umbral | hxxps://mega[.]nz/file/EqF1waoC#WJZTNw7NNx0HZDAtr5Aq1S2XZuMs69aOw2VtthxYMKw

Analysis

max time kernel
720s
max time network
732s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
11-02-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/EqF1waoC#WJZTNw7NNx0HZDAtr5Aq1S2XZuMs69aOw2VtthxYMKw

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000002a825-196.dat	family_umbral
behavioral2/memory/2248-210-0x000002666E0B0000-0x000002666E0F8000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 2 IoCs

pid	Process
2248	Celestial.exe
5012	Celestial.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 279241.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
2200	msedge.exe
2200	msedge.exe
4476	identity_helper.exe
4476	identity_helper.exe
4608	msedge.exe
4608	msedge.exe
1444	msedge.exe
1444	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1384	AUDIODG.EXE
Token: SeDebugPrivilege	2248	Celestial.exe
Token: SeIncreaseQuotaPrivilege	3096	wmic.exe
Token: SeSecurityPrivilege	3096	wmic.exe
Token: SeTakeOwnershipPrivilege	3096	wmic.exe
Token: SeLoadDriverPrivilege	3096	wmic.exe
Token: SeSystemProfilePrivilege	3096	wmic.exe
Token: SeSystemtimePrivilege	3096	wmic.exe
Token: SeProfSingleProcessPrivilege	3096	wmic.exe
Token: SeIncBasePriorityPrivilege	3096	wmic.exe
Token: SeCreatePagefilePrivilege	3096	wmic.exe
Token: SeBackupPrivilege	3096	wmic.exe
Token: SeRestorePrivilege	3096	wmic.exe
Token: SeShutdownPrivilege	3096	wmic.exe
Token: SeDebugPrivilege	3096	wmic.exe
Token: SeSystemEnvironmentPrivilege	3096	wmic.exe
Token: SeRemoteShutdownPrivilege	3096	wmic.exe
Token: SeUndockPrivilege	3096	wmic.exe
Token: SeManageVolumePrivilege	3096	wmic.exe
Token: 33	3096	wmic.exe
Token: 34	3096	wmic.exe
Token: 35	3096	wmic.exe
Token: 36	3096	wmic.exe
Token: SeIncreaseQuotaPrivilege	3096	wmic.exe
Token: SeSecurityPrivilege	3096	wmic.exe
Token: SeTakeOwnershipPrivilege	3096	wmic.exe
Token: SeLoadDriverPrivilege	3096	wmic.exe
Token: SeSystemProfilePrivilege	3096	wmic.exe
Token: SeSystemtimePrivilege	3096	wmic.exe
Token: SeProfSingleProcessPrivilege	3096	wmic.exe
Token: SeIncBasePriorityPrivilege	3096	wmic.exe
Token: SeCreatePagefilePrivilege	3096	wmic.exe
Token: SeBackupPrivilege	3096	wmic.exe
Token: SeRestorePrivilege	3096	wmic.exe
Token: SeShutdownPrivilege	3096	wmic.exe
Token: SeDebugPrivilege	3096	wmic.exe
Token: SeSystemEnvironmentPrivilege	3096	wmic.exe
Token: SeRemoteShutdownPrivilege	3096	wmic.exe
Token: SeUndockPrivilege	3096	wmic.exe
Token: SeManageVolumePrivilege	3096	wmic.exe
Token: 33	3096	wmic.exe
Token: 34	3096	wmic.exe
Token: 35	3096	wmic.exe
Token: 36	3096	wmic.exe
Token: SeDebugPrivilege	5012	Celestial.exe
Token: SeIncreaseQuotaPrivilege	3820	wmic.exe
Token: SeSecurityPrivilege	3820	wmic.exe
Token: SeTakeOwnershipPrivilege	3820	wmic.exe
Token: SeLoadDriverPrivilege	3820	wmic.exe
Token: SeSystemProfilePrivilege	3820	wmic.exe
Token: SeSystemtimePrivilege	3820	wmic.exe
Token: SeProfSingleProcessPrivilege	3820	wmic.exe
Token: SeIncBasePriorityPrivilege	3820	wmic.exe
Token: SeCreatePagefilePrivilege	3820	wmic.exe
Token: SeBackupPrivilege	3820	wmic.exe
Token: SeRestorePrivilege	3820	wmic.exe
Token: SeShutdownPrivilege	3820	wmic.exe
Token: SeDebugPrivilege	3820	wmic.exe
Token: SeSystemEnvironmentPrivilege	3820	wmic.exe
Token: SeRemoteShutdownPrivilege	3820	wmic.exe
Token: SeUndockPrivilege	3820	wmic.exe
Token: SeManageVolumePrivilege	3820	wmic.exe
Token: 33	3820	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe
2200	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3208	2200	msedge.exe	37
PID 2200 wrote to memory of 3208	2200	msedge.exe	37
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 912	2200	msedge.exe	81
PID 2200 wrote to memory of 4816	2200	msedge.exe	80
PID 2200 wrote to memory of 4816	2200	msedge.exe	80
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82
PID 2200 wrote to memory of 4564	2200	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/EqF1waoC#WJZTNw7NNx0HZDAtr5Aq1S2XZuMs69aOw2VtthxYMKw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda6e43cb8,0x7ffda6e43cc8,0x7ffda6e43cd8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Users\Admin\Downloads\Celestial.exe
  "C:\Users\Admin\Downloads\Celestial.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11827811300856715978,17857358048145210334,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5984 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:668

