Edit tour

Windows Analysis Report
Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Overview

General Information

Sample name:	Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
Analysis ID:	1636616
MD5:	d508fed135ca2c50325092ad9c11fe74
SHA1:	68f3c3cde62682344937b021c6dbfa1aa6d0bb88
SHA256:	2c5b439f283a66b92968d94a922560e24c5599d1d4e0457053bd72dfb9ff36a4
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64native

Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe" MD5: D508FED135CA2C50325092AD9C11FE74)

Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe (PID: 3920 cmdline: "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe" MD5: D508FED135CA2C50325092AD9C11FE74)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1523001243.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.1611095230.000000002DCD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Fickerstealer_f2159bec	unknown	unknown	0x99ff:$a1: 10 12 F2 0F 10 5A 08 31 C1 89 C6 8B 42 50 89 7D F0 F2 0F 11 8D 18 FF
00000002.00000002.2801370543.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Fickerstealer_f2159bec	unknown	unknown	0xa5ff:$a1: 10 12 F2 0F 10 5A 08 31 C1 89 C6 8B 42 50 89 7D F0 F2 0F 11 8D 18 FF

HTTP traffic detected: GET /?format=xml HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.201.181

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.0000000000741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/?format=xml
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.0000000000741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/?format=xml$
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.0000000000741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/?format=xmlSSC:
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.0000000000741000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/?format=xmlTR
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2801787673.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/?format=xmlk
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	String found in binary or memory: http://www.blacksunsoftware.com
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	String found in binary or memory: http://www.blacksunsoftware.com/upgrading.htmlopenU
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	String found in binary or memory: http://www.blacksunsoftware.com/version/colormania.txt
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	String found in binary or memory: http://www.blacksunsoftware.comD
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	String found in binary or memory: http://www.blacksunsoftware.comS
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	String found in binary or memory: http://www.blacksunsoftware.comopen
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	String found in binary or memory: http://www.blacksunsoftware.comopenU
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com((V

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1611095230.000000002DCD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Fickerstealer_f2159bec Author: unknown
Source: 00000002.00000002.2801370543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Fickerstealer_f2159bec Author: unknown

PE file has nameless sections

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static PE information: section name:

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static PE information: Number of sections : 13 > 10

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000000.00000002.1609294170.000000002D584000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000000.00000002.1610232079.000000002DAFD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000000.00000000.1523001243.000000000041D000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Binary or memory string: OriginalFilename vs Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.1611095230.000000002DCD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Fickerstealer_f2159bec reference_sample = a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6, os = windows, severity = x86, creation_date = 2021-07-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Fickerstealer, fingerprint = 0671691c6d5c7177fe155e4076ab39bf5f909ed300f32c1530e80d471dff0296, id = f2159bec-a3ce-47a9-91ad-43b8a19ac172, last_modified = 2021-08-23
Source: 00000002.00000002.2801370543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Fickerstealer_f2159bec reference_sample = a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6, os = windows, severity = x86, creation_date = 2021-07-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Fickerstealer, fingerprint = 0671691c6d5c7177fe155e4076ab39bf5f909ed300f32c1530e80d471dff0296, id = f2159bec-a3ce-47a9-91ad-43b8a19ac172, last_modified = 2021-08-23

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static PE information: Section: uYFHVLAW ZLIB complexity 0.9960201027526395

Source: classification engine

Classification label: mal68.evad.winEXE@3/2@1/2

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\149JUSKP.txt

Jump to behavior

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Mutant created: \Sessions\1\BaseNamedObjects\ah;waeh;isfdgaf
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Mutant created: \Sessions\1\BaseNamedObjects\o;awefijo;ijo;
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Mutant created: \Sessions\1\BaseNamedObjects\wh;ijo;h
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Mutant created: \Sessions\1\BaseNamedObjects\hrth
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Mutant created: \Sessions\1\BaseNamedObjects\ho;ah
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Mutant created: \Sessions\1\BaseNamedObjects\whoareyoutellmeandilltellwhoyou
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Mutant created: \Sessions\1\BaseNamedObjects\ijlhlkwah;joi;i

Source: Yara match

File source: 00000000.00000000.1523001243.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static file information: File size 724063744 > 1048576

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x368200
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Static PE information: Raw size of Performv is bigger than: 0x100000 < 0x2addfa00

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static PE information: More than 200 imports for user32.dll

Source:	Binary string: wntdll.pdbUGP source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000000.00000002.1610232079.000000002D9D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000000.00000002.1610232079.000000002D9D0000.00000040.00001000.00020000.00000000.sdmp

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Static PE information: section name: .didata
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Static PE information: section name:
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Static PE information: section name: uYFHVLAW
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Static PE information: section name: Performv

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Static PE information: section name: uYFHVLAW entropy: 7.996713302303785

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	File created: \catch me if you can (2002) 1080p.bluray.x264.full 744mb.exe
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	File created: \catch me if you can (2002) 1080p.bluray.x264.full 744mb.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Memory written: PID: 3920 base: 776A2DE0 value: E9 1B D2 B1 88

Jump to behavior

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.0000000000741000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe, 00000002.00000002.2802209139.000000000076F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxlt%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Hijacks the control flow in another process

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Memory written: PID: 3920 base: 776A2DE0 value: E9

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Memory written: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Process created: C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe "C:\Users\user\Desktop\Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe"

Jump to behavior

Source: Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Binary or memory string: Shell_TrayWndTrayNotifyWndSV

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Masquerading	1 Credential API Hooking	1 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe