
Windows Analysis Report
Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Overview

General Information

Sample name: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
Analysis ID: 1636616
MD5: d508fed135ca2c50325092ad9c11fe74
SHA1: 68f3c3cde62682344937b021c6dbfa1aa6d0bb88
SHA256: 2c5b439f283a66b92968d94a922560e24c5599d1d4e0457053bd72dfb9ff36a4

Detection

Score: 72
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
IP address seen in connection with other malware
May check the online IP address of the machine
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
    • Source: 00000001.00000000.1240945423.0000000000401000.00000020.00000001.01000000.00000006.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security
    • Source: 00000001.00000002.1425700818.000000002DAE0000.00000004.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Fickerstealer_f2159bec | Description: unknown | Author: unknown
      Strings: 0x99ff:$a1: 10 12 F2 0F 10 5A 08 31 C1 89 C6 8B 42 50 89 7D F0 F2 0F 11 8D 18 FF
    • Source: 00000008.00000002.3757232649.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Fickerstealer_f2159bec | Description: unknown | Author: unknown
      Strings: 0xa5ff:$a1: 10 12 F2 0F 10 5A 08 31 C1 89 C6 8B 42 50 89 7D F0 F2 0F 11 8D 18 FF
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
    Source: Binary string: wntdll.pdbUGP source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000001.00000002.1424620774.000000002D7F0000.00000040.00001000.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000001.00000002.1424620774.000000002D7F0000.00000040.00001000.00020000.00000000.sdmp
    Source: Joe Sandbox View | IP Address: 104.26.13.205 104.26.13.205
    Source: Joe Sandbox View | IP Address: 104.26.13.205 104.26.13.205
    Source: unknown | DNS query: name: api.ipify.org
    Source: unknown | DNS query: name: api.ipify.org
    Source: global traffic | HTTP traffic detected: GET /?format=xml HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: api.ipify.org Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.201.181
    Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.201.181
    Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.201.181
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /?format=xml HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: api.ipify.org Connection: Keep-Alive
    Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.0000000000578000.00000004.00000020.00020000.00000000.sdmp, Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.000000000058E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/?format=xml
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.000000000058E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/?format=xml6
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.0000000000598000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/?format=xmlM
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.0000000000598000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/?format=xmlRRC:
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.0000000000598000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/?format=xmlS
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | String found in binary or memory: http://www.blacksunsoftware.com
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | String found in binary or memory: http://www.blacksunsoftware.com/upgrading.htmlopenU
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | String found in binary or memory: http://www.blacksunsoftware.com/version/colormania.txt
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | String found in binary or memory: http://www.blacksunsoftware.comD
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | String found in binary or memory: http://www.blacksunsoftware.comS
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | String found in binary or memory: http://www.blacksunsoftware.comopen
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | String found in binary or memory: http://www.blacksunsoftware.comopenU
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comP

    System Summary

    Source: 00000001.00000002.1425700818.000000002DAE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Fickerstealer_f2159bec Author: unknown
    Source: 00000008.00000002.3757232649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Fickerstealer_f2159bec Author: unknown
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: section name:
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Process Stats: CPU usage > 49%
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: Number of sections : 13 > 10
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000001.00000002.1424620774.000000002D91D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000001.00000000.1240945423.000000000041D000.00000020.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000001.00000002.1423809796.000000002D427000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Binary or memory string: OriginalFilename vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
    Source: 00000001.00000002.1425700818.000000002DAE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Fickerstealer_f2159bec reference_sample = a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6, os = windows, severity = x86, creation_date = 2021-07-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Fickerstealer, fingerprint = 0671691c6d5c7177fe155e4076ab39bf5f909ed300f32c1530e80d471dff0296, id = f2159bec-a3ce-47a9-91ad-43b8a19ac172, last_modified = 2021-08-23
    Source: 00000008.00000002.3757232649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Fickerstealer_f2159bec reference_sample = a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6, os = windows, severity = x86, creation_date = 2021-07-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Fickerstealer, fingerprint = 0671691c6d5c7177fe155e4076ab39bf5f909ed300f32c1530e80d471dff0296, id = f2159bec-a3ce-47a9-91ad-43b8a19ac172, last_modified = 2021-08-23
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: Section: uYFHVLAW ZLIB complexity 0.9960201027526395
    Source: classification engine | Classification label: mal72.evad.winEXE@3/2@1/2
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ETO08RL7.txt
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Mutant created: \Sessions\1\BaseNamedObjects\ah;waeh;isfdgaf
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Mutant created: \Sessions\1\BaseNamedObjects\o;awefijo;ijo;
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Mutant created: \Sessions\1\BaseNamedObjects\wh;ijo;h
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Mutant created: \Sessions\1\BaseNamedObjects\hrth
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Mutant created: \Sessions\1\BaseNamedObjects\ho;ah
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Mutant created: \Sessions\1\BaseNamedObjects\whoareyoutellmeandilltellwhoyou
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Mutant created: \Sessions\1\BaseNamedObjects\ijlhlkwah;joi;i
    Source: Yara match | File source: 00000001.00000000.1240945423.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: winsta.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static file information: File size 724063744 > 1048576
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x368200
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: Raw size of Performv is bigger than: 0x100000 < 0x2addfa00
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: More than 200 imports for user32.dll
    Source: Binary string: wntdll.pdbUGP source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000001.00000002.1424620774.000000002D7F0000.00000040.00001000.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000001.00000002.1424620774.000000002D7F0000.00000040.00001000.00020000.00000000.sdmp
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: section name: .didata
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: section name:
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: section name: uYFHVLAW
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: section name: Performv
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Static PE information: section name: uYFHVLAW entropy: 7.996713302303785
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | File created: \catch me if you can (2002) 1080p.bluray.x264.full 744mb.exe
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | File created: \catch me if you can (2002) 1080p.bluray.x264.full 744mb.exe

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Memory written: PID: 2020 base: 77752EC0 value: E9 3B D1 A6 88
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | RDTSC instruction interceptor: First address: 944798 second address: 94479C instructions: 0x00000000 rdtsc 0x00000002 dec ch 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | RDTSC instruction interceptor: First address: 94479C second address: 9447AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31E0F3E5BCh 0x00000004 rdtsc
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.0000000000608000.00000004.00000020.00020000.00000000.sdmp, Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000008.00000002.3757679565.0000000000598000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Memory written: PID: 2020 base: 77752EC0 value: E9
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Memory written: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"
    Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | Binary or memory string: Shell_TrayWndTrayNotifyWndSV

    MITRE ATT&CK Matrix (techniques grouped by tactic; a number preceding a technique is reproduced as shown in the report)

    • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    • Privilege Escalation: 212 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    • Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 212 Process Injection; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
    • Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    • Discovery: 11 Security Software Discovery; 1 Process Discovery; 1 System Network Configuration Discovery; 11 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
    • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    • Collection: 1 Credential API Hooking; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    • Command and Control: 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
    • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