C:\Users\Admin\Downloads\Celestial.exe
"C:\Users\Admin\Downloads\Celestial.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celestial.exe.log

Filesize
1KB

MD5
02df789e3c730b309fc4d9abce5d729b

SHA1
4f9da0f0d4cadacfd0f68fb1f7ee73a66dcf1b4e

SHA256
4afabcd1723096359d90c8f32df7a6a44cd866e89d5b37c89280bfeab61d7321

SHA512
7ac0dd7e3a3e483d07409da793dd2b0915d4369fe41fe743acd82de9aa77b9fa7ea5cd60498034f3fa0674d93d184c9128375d8f7f0796fddecff3845fca8587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dbe72a1f5827efc08f70d06ef815d46

SHA1
6aacd61519fce53ecb92e5e61207a6c29c01f47b

SHA256
dd673404dd6deb2d2b331316370fd05e47c01b9dc489640f05b50898d536a6e3

SHA512
2e6115ca818df5f5b7985caf3ce2324e266b376f6180f84b44e9ae725e037a8456c2cd63e22b9750e2ba27f4c7460dfa429ce9910517a728b056e5f1e730e25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
a5f4850d4397885e7d4f818b75033761

SHA1
b5fff2f9bfbb9311fe026f2ccad01275236e139f

SHA256
f8003cf07c9f4b7c75f1f5f1958f6ba7ea65c4714f07f9c78fd48aff082977a0

SHA512
fe5d48b2e5f1473ca52c2c8e357b6cebeacebb65d0353834a1359b42b78dd7eff54cb5b8e671d552b62ca0817d66d0e881e20dfb5a14523228294aff8a06edcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
927f64303fca83a05c8ff7b0849a4015

SHA1
2011723d568a8b88f6044477c4bff3a9090994e4

SHA256
8484bd6ae00e2b38f70ccc90e8b735f66f7ae1463c31a4bfb151a454e8952398

SHA512
4319beba1a9e7b93046b0e37101492615f5137006a05e3af59e820e2ba46b4750c7e08bd60c3cc0d2d2327980939e1e3ccf72adfc20f39f9702b585b0d83bde5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2ce0c2ac38880d43b54d45d264d200db

SHA1
0adf237bf0624408a1932e75bbc80241bb2756f4

SHA256
7ec1f7475c96092ccd4aedd832203e59387ea00509c5ea4add0c54c8e81797c9

SHA512
0d01e3983dff6efedc40486ee0fb3423e9e64c6b2a4317e286c9f764694968cb3634b669ab8f963936f3240bc532c9ac2a809796aa6e6f9cdb6cbdadcef09b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50982737902c4c3733a4285bfb4759b3

SHA1
59deba2d68fd49b4f4fe4ca226656e60c9e5139d

SHA256
da7302f4bd43aa1bd74a35117a9dd16332f2b825aa20c55a36cfffc63d72e56e

SHA512
d3676e7cb34c5bb6dc818892672b2e1defbb854c1afe0c428e26a970c698368e186f47b2a3e8297fbdb325e1dcd8540ef52db945baa0f25a38d255cfa0470352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
e5477be1e6c4cc9f570c69a84dd4f681

