Analysis

Max time kernel: 149s
Max time network: 135s
Platform: windows7_x64
Resource: win7-20241023-en
Resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
Submitted: 01-11-2024 23:45
Behavioral task: behavioral1
Sample: CatWare.exe
Resource: win7-20241023-en
General

Target: CatWare.exe
Size: 3.1MB
MD5: 803cc54f484ecae234df37adb1a297ae
SHA1: 1562c04da59e2394dc6d253875c34c55b44fb399
SHA256: 475d80a9c80ae084c34d321bc8d6d97a9ad8394b608f62cfa53e0b0313d6e040
SHA512: a55217a4e44001a432204d94ce0763a0819ff24dca969d202e59695499f67b4c89e64cec321afaabf13f186a94b5e426955964615e01f5ad7b49db04aa0df7d1
SSDEEP: 49152:evgt62XlaSFNWPjljiFa2RoUYIBZY3Iar70oGd9eTHHB72eh2NT:evM62XlaSFNWPjljiFXRoUYI83K
Malware Config

Extracted family: quasar
Version: 1.4.1
Tag: ratted
C2: 192.168.1.90:4782
Mutex: c88aa6bc-e16c-4a3b-b3c1-319b31585ecc
encryption_key: 0840B8A7EBCF09FE22D53C459C6E856527018552
install_name: Mapper.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Discord inc.
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (3 IoCs)
  Resource                                                                      YARA rule
  behavioral1/memory/2160-1-0x0000000000D00000-0x0000000001024000-memory.dmp    family_quasar
  behavioral1/files/0x0008000000016de8-6.dat                                    family_quasar
  behavioral1/memory/3052-9-0x0000000000DC0000-0x00000000010E4000-memory.dmp    family_quasar

Executes dropped EXE (1 IoC)
  PID    Process
  3052   Mapper.exe

Drops file in System32 directory (2 IoCs)
  Description                   IoC                                      Process
  File created                  C:\Windows\system32\SubDir\Mapper.exe    CatWare.exe
  File opened for modification  C:\Windows\system32\SubDir\Mapper.exe    CatWare.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID    Process
  2364   schtasks.exe
  2096   schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description               PID    Process
  Token: SeDebugPrivilege   2160   CatWare.exe
  Token: SeDebugPrivilege   3052   Mapper.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID    Process
  3052   Mapper.exe

Suspicious use of SendNotifyMessage (1 IoC)
  PID    Process
  3052   Mapper.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID    Process
  3052   Mapper.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                         PID    Process       Target PID
  PID 2160 wrote to memory of 2364    2160   CatWare.exe   30
  PID 2160 wrote to memory of 2364    2160   CatWare.exe   30
  PID 2160 wrote to memory of 2364    2160   CatWare.exe   30
  PID 2160 wrote to memory of 3052    2160   CatWare.exe   32
  PID 2160 wrote to memory of 3052    2160   CatWare.exe   32
  PID 2160 wrote to memory of 3052    2160   CatWare.exe   32
  PID 3052 wrote to memory of 2096    3052   Mapper.exe    33
  PID 3052 wrote to memory of 2096    3052   Mapper.exe    33
  PID 3052 wrote to memory of 2096    3052   Mapper.exe    33

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\CatWare.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CatWare.exe"
  PID: 2160
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "Discord inc." /sc ONLOGON /tr "C:\Windows\system32\SubDir\Mapper.exe" /rl HIGHEST /f
    PID: 2364
    Signatures: Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\SubDir\Mapper.exe
    Command line: "C:\Windows\system32\SubDir\Mapper.exe"
    PID: 3052
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "Discord inc." /sc ONLOGON /tr "C:\Windows\system32\SubDir\Mapper.exe" /rl HIGHEST /f
      PID: 2096
      Signatures: Scheduled Task/Job: Scheduled Task
Network

MITRE ATT&CK Enterprise v15

Downloads

Filesize: 3.1MB
MD5: 803cc54f484ecae234df37adb1a297ae
SHA1: 1562c04da59e2394dc6d253875c34c55b44fb399
SHA256: 475d80a9c80ae084c34d321bc8d6d97a9ad8394b608f62cfa53e0b0313d6e040
SHA512: a55217a4e44001a432204d94ce0763a0819ff24dca969d202e59695499f67b4c89e64cec321afaabf13f186a94b5e426955964615e01f5ad7b49db04aa0df7d1