d1aea6e385d3db7c65b537a02b1565ac379ef2dcefb13a12dd8c39852ecd52c1

Analysis

max time kernel
91s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

celestial_injector.exe
Size

513KB
MD5

d7c6e839c203be9b308b372f3ab025fb
SHA1

b84851bee68aac80d16873f07a98ed56a681bee5
SHA256

d1aea6e385d3db7c65b537a02b1565ac379ef2dcefb13a12dd8c39852ecd52c1
SHA512

630a46bdcb6f7e80d843df8d91f44fb7263c99c4196b1c0b96f17d056041d69fceb56e85ee8adb0ae350e5f4e0a15c46c426ad2795b483e1e898ab379529810b
SSDEEP

12288:pui/QQmSDpHHcvwstdEVotbT/qu65Mfh29vjLehxXGbxIvB:pui/QQmwp8CoMgo9vjOUxI

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1724	extract.exe
5084	main_injector.exe
3716	impx32.exe

Loads dropped DLL 1 IoCs

pid	Process
5084	main_injector.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5084	main_injector.exe
5084	main_injector.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3748	celestial_injector.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3748	celestial_injector.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4448	3748	celestial_injector.exe	81
PID 3748 wrote to memory of 4448	3748	celestial_injector.exe	81
PID 3748 wrote to memory of 4448	3748	celestial_injector.exe	81
PID 4448 wrote to memory of 1724	4448	cmd.exe	82
PID 4448 wrote to memory of 1724	4448	cmd.exe	82
PID 4448 wrote to memory of 1724	4448	cmd.exe	82
PID 3748 wrote to memory of 5056	3748	celestial_injector.exe	84
PID 3748 wrote to memory of 5056	3748	celestial_injector.exe	84
PID 3748 wrote to memory of 5056	3748	celestial_injector.exe	84
PID 5056 wrote to memory of 5084	5056	cmd.exe	85
PID 5056 wrote to memory of 5084	5056	cmd.exe	85
PID 5084 wrote to memory of 3716	5084	main_injector.exe	90
PID 5084 wrote to memory of 3716	5084	main_injector.exe	90
PID 5084 wrote to memory of 3716	5084	main_injector.exe	90

C:\Users\Admin\AppData\Local\Temp\celestial_injector.exe
"C:\Users\Admin\AppData\Local\Temp\celestial_injector.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celestial\extract.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Roaming\celestial\extract.exe
    C:\Users\Admin\AppData\Roaming\celestial\extract.exe
    3⤵
    - Executes dropped EXE
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celestial\injector\injector\main_injector.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Roaming\celestial\injector\injector\main_injector.exe
    C:\Users\Admin\AppData\Roaming\celestial\injector\injector\main_injector.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Roaming\celestial\injector\injector\impx32.exe
      "impx32.exe" 1 7a0 7a4
      4⤵
      Executes dropped EXE
      PID:3716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Celestial\extract.exe

Filesize
5KB

MD5
1880b46611dae3e9e522e8a270383a36

SHA1
c7472f0cc2ab9fc698696e96fc8e89e037fac521

SHA256
c397dd3393bd8739317d9cff12ea50232c4d306272a045832b45c9249c4a588e

SHA512
f392c5981f46746109824a7bc287637b2eb41b2399f168b67095f18e884f10bde4e8539c9e486b0052147fe5ebd9dbd32749842d8dd3dbf55a8491356f548bee

Download Submit
C:\Users\Admin\AppData\Roaming\Celestial\injector.zip

Filesize
1.0MB

MD5
320308b20ed097a16ad93fe72ea9f3d8

SHA1
d063f19399dd8777dcec89bab5ba4abbe5f49ca2

SHA256
790b0b916a3447a8dfcf713ef37641f7d2f35f87bb94f1d204fab2ade2e90913

SHA512
5b2c4e53c31b7319a98112a3ec2364ba3ce3ac34a434bc69d6b2465d224bbd75bedf9a6a2c813d9eb96135d5280923bde362ec02ab9fda64ca6a832d1c5fb44b

Download Submit
C:\Users\Admin\AppData\Roaming\Celestial\injector\injector\impx32.exe

Filesize
28KB

MD5
e1bfdfb6d0eaa9f191cc54f9daea71f9

SHA1
8cc922afc83e4394a714c43d89a7f6ee997542b1

SHA256
e251bd9645c5587f63046494412a2dabe4b03e6158d26098259db4124a76e205

SHA512
58c52ae882883b80980f842063aa32fff4762dc807c738e9ffa3f02ffa561603f7fd27eab866195ed054be47e6329da6d16762bf581a066320dbbfe2bf5635fc

Download Submit
C:\Users\Admin\AppData\Roaming\Celestial\injector\injector\impx64.dll

Filesize
246KB

MD5
83b556a439fb7cba6bde39d1cddf2d7a

SHA1
95802e7ce59a32b01939fa2bb2e17dece3ab23dc

SHA256
f9e50bb902b3e889fcaf8143131ab57f1fb1c833a037b079017d6f5b2123f1d8

SHA512
8555101641954d0367726a53ec46848cac5eca4adc32f82cae111e0cb977f5f0c814fe1528b204de42a3b3ab1c5b5503ec6c06288c535855525d3db5dc726d14

Download Submit
C:\Users\Admin\AppData\Roaming\Celestial\injector\injector\main_injector.exe

