c588680b751d0c61e0cb068db13b7866d220bbf342e81ea9802939e167f5db29

Resubmissions

08/06/2024, 17:43

240608-wa3sgseg52 3

08/06/2024, 17:38

240608-v7qzhseg38 7

Analysis

max time kernel
109s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Catto Boi The Quest for the Frozen Tuna (04)/data/exe/666.exe
Size

11.0MB
MD5

18dca83e64850e0c1b7f59bbb451ae66
SHA1

fcf49020b5aa1fbc587d1145b85c476917fd511f
SHA256

cef35d45c1b59f7e6e012e062fc42d4ac50a0587a894e85516c637beda7e4c79
SHA512

710826e51dbdbf5b7d156963590d10b1b7773beb95cc0ba6902b45c210ce828fe3d877a1e97419af6184a5e7bc243ba9c096916a9c2b0b40e242c196c76ff346
SSDEEP

196608:qMlbs5/EJmT7YUXyp0dT5nhJemCzIAqThA4RyvOBRqlQb:qYY/EoT0+dT5hAmxhThACqlC

Score

7^/10

ransomware

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	666.exe

Loads dropped DLL 1 IoCs

pid	Process
4376	666.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gm_ttt_10093\\smile.jpg"	666.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 5 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\control panel\desktop	666.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\stretchwallpaper = "0"	666.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\TileWallpaper = "0"	666.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\wallpaperstyle = "2"	666.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\desktop	666.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\stretchwallpaper = "0"	666.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	666.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\wallpaperstyle = "2"	666.exe
Key created	\REGISTRY\USER\.default\Control Panel\desktop	666.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gm_ttt_10093\\smile.jpg"	666.exe
Key created	\REGISTRY\USER\.default\control panel\desktop	666.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5340	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4376	666.exe
4376	666.exe
4376	666.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4088	4376	666.exe	84
PID 4376 wrote to memory of 4088	4376	666.exe	84
PID 4376 wrote to memory of 4088	4376	666.exe	84

C:\Users\Admin\AppData\Local\Temp\Catto Boi The Quest for the Frozen Tuna (04)\data\exe\666.exe
"C:\Users\Admin\AppData\Local\Temp\Catto Boi The Quest for the Frozen Tuna (04)\data\exe\666.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" user32.dll, UpdatePerUserSystemParameters
  2⤵
  PID:4088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact