Analysis
- max time kernel: 109s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/06/2024, 17:38
Static task: static1

Behavioral tasks (task: sample, resource)
- behavioral1: ....rar, win7-20240221-en
- behavioral2: ....rar, win10v2004-20240508-en
- behavioral3: Catto Boi The Quest for the Frozen Tuna (04)/Catto Boi Tuna.exe, win7-20240221-en
- behavioral4: Catto Boi The Quest for the Frozen Tuna (04)/Catto Boi Tuna.exe, win10v2004-20240508-en
- behavioral5: Catto Boi The Quest for the Frozen Tuna (04)/DialogModule.dll, win7-20240508-en
- behavioral6: Catto Boi The Quest for the Frozen Tuna (04)/DialogModule.dll, win10v2004-20240426-en
- behavioral7: Catto Boi The Quest for the Frozen Tuna (04)/GMS-WinDev.dll, win7-20240221-en
- behavioral8: Catto Boi The Quest for the Frozen Tuna (04)/GMS-WinDev.dll, win10v2004-20240508-en
- behavioral9: Catto Boi The Quest for the Frozen Tuna (04)/data.win, win7-20240221-en
- behavioral10: Catto Boi The Quest for the Frozen Tuna (04)/data.win, win10v2004-20240508-en
- behavioral11: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/666.exe, win7-20240221-en
- behavioral12: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/666.exe, win10v2004-20240508-en
- behavioral13: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/SUFFER.exe, win7-20240221-en
- behavioral14: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/SUFFER.exe, win10v2004-20240226-en
- behavioral15: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/YOUARENEXT.exe, win7-20240221-en
- behavioral16: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/YOUARENEXT.exe, win10v2004-20240508-en
- behavioral17: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/mouseSpam.exe, win7-20240508-en
- behavioral18: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/mouseSpam.exe, win10v2004-20240426-en
- behavioral19: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/punish.exe, win7-20240508-en
- behavioral20: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/punish.exe, win10v2004-20240508-en
- behavioral21: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/shut.bat, win7-20240220-en
- behavioral22: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/shut.bat, win10v2004-20240508-en
- behavioral23: Catto Boi The Quest for the Frozen Tuna (04)/data/hey!.txt, win7-20240215-en
- behavioral24: Catto Boi The Quest for the Frozen Tuna (04)/data/hey!.txt, win10v2004-20240508-en
- behavioral25: Catto Boi The Quest for the Frozen Tuna (04)/data/hooks/catto.hook, win7-20240221-en
- behavioral26: Catto Boi The Quest for the Frozen Tuna (04)/data/hooks/catto.hook, win10v2004-20240226-en
- behavioral27: Catto Boi The Quest for the Frozen Tuna (04)/data/img/ico/icon.ico, win7-20240220-en
- behavioral28: Catto Boi The Quest for the Frozen Tuna (04)/data/img/ico/icon.ico, win10v2004-20240426-en
- behavioral29: Catto Boi The Quest for the Frozen Tuna (04)/data/img/ico/icon2.ico, win7-20240215-en
- behavioral30: Catto Boi The Quest for the Frozen Tuna (04)/data/img/ico/icon2.ico, win10v2004-20240508-en
- behavioral31: Catto Boi The Quest for the Frozen Tuna (04)/data/img/ico/icon3.ico, win7-20240221-en
- behavioral32: Catto Boi The Quest for the Frozen Tuna (04)/data/img/ico/icon3.ico, win10v2004-20240508-en
General
- Target: Catto Boi The Quest for the Frozen Tuna (04)/data/exe/666.exe
- Size: 11.0MB
- MD5: 18dca83e64850e0c1b7f59bbb451ae66
- SHA1: fcf49020b5aa1fbc587d1145b85c476917fd511f
- SHA256: cef35d45c1b59f7e6e012e062fc42d4ac50a0587a894e85516c637beda7e4c79
- SHA512: 710826e51dbdbf5b7d156963590d10b1b7773beb95cc0ba6902b45c210ce828fe3d877a1e97419af6184a5e7bc243ba9c096916a9c2b0b40e242c196c76ff346
- SSDEEP: 196608:qMlbs5/EJmT7YUXyp0dT5nhJemCzIAqThA4RyvOBRqlQb:qYY/EoT0+dT5hAmxhThACqlC
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (666.exe)
- Loads dropped DLL (1 IoC)
  PID 4376, 666.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gm_ttt_10093\\smile.jpg" (666.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (5 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\control panel\desktop (666.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\stretchwallpaper = "0" (666.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\TileWallpaper = "0" (666.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\wallpaperstyle = "2" (666.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\desktop (666.exe)
- Modifies data under HKEY_USERS (6 IoCs)
  Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\stretchwallpaper = "0" (666.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" (666.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\wallpaperstyle = "2" (666.exe)
  Key created: \REGISTRY\USER\.default\Control Panel\desktop (666.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gm_ttt_10093\\smile.jpg" (666.exe)
  Key created: \REGISTRY\USER\.default\control panel\desktop (666.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33, PID 5340, AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 5340, AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 4376, 666.exe (3 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4376 (666.exe) wrote to memory of PID 4088, target process id 84 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Catto Boi The Quest for the Frozen Tuna (04)\data\exe\666.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Catto Boi The Quest for the Frozen Tuna (04)\data\exe\666.exe"
  PID: 4376
  - Checks computer location settings
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" user32.dll, UpdatePerUserSystemParameters
    PID: 4088
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x150 0x508
  PID: 5340
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 484KB
  MD5: 74529599302a2e09c30b1e119a0709f2
  SHA1: 5990f60194ecafaf43340e44657d224f8d5682eb
  SHA256: edfc5f86be36c2c509e4ad6ba3742bb5b2429a56de805a99771e24fec62b076a
  SHA512: 25d1c2bc15f5d20f3d69a2c20727e4e2cbb7086aa18ec535eea2a5766302b031c12b9139467b717537300e1497102b387dcc3f53ca5ff11f5301de672efe4b07