Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
190s -
max time network
258s -
platform
windows10-1703_x64 -
resource
win10-20231220-en -
resource tags
arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system -
submitted
09/02/2024, 20:44
General
-
Target
Celestial.exe
-
Size
266KB
-
MD5
deb95e476943219d9fccc87505cc740e
-
SHA1
be4325870bc9e8fe0e8233487287dd3569124bd5
-
SHA256
626e632e710f71661c007726e0195c4e60e1c7366f474c3d22a11e6b9fbfa1d8
-
SHA512
61eb326732efdc2ac4f417ee38153872d9a7afe21b8768f18262cc37ad48018d5d730dfd3c5db84d5b500513bc2e0f9b96c065eb7967adb74c0753c3ee4e42f8
-
SSDEEP
6144:4loZM+rIkd8g+EtXHkv/iD4RwFBJNbYMTnqL9Y0hZ67qb8e1m2iiV8vpFNEvt:moZtL+EP8RwFBJNbYMTnqL9Y0hZgWMiS
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/312-0-0x0000028A62DE0000-0x0000028A62E28000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 312 Celestial.exe Token: SeIncreaseQuotaPrivilege 4668 wmic.exe Token: SeSecurityPrivilege 4668 wmic.exe Token: SeTakeOwnershipPrivilege 4668 wmic.exe Token: SeLoadDriverPrivilege 4668 wmic.exe Token: SeSystemProfilePrivilege 4668 wmic.exe Token: SeSystemtimePrivilege 4668 wmic.exe Token: SeProfSingleProcessPrivilege 4668 wmic.exe Token: SeIncBasePriorityPrivilege 4668 wmic.exe Token: SeCreatePagefilePrivilege 4668 wmic.exe Token: SeBackupPrivilege 4668 wmic.exe Token: SeRestorePrivilege 4668 wmic.exe Token: SeShutdownPrivilege 4668 wmic.exe Token: SeDebugPrivilege 4668 wmic.exe Token: SeSystemEnvironmentPrivilege 4668 wmic.exe Token: SeRemoteShutdownPrivilege 4668 wmic.exe Token: SeUndockPrivilege 4668 wmic.exe Token: SeManageVolumePrivilege 4668 wmic.exe Token: 33 4668 wmic.exe Token: 34 4668 wmic.exe Token: 35 4668 wmic.exe Token: 36 4668 wmic.exe Token: SeIncreaseQuotaPrivilege 4668 wmic.exe Token: SeSecurityPrivilege 4668 wmic.exe Token: SeTakeOwnershipPrivilege 4668 wmic.exe Token: SeLoadDriverPrivilege 4668 wmic.exe Token: SeSystemProfilePrivilege 4668 wmic.exe Token: SeSystemtimePrivilege 4668 wmic.exe Token: SeProfSingleProcessPrivilege 4668 wmic.exe Token: SeIncBasePriorityPrivilege 4668 wmic.exe Token: SeCreatePagefilePrivilege 4668 wmic.exe Token: SeBackupPrivilege 4668 wmic.exe Token: SeRestorePrivilege 4668 wmic.exe Token: SeShutdownPrivilege 4668 wmic.exe Token: SeDebugPrivilege 4668 wmic.exe Token: SeSystemEnvironmentPrivilege 4668 wmic.exe Token: SeRemoteShutdownPrivilege 4668 wmic.exe Token: SeUndockPrivilege 4668 wmic.exe Token: SeManageVolumePrivilege 4668 wmic.exe Token: 33 4668 wmic.exe Token: 34 4668 wmic.exe Token: 35 4668 wmic.exe Token: 36 4668 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 312 wrote to memory of 4668 312 Celestial.exe 75 PID 312 wrote to memory of 4668 312 Celestial.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\Celestial.exe"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4668
-