2dc625e5072ef7ebaddcffd5be6fd73790fdfe7ed691e4df5d3fcf7fcc029a32

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Celeste64.exe
Size

13.2MB
MD5

6f445565a4169e268effc04a3aa98a07
SHA1

d97c6fcaa18986bd5f298fac54771088f7f7da89
SHA256

2dc625e5072ef7ebaddcffd5be6fd73790fdfe7ed691e4df5d3fcf7fcc029a32
SHA512

51c8833ba55a393dd27f3ca00e44ce29c2c8702776a8ea036d585ae3df96f01ba8ddd3ff58132b7ac098e24c54b4ebf9eb9a6d178df5971fcdb92a5c0fd0147d
SSDEEP

196608:EBsd3+XNqcBQ9KRIWGmI+/t4RG9VLrgzm:VAXhBQ9KOL++o9VLj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	Celeste64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	Celeste64.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2072	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2072	1568	Celeste64.exe	90
PID 1568 wrote to memory of 2072	1568	Celeste64.exe	90

C:\Users\Admin\AppData\Local\Temp\Celeste64.exe
"C:\Users\Admin\AppData\Local\Temp\Celeste64.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ErrorLog.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ErrorLog.txt

Filesize
787B

MD5
12834e31cf4e7e4304944239640d0fe3

SHA1
fa307c8d30ba8bd59b25f6c983fbd270e17e6f42

SHA256
1b1ddbef22024aed87bd8b2cc4ad9e68f6c5b9b426fcf24e3dbe1d4430a1165e

SHA512
902e1e5b45c6e482e7831ea3b82dd0aaa643c5b25a697d5442c15a1cec38cce52187bb55823ef8f5daf38060f4dd623d81b65ec75411940b5cbfe3ae751508c4

Download Submit