c588680b751d0c61e0cb068db13b7866d220bbf342e81ea9802939e167f5db29

Resubmissions

08/06/2024, 17:43

240608-wa3sgseg52 3

08/06/2024, 17:38

240608-v7qzhseg38 7

Analysis

max time kernel
118s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Catto Boi The Quest for the Frozen Tuna (04)/data/hooks/catto.hook
Size

8B
MD5

b6ccb4ece5454dcae51778b3e239ebc2
SHA1

fae77458b7b33db3051840be61ddb131470bb961
SHA256

ccd758e72a8a8cb5f140bab26837f363908550f2558ed86d229ec9016fed49b9
SHA512

de4c2ff99fb34242646a324885db79ca9ef82a5f4b36c657b83ecf6931c008de87b6daf99a1c46336f36687d0ab1fc9b91f5bc07e7c3913bec3844993fd2fbad

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.hook	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.hook\ = "hook_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\hook_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\hook_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\hook_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\hook_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\hook_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\hook_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	AcroRd32.exe
2032	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2832	2320	cmd.exe	29
PID 2320 wrote to memory of 2832	2320	cmd.exe	29
PID 2320 wrote to memory of 2832	2320	cmd.exe	29
PID 2832 wrote to memory of 2032	2832	rundll32.exe	30
PID 2832 wrote to memory of 2032	2832	rundll32.exe	30
PID 2832 wrote to memory of 2032	2832	rundll32.exe	30
PID 2832 wrote to memory of 2032	2832	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Catto Boi The Quest for the Frozen Tuna (04)\data\hooks\catto.hook"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Catto Boi The Quest for the Frozen Tuna (04)\data\hooks\catto.hook
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Catto Boi The Quest for the Frozen Tuna (04)\data\hooks\catto.hook"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3f0322d500624d4b814f354dcdac3c90

SHA1
f433ada3be0a15357a12f3e090e7286a5b10cf31

SHA256
c74435c7e489b4cd310065e1565cd1837a7a7dd7ce343e3396662137cf5fc79e

SHA512
9fa3d8d2890b069a447b1457856c60b8a0fbb4b6619af39b4f5bca631479f202bbe219155b1afcc972c8df96cddbb8e0c44a4f020fd000e4da064652129992ad

Download Submit