9cc7fd79b16ed36fe78d8b6bc9ea5e99bb1fb48a39d6051c3961bf503fd16a24

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/12/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Starcat ransomware.exe
Size

4.2MB
MD5

0df6cb830d2f8f248ebb420e0473e40b
SHA1

4f89623b972450fac3b320779672003b06fa5d9f
SHA256

9cc7fd79b16ed36fe78d8b6bc9ea5e99bb1fb48a39d6051c3961bf503fd16a24
SHA512

765073189498d4889a18dcd959cec54e4d837a3de249607c8dd4288f2204ba48992cf284afa76fcedf1f6a59954305b37fb0ab99639fca96a643526d16d067a7
SSDEEP

49152:DYIU6iwVwASOuGtlqGz2OiG3NWE8Nsz3QEyB+68eBDN4NoIumzqsRrtYpFGY+uby:L+UaOwENQ3mzROac6t

Score

9^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (1236) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\starcat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Starcat ransomware.exe"	Starcat ransomware.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\temp.jpg"	Starcat ransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	Starcat ransomware.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar	Starcat ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar	Starcat ransomware.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	Starcat ransomware.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	Starcat ransomware.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	Starcat ransomware.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.starcat	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	Starcat ransomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\rt.jar	Starcat ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.starcat	Starcat ransomware.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg	Starcat ransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3608	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	Starcat ransomware.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	3640	vssvc.exe
Token: SeRestorePrivilege	3640	vssvc.exe
Token: SeAuditPrivilege	3640	vssvc.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe
Token: SeBackupPrivilege	2420	Starcat ransomware.exe
Token: SeSecurityPrivilege	2420	Starcat ransomware.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2420	Starcat ransomware.exe
2420	Starcat ransomware.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2064	2420	Starcat ransomware.exe	30
PID 2420 wrote to memory of 2064	2420	Starcat ransomware.exe	30
PID 2420 wrote to memory of 2064	2420	Starcat ransomware.exe	30
PID 2064 wrote to memory of 3608	2064	cmd.exe	32
PID 2064 wrote to memory of 3608	2064	cmd.exe	32
PID 2064 wrote to memory of 3608	2064	cmd.exe	32
PID 2420 wrote to memory of 1320	2420	Starcat ransomware.exe	37
PID 2420 wrote to memory of 1320	2420	Starcat ransomware.exe	37
PID 2420 wrote to memory of 1320	2420	Starcat ransomware.exe	37
PID 1320 wrote to memory of 596	1320	cmd.exe	39
PID 1320 wrote to memory of 596	1320	cmd.exe	39
PID 1320 wrote to memory of 596	1320	cmd.exe	39
PID 2420 wrote to memory of 696	2420	Starcat ransomware.exe	40
PID 2420 wrote to memory of 696	2420	Starcat ransomware.exe	40
PID 2420 wrote to memory of 696	2420	Starcat ransomware.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Starcat ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Starcat ransomware.exe"
1⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3608
- C:\Windows\system32\cmd.exe
  cmd /c schtasks /create /tn "CopyFileTask" /tr "cmd.exe / c copy "C:\star_cat.txt" "C:\Users\Admin\Desktop\recover files,view here.txt"" / sc minute / mo 10 / f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "CopyFileTask" /tr "cmd.exe / c copy "C:\star_cat.txt" "C:\Users\Admin\Desktop\recover files,view here.txt"" / sc minute / mo 10 / f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:596
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2420 -s 4804
  2⤵
  PID:696