SHA1
fdcbdc83ccfef1c270b927c6815e641f6d96a132

SHA256
f06ab204d1d24ecd2d13e473bf807a8fc65ed09114a227966b4a308bd7eaa531

SHA512
24eb3338f0a7be6df183c5d5f22831bed07ce0779dcc124e805364a128a08f571160a6809556cd1de323c9d3cc64299855978967c8693b8324cd9bb22f5ffe14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
45235c062a5eaf2d9fa1f13257814433

SHA1
b8e302590512e842f6d4f254105ca771cb02d143

SHA256
c667b6e8f58bcfdd774dc11f493709f773b6d9ebfd9c5e072584644be83dd248

SHA512
ce9ad4dd5fb0c95405250915f265f30def4a7c7641a8b924e99ae8553847f165e3e389dc58ac18f68d7de581ee44ecfb672936d17d34a1583b2d50dd8f4b3af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ceba.TMP

Filesize
48B

MD5
a2b9b399d31e3a0b93b93043d05ae174

SHA1
35cee7a245f1ba515dc9fc9e252e8947947578c7

SHA256
cd820e4225b7ee478e3091873cbd64cf6f0e69ea04d417d27dfe633fabc55575

SHA512
132ae5a19bd1918f94e047a13b3403fdeaa21f46cc7ec8014db40975b55d5b5a23735c0e23a8176e19f1750614f211a08e187e19aad93018532ff6b980ff4a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f82d4fdbd8c191521bddf1ba9adb401

SHA1
14ec774ef559a42196e46f3f46ed5d71ca9ed4dd

SHA256
cb30b0b5cb9166bc2df9a63d5132aa88e0c90776c1b3fea92dfa2ca7f34b0297

SHA512
e8b06fbcc414573d8ff0396f5b8f0718d18d934401f0e571c172cdda96677d1bf556f0b0868ef8f26e74967ff418b93813e70b7ecf2e3d8f17de20066a7cf3e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f45fd4a9e9bd5c943cb91115c0514b9

SHA1
59172dba060738b3dd70a20e75a64badb7559746

SHA256
77a191bf69b652093ac0243360311cd310b270ad778f5d7d109b94f38f000c32

SHA512
9f7259dffeb39b1ba279d29d616e99c27588720a6d0afdffc29c1cd7895c75d3993bd7d7f5294ffc1f695d2e3014bdec84bfbbaae3d0b3f1617e5cf7b2c77f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ca72eb33ca25dbd12e9c820c1b80e9f

SHA1
ae7f6d030f7332858b98409754a55de2370ff665

SHA256
08ed1aa4719ae65027b3520c0b9320b6a5ce1202ab829f945889df65acb8f85e

SHA512
ada2715f645a79aa036fc881d721b6b2f2235fbfefee4628a296ed3f04f20a6e87847b660cec82f2bd5edcbfeb15725f63be8f95b33c1a8a165805294fefd89e

Download Submit
C:\Users\Admin\Downloads\Celestial.exe

Filesize
266KB

MD5
deb95e476943219d9fccc87505cc740e

SHA1
be4325870bc9e8fe0e8233487287dd3569124bd5

SHA256
626e632e710f71661c007726e0195c4e60e1c7366f474c3d22a11e6b9fbfa1d8

SHA512
61eb326732efdc2ac4f417ee38153872d9a7afe21b8768f18262cc37ad48018d5d730dfd3c5db84d5b500513bc2e0f9b96c065eb7967adb74c0753c3ee4e42f8

Download Submit
memory/2248-214-0x00007FFD92670000-0x00007FFD93132000-memory.dmp

Filesize
10.8MB

Download
memory/2248-212-0x000002666FD10000-0x000002666FD20000-memory.dmp

Filesize
64KB

Download
memory/2248-211-0x00007FFD92670000-0x00007FFD93132000-memory.dmp

Filesize
10.8MB

Download
memory/2248-210-0x000002666E0B0000-0x000002666E0F8000-memory.dmp

Filesize
288KB

Download
memory/5012-249-0x00007FFD921B0000-0x00007FFD92C72000-memory.dmp

Filesize
10.8MB

Download
memory/5012-250-0x0000028AD1990000-0x0000028AD19A0000-memory.dmp

Filesize
64KB

Download
memory/5012-251-0x00007FFD921B0000-0x00007FFD92C72000-memory.dmp

Filesize
10.8MB

Download