Analysis

- max time kernel: 141s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 29-07-2024 11:33
Static task: static1

Behavioral tasks (task | sample | resource):

behavioral1  | CatrinePerm/CatrinePerm.exe | win7-20240704-en
behavioral2  | CatrinePerm/CatrinePerm.exe | win10v2004-20240709-en
behavioral3  | CatrinePerm/CatrinePerm.exe | win7-20240705-en
behavioral4  | CatrinePerm/CatrinePerm.exe | win10v2004-20240709-en
behavioral5  | f_000004.js | win7-20240704-en
behavioral6  | f_000004.js | win10v2004-20240704-en
behavioral7  | f_00001c.js | win7-20240705-en
behavioral8  | f_00001c.js | win10v2004-20240709-en
behavioral9  | CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js | win7-20240704-en
behavioral10 | CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js | win10v2004-20240709-en
behavioral11 | CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js | win7-20240705-en
behavioral12 | CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js | win10v2004-20240709-en
behavioral13 | CatrinePerm/ControlzEx.dll | win7-20240708-en
behavioral14 | CatrinePerm/ControlzEx.dll | win10v2004-20240709-en
behavioral15 | CatrinePerm/DiscordRPC.dll | win7-20240708-en
behavioral16 | CatrinePerm/DiscordRPC.dll | win10v2004-20240709-en
behavioral17 | CatrinePerm/MahApps.Metro.dll | win7-20240704-en
behavioral18 | CatrinePerm/MahApps.Metro.dll | win10v2004-20240709-en
behavioral19 | CatrinePerm/Microsoft.Web.WebView2.Core.dll | win7-20240704-en
behavioral20 | CatrinePerm/Microsoft.Web.WebView2.Core.dll | win10v2004-20240709-en
behavioral21 | CatrinePerm/Microsoft.Web.WebView2.WinForms.dll | win7-20240708-en
behavioral22 | CatrinePerm/Microsoft.Web.WebView2.WinForms.dll | win10v2004-20240709-en
behavioral23 | CatrinePerm/Microsoft.Web.WebView2.Wpf.dll | win7-20240704-en
behavioral24 | CatrinePerm/Microsoft.Web.WebView2.Wpf.dll | win10v2004-20240709-en
behavioral25 | CatrinePerm/Microsoft.Xaml.Behaviors.dll | win7-20240704-en
behavioral26 | CatrinePerm/Microsoft.Xaml.Behaviors.dll | win10v2004-20240709-en
behavioral27 | CatrinePerm/Newtonsoft.Json.dll | win7-20240705-en
behavioral28 | CatrinePerm/Newtonsoft.Json.dll | win10v2004-20240709-en
behavioral29 | Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe | win7-20240704-en
behavioral30 | Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe | win10v2004-20240709-en
behavioral31 | CatrinePerm/SevenZipSharp.dll | win7-20240704-en
behavioral32 | CatrinePerm/SevenZipSharp.dll | win10v2004-20240709-en
General

- Target: Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe
- Size: 16.8MB
- MD5: ab0d159cbe7e1f7f9adea455506f73b1
- SHA1: a780054d4721e433387091233fd16c67ecbf3bec
- SHA256: 21a5b0e1ab9d88eec56dcd1c2ff050742d73e87325922e0840502d211b77b22a
- SHA512: a28fb07060a33405a3d26d92c6479f77e4c403092b71471d0516cb4a431d2af55e48740c14622c6353066f53945ae8185aafb15f15b643ac4254dd26dd157ddc
- SSDEEP: 393216:LwA1pdJwTb+1yXa+v5wfFUSwwV6YWlw9Muo4O9W3XfCX5wRIa4o:MADdJYVNCtUS1VWlwa4O2Xfs5O4o
Malware Config

Signatures

- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  2224 | RevoUninProSetup.tmp

- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  2480 | RevoUninProSetup.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RevoUninProSetup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RevoUninProSetup.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe

- Kills process with taskkill (1 IoCs)
  Processes (pid | process):
  2820 | taskkill.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2820 | taskkill.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 2480 wrote to memory of 2224 | 2480 | RevoUninProSetup.exe | RevoUninProSetup.tmp
  PID 2480 wrote to memory of 2224 | 2480 | RevoUninProSetup.exe | RevoUninProSetup.tmp
  PID 2480 wrote to memory of 2224 | 2480 | RevoUninProSetup.exe | RevoUninProSetup.tmp
  PID 2480 wrote to memory of 2224 | 2480 | RevoUninProSetup.exe | RevoUninProSetup.tmp
  PID 2480 wrote to memory of 2224 | 2480 | RevoUninProSetup.exe | RevoUninProSetup.tmp
  PID 2480 wrote to memory of 2224 | 2480 | RevoUninProSetup.exe | RevoUninProSetup.tmp
  PID 2480 wrote to memory of 2224 | 2480 | RevoUninProSetup.exe | RevoUninProSetup.tmp
  PID 2224 wrote to memory of 2820 | 2224 | RevoUninProSetup.tmp | taskkill.exe
  PID 2224 wrote to memory of 2820 | 2224 | RevoUninProSetup.tmp | taskkill.exe
  PID 2224 wrote to memory of 2820 | 2224 | RevoUninProSetup.tmp | taskkill.exe
  PID 2224 wrote to memory of 2820 | 2224 | RevoUninProSetup.tmp | taskkill.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Revo_Uninstaller_Pro_5.1.1\RevoUninProSetup.exe (PID 2480)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Revo_Uninstaller_Pro_5.1.1\RevoUninProSetup.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\is-61CDV.tmp\RevoUninProSetup.tmp (PID 2224)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-61CDV.tmp\RevoUninProSetup.tmp" /SL5="$400EC,16976201,196608,C:\Users\Admin\AppData\Local\Temp\Revo_Uninstaller_Pro_5.1.1\RevoUninProSetup.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe (PID 2820)
         Command line: "C:\Windows\System32\taskkill.exe" /f /im ruplp.exe
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.2MB
- MD5: fd527a16a9dd4fb499dbdaa78e1c2126
- SHA1: 91e2fa21419f53e5116235e0391ecb2a7fe8c8e0
- SHA256: ca4deef34c1b27f92b0e571d057c5a71f786181aceb07797cfd59ad0b4027baf
- SHA512: feea2a838d34d31d0053c6030866db4f9e3dad79cdd69088879912e205c465190fa29a798b41e025fef08c0d01774db107fc50d90aa0a0b8614aeb2acd0dbc9b