exe

pid	process
5452	Catalyst.exe
5684	Catalyst_InDev0.1.exe

Loads dropped DLL 20 IoCs

Processes:

Catalyst_InDev0.1.exe

pid	process
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe	themida
behavioral1/memory/5452-102-0x00007FF619150000-0x00007FF61A51F000-memory.dmp	themida
behavioral1/memory/5452-103-0x00007FF619150000-0x00007FF61A51F000-memory.dmp	themida
behavioral1/memory/5452-104-0x00007FF619150000-0x00007FF61A51F000-memory.dmp	themida
behavioral1/memory/5452-183-0x00007FF619150000-0x00007FF61A51F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Catalyst.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Catalyst.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

55 raw.githubusercontent.com
56 raw.githubusercontent.com
53 raw.githubusercontent.com
54 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Catalyst.exe

pid process

5452 Catalyst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Catalyst.exe

flow	ioc
55	raw.githubusercontent.com
56	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com

pid	process
5452	Catalyst.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeCatalyst_InDev0.1.exe

pid	process
1108	msedge.exe
1108	msedge.exe
4696	msedge.exe
4696	msedge.exe
4168	identity_helper.exe
4168	identity_helper.exe
4388	msedge.exe
4388	msedge.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe
5684	Catalyst_InDev0.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe
4696 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zG.exeCatalyst_InDev0.1.exe

description	pid	process
Token: SeRestorePrivilege	5244	7zG.exe
Token: 35	5244	7zG.exe
Token: SeSecurityPrivilege	5244	7zG.exe
Token: SeSecurityPrivilege	5244	7zG.exe
Token: SeDebugPrivilege	5684	Catalyst_InDev0.1.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe7zG.exe

pid	process
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
5244	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4696 wrote to memory of 2252	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2252	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1480	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1108	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 1108	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe
PID 4696 wrote to memory of 2352	4696	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1233411619078279248/1234166922568929280/CatalystInDev_0.1.zip?ex=664e1184&is=664cc004&hm=ec83d824e06fd1f0661a9a56a855348cc2d266cfc77cf91d21894df10a8b9b90&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6b7d46f8,0x7ffd6b7d4708,0x7ffd6b7d4718
2⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
2⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
2⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
2⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,1441803369321123304,13499943497772240015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
2⤵
PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3040

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CatalystInDev_0.1\" -ad -an -ai#7zMap1796:96:7zEvent9722
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5244

C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe
"C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5452

C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\Catalyst_InDev0.1.exe
"C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
3⤵
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:5140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f448ec43c87c44f1108069ab88951252

SHA1
68995b3c24243afcaced32c9fb66c1683a8d0701

SHA256
f41c783f1390eff699667ecd0bb7e9e1389ea214dd76bcfbeb32c13c7675212b

SHA512
dbda74c31c0cec8148c8313e811016a4cbdd51faadfefef5c7456dd6a84aa824ad6b36644eb370ce0710cff4b6b53fc17ea795423191eb062061c26e2d62df6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8c444d18e444074c5851c258a97c577a

SHA1
0a608b0b4f7a0617d469138d4151c0928d301515

SHA256
5df1a1c1c1b0b52990758bf4531d9d5283c50b6e04aae1342fb836764dafae7a

SHA512
16cb78741c8934373f9f51240f120a74de79aa8a3853b5e51122b023e1d23ee0a878a0a9bc5f38cab49aba7b088859b59ae3cd4894f237bfb242fd069488c02d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7a1bc810649c62ed46f790eb7c483719

SHA1
3239cd59000ebfe7acdea9fed19e4de9e9944955

SHA256
6b589a9547b3f4e9f9637e4cbf610679a42e6cd02448045811c0baf3ba368fa9

SHA512
b4375a53b685f99f84ecd96884498a9a3f3b2dcd55615f6accb5e1588c122a07202cd6861049d7bf423c932d02c00311f8bc28fca949e1869ea5eb7b12adcfa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
75f347ed6f8885f23fb064f44b1370b3

