d3ba0aafc26fb7a3d58e4e720ab05698df33efa6486fe5c51e507f4099306fc6

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

39.0MB
MD5

674c34ea3491bec6673193c5f3e78214
SHA1

b5473312a449d5e1f0dec6a9d5c46a7d06708240
SHA256

d3ba0aafc26fb7a3d58e4e720ab05698df33efa6486fe5c51e507f4099306fc6
SHA512

2d2ecb4ae7389c85d02d0a39ed64f17e75be6cbb0d55736b908f2f8d56a369d6abfdc6b7e5bf27d9752cb79c8fadefc594d2c7afea1a4a14163af3df7724bc48
SSDEEP

786432:FDlzv9s86IICalOSTcIoNT9m6Qe0RbpCiKGBAMmL32h7riJMXsMNV:a8BIXkOfo26SRbdBAFLc7riJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1056	CatLoaderv5juju.exe
1900	Bootstrapper.exe
1188	Process not Found
2796	Stub.exe

Loads dropped DLL 9 IoCs

pid	Process
692	test.exe
2072	Process not Found
1056	CatLoaderv5juju.exe
2796	Stub.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CatLoaderv5juju.exe	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2740	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2628	WMIC.exe
Token: SeSecurityPrivilege	2628	WMIC.exe
Token: SeTakeOwnershipPrivilege	2628	WMIC.exe
Token: SeLoadDriverPrivilege	2628	WMIC.exe
Token: SeSystemProfilePrivilege	2628	WMIC.exe
Token: SeSystemtimePrivilege	2628	WMIC.exe
Token: SeProfSingleProcessPrivilege	2628	WMIC.exe
Token: SeIncBasePriorityPrivilege	2628	WMIC.exe
Token: SeCreatePagefilePrivilege	2628	WMIC.exe
Token: SeBackupPrivilege	2628	WMIC.exe
Token: SeRestorePrivilege	2628	WMIC.exe
Token: SeShutdownPrivilege	2628	WMIC.exe
Token: SeDebugPrivilege	2628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2628	WMIC.exe
Token: SeRemoteShutdownPrivilege	2628	WMIC.exe
Token: SeUndockPrivilege	2628	WMIC.exe
Token: SeManageVolumePrivilege	2628	WMIC.exe
Token: 33	2628	WMIC.exe
Token: 34	2628	WMIC.exe
Token: 35	2628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2628	WMIC.exe
Token: SeSecurityPrivilege	2628	WMIC.exe
Token: SeTakeOwnershipPrivilege	2628	WMIC.exe
Token: SeLoadDriverPrivilege	2628	WMIC.exe
Token: SeSystemProfilePrivilege	2628	WMIC.exe
Token: SeSystemtimePrivilege	2628	WMIC.exe
Token: SeProfSingleProcessPrivilege	2628	WMIC.exe
Token: SeIncBasePriorityPrivilege	2628	WMIC.exe
Token: SeCreatePagefilePrivilege	2628	WMIC.exe
Token: SeBackupPrivilege	2628	WMIC.exe
Token: SeRestorePrivilege	2628	WMIC.exe
Token: SeShutdownPrivilege	2628	WMIC.exe
Token: SeDebugPrivilege	2628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2628	WMIC.exe
Token: SeRemoteShutdownPrivilege	2628	WMIC.exe
Token: SeUndockPrivilege	2628	WMIC.exe
Token: SeManageVolumePrivilege	2628	WMIC.exe
Token: 33	2628	WMIC.exe
Token: 34	2628	WMIC.exe
Token: 35	2628	WMIC.exe
Token: SeDebugPrivilege	1900	Bootstrapper.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1056	692	test.exe	31
PID 692 wrote to memory of 1056	692	test.exe	31
PID 692 wrote to memory of 1056	692	test.exe	31
PID 692 wrote to memory of 1056	692	test.exe	31
PID 692 wrote to memory of 1900	692	test.exe	32
PID 692 wrote to memory of 1900	692	test.exe	32
PID 692 wrote to memory of 1900	692	test.exe	32
PID 692 wrote to memory of 1900	692	test.exe	32
PID 1900 wrote to memory of 2848	1900	Bootstrapper.exe	34
PID 1900 wrote to memory of 2848	1900	Bootstrapper.exe	34
PID 1900 wrote to memory of 2848	1900	Bootstrapper.exe	34
PID 2848 wrote to memory of 2740	2848	cmd.exe	36
PID 2848 wrote to memory of 2740	2848	cmd.exe	36
PID 2848 wrote to memory of 2740	2848	cmd.exe	36
PID 1056 wrote to memory of 2796	1056	CatLoaderv5juju.exe	37
PID 1056 wrote to memory of 2796	1056	CatLoaderv5juju.exe	37
PID 1056 wrote to memory of 2796	1056	CatLoaderv5juju.exe	37
PID 1900 wrote to memory of 2084	1900	Bootstrapper.exe	38
PID 1900 wrote to memory of 2084	1900	Bootstrapper.exe	38
PID 1900 wrote to memory of 2084	1900	Bootstrapper.exe	38
PID 2084 wrote to memory of 2628	2084	cmd.exe	40
PID 2084 wrote to memory of 2628	2084	cmd.exe	40
PID 2084 wrote to memory of 2628	2084	cmd.exe	40
PID 1900 wrote to memory of 2944	1900	Bootstrapper.exe	42
PID 1900 wrote to memory of 2944	1900	Bootstrapper.exe	42
PID 1900 wrote to memory of 2944	1900	Bootstrapper.exe	42

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\CatLoaderv5juju.exe
  "C:\Windows\CatLoaderv5juju.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\onefile_1056_133777105105948000\Stub.exe
    C:\Windows\CatLoaderv5juju.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2740
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2628
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1900 -s 1128
    3⤵
    - Loads dropped DLL
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
800KB

MD5
02c70d9d6696950c198db93b7f6a835e

SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2

SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

Download Submit
C:\Windows\CatLoaderv5juju.exe

Filesize
38.2MB

MD5
435ec84a9fa0cd8a5d979f139d529edd

SHA1
2cd983ba573163cd7cf34ff7e989e4773a1f1465

SHA256
6ce7962f45d3739810870c363f2bfab0e9cbfe448e5b5f1e6cfab829df610eb5

SHA512
5e138c594b1ac0be97ed772a2007765f5b887a71f4d2a009d5ac37f6074e78fe92a38a1d8abad560e7abfa4b78f7352e18647ec90ca8df4c014e550c1b1fe059

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1056_133777105105948000\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
memory/1900-11-0x00000000013B0000-0x000000000147E000-memory.dmp

Filesize
824KB

Download