Filesize
17KB

MD5
38736c697186ce61f9cc91d111bbca57

SHA1
ed5e6a8045a070b90bbc6a2d6407aba58af528e8

SHA256
9c8c83261e2bce9a98a3ef0c9ab97272dbd527344af8a60c1ab54438f6d2deb3

SHA512
bee4f561c9632cd77cde2989119a6729048f47c751645cf1dddaa1f0a4f49ba460141c2784186fe26925c1d88366573e9ff7597b1cd1d30fa19391df90e9137b

Download Submit
C:\Users\Admin\AppData\Roaming\Celestial\injector\injector\x64\ntdll.pdb

Filesize
1.5MB

MD5
d09b58cfbc344a0696116962c27fff11

SHA1
ec6d4f80bb407083243c054264218d2fecce4091

SHA256
25425ac4b85a72123fc0ccdcca4b75947e5f39fa0f369ab4c0fca4a3bbdd6189

SHA512
af011632ebf61f902e033aea4a58b1a50e0cb5fe41f5d5ab9ff076e385cab0a5102aed44fce9d912b9dc115f61c7c7aa9b41e0f7d66f5c3c60aca42623c4847d

Download Submit
C:\Users\Admin\AppData\Roaming\Celestial\injector\injector\x86\wntdll.pdb

Filesize
1.6MB

MD5
1783ed29e40fb68b6854166f0cb5e3a2

SHA1
2b39cf51e4dc37dda5b261d8be6685f79a8a62ce

SHA256
a8d9cb62596c85e3c48d259f941123cee62a3e7fa39f8aae3bfa88f671bad48f

SHA512
5db332e607a003f2aae739ee256fac927a5c3ea30593aa6cd605dff9fef6586ce62c8fa3c2384ddb5cf9bfcadec73866a840bb3375597bea39588d8faa7ee46d

Download Submit
C:\Users\Admin\AppData\Roaming\celestial\extract.exe

Filesize
5KB

MD5
1880b46611dae3e9e522e8a270383a36

SHA1
c7472f0cc2ab9fc698696e96fc8e89e037fac521

SHA256
c397dd3393bd8739317d9cff12ea50232c4d306272a045832b45c9249c4a588e

SHA512
f392c5981f46746109824a7bc287637b2eb41b2399f168b67095f18e884f10bde4e8539c9e486b0052147fe5ebd9dbd32749842d8dd3dbf55a8491356f548bee

Download Submit
C:\Users\Admin\AppData\Roaming\celestial\injector\injector\impx32.exe

Filesize
28KB

MD5
e1bfdfb6d0eaa9f191cc54f9daea71f9

SHA1
8cc922afc83e4394a714c43d89a7f6ee997542b1

SHA256
e251bd9645c5587f63046494412a2dabe4b03e6158d26098259db4124a76e205

SHA512
58c52ae882883b80980f842063aa32fff4762dc807c738e9ffa3f02ffa561603f7fd27eab866195ed054be47e6329da6d16762bf581a066320dbbfe2bf5635fc

Download Submit
C:\Users\Admin\AppData\Roaming\celestial\injector\injector\impx64.dll

Filesize
246KB

MD5
83b556a439fb7cba6bde39d1cddf2d7a

SHA1
95802e7ce59a32b01939fa2bb2e17dece3ab23dc

SHA256
f9e50bb902b3e889fcaf8143131ab57f1fb1c833a037b079017d6f5b2123f1d8

SHA512
8555101641954d0367726a53ec46848cac5eca4adc32f82cae111e0cb977f5f0c814fe1528b204de42a3b3ab1c5b5503ec6c06288c535855525d3db5dc726d14

Download Submit
C:\Users\Admin\AppData\Roaming\celestial\injector\injector\main_injector.exe

Filesize
17KB

MD5
38736c697186ce61f9cc91d111bbca57

SHA1
ed5e6a8045a070b90bbc6a2d6407aba58af528e8

SHA256
9c8c83261e2bce9a98a3ef0c9ab97272dbd527344af8a60c1ab54438f6d2deb3

SHA512
bee4f561c9632cd77cde2989119a6729048f47c751645cf1dddaa1f0a4f49ba460141c2784186fe26925c1d88366573e9ff7597b1cd1d30fa19391df90e9137b

Download Submit
C:\Users\Admin\AppData\Roaming\celestial\injector\injector\x64\ntdll.pdb

Filesize
1.5MB

MD5
c93882d5a086ff6877d1c03043aa8223

SHA1
97509da69a6deb2feade54889ed849c670874f99

SHA256
a9c5ea0521a3f82c0d5da9738497e81308c0791546c88344dce8d235c484797d

SHA512
a3701422fc14c60704868684b2132695c0b682e2356b990a8f5ab5f821431cd61cd2f7fe9d93906fd03373d58c3672ec9ae24554f64270eec80707a5533d10a0

Download Submit
C:\Users\Admin\AppData\Roaming\celestial\injector\injector\x86\wntdll.pdb

Filesize
1.6MB

MD5
860baccfd65ee2340f061548576e156e

SHA1
872cdde2a6cfb3e0bc28bbe4ce2dc92b86e85352

SHA256
381906ef44b411c01335d9db3717bb5765413ff51754babc55a9622532ee0357

SHA512
08581ff77d9c4c57c54d9d55f6005db26f4586cbb75c93a635e97769f7784ba438a0bab0f293e51ad9c4e57c57473c58575b5a407820b0e0f80afbe45f72bf92

Download Submit
memory/1724-145-0x00000000050F0000-0x0000000005102000-memory.dmp

Filesize
72KB

Download
memory/1724-144-0x0000000002A30000-0x0000000002A3A000-memory.dmp

Filesize
40KB

Download
memory/1724-143-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/5084-196-0x000002B934450000-0x000002B934454000-memory.dmp

Filesize
16KB

Download