SHA1
d94de3d1bcb78221b4eae0dffd4c8ac58cd6673a

SHA256
e181b47e06d9ad34367faa78c5f285b65f2d98eaacc088d3e4a445954d810ff2

SHA512
fd0bf295e498a5493be29f93b8b40ab7559b081d55e5df03b57481c3e9f4d339ea27bb73fb0ea43001cd705e38f82b96f62f8e66687bf1991b6580ac6e2165c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd
Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll
Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll
Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll
Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd
Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd
Filesize
512KB

MD5
dc08f04c9e03452764b4e228fc38c60b

SHA1
317bcc3f9c81e2fc81c86d5a24c59269a77e3824

SHA256
b990efbda8a50c49cd7fde5894f3c8f3715cb850f8cc4c10bc03fd92e310260f

SHA512
fbc24dd36af658cece54be14c1118af5fda4e7c5b99d22f99690a1fd625cc0e8aa41fd9accd1c74bb4b03d494b6c3571b24f2ee423aaae9a5ad50adc583c52f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\Catalyst_InDev0.1.exe
Filesize
18.9MB

MD5
a741156268d6ab6453764be886311f4f

SHA1
3bb0602428b38ffbc87d3862f690a3bbdae8f8ce

SHA256
d4a362825a355126eafd5fba2795722948bb6215456415d9ae9ef05f09c2cb6c

SHA512
48cd06115b888f47c20bbeaed584a2c9f61b12e3cef5f61f3165f3dfa92b580f9992c70608c1224024c3379437366fa54404096ea3ab37cfca79a81bb8fb4a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\_queue.pyd
Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\charset_normalizer\md.pyd
Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\python3.dll
Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\python311.dll
Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\select.pyd
Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5452_133608119655640067\unicodedata.pyd
Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\Downloads\CatalystInDev_0.1.zip
Filesize
14.4MB

MD5
6b112c76ce355029b96e313a95a24d68

SHA1
97a99cce899342920f27b7eb05aab4f119ae25e9

SHA256
d001c2b60e136d3805c2d86802158d3219d4f3952436e19191690d88fb39f638

SHA512
4071a0f923bf1283f4e694e7aacdd69f6fa075c6904dc2ccef0c31977f694468ed0beea024d3d14d4c1b5779141ac2a88727c837ad1370cb395d0f5eff2081af

Download Submit
C:\Users\Admin\Downloads\CatalystInDev_0.1\Catalyst.exe
Filesize
14.0MB

MD5
b765109a6a7d339473b61ab9a759aa0e

SHA1
ade52ded8366094eee9d2a5827bfe45b3b7a977b

SHA256
b5e63f3bbfc75de4da25277b7a9fa0b650e8e2bc72c2af0087bd09698a9d098d

SHA512
ff813e628761d8ac3ee433fcf40dfaac26dd25ae7ac5ce1680c851e4dc9c69398590007043e2eebe5da0e407c917320cea46782bed072ed72f7d3826f868292d

Download Submit
\??\pipe\LOCAL\crashpad_4696_UFTNBCUVCHSYGLHD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5452-102-0x00007FF619150000-0x00007FF61A51F000-memory.dmp

Filesize
19.8MB

Download
memory/5452-103-0x00007FF619150000-0x00007FF61A51F000-memory.dmp

Filesize
19.8MB

Download
memory/5452-183-0x00007FF619150000-0x00007FF61A51F000-memory.dmp

Filesize
19.8MB

Download
memory/5452-104-0x00007FF619150000-0x00007FF61A51F000-memory.dmp

Filesize
19.8MB

Download
memory/5684-184-0x00007FF648DC0000-0x00007FF64A0F2000-memory.dmp

Filesize
19.2MB

Download
memory/5684-220-0x00007FF648DC0000-0x00007FF64A0F2000-memory.dmp

Filesize
19.2MB

Download