72b2ae05b10fd711e5a5f8cb2e241bc373db84b4fcbd420934d96c6fbe2a7941

General

Target

0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe
Size

12.6MB
MD5

037b72bd0844cb2ce886cd6442c03694
SHA1

242a11ac80b1370801169997fbf6265a412e61ec
SHA256

0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d
SHA512

a4ee635a38a3f781a6d8b4994eed2f3ba2102ce3085615914f6a8148bdd9351878dfa20fd11ba65379b9d7670b8d4246ac0083237318120a70a7ec6a841813e2
SSDEEP

98304:lS949otHsw/xmF4EMz5YA8/cwumyz5E/qfOeXtOqmSr2fvYFgaH3e:E2OtHswYxMHzq7v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2988	CelestialCodes.exe
1660	CelestialCodes.exe

Loads dropped DLL 3 IoCs

pid	Process
1660	CelestialCodes.exe
1660	CelestialCodes.exe
1660	CelestialCodes.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000c000000012302-13.dat	pyinstaller

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	taskmgr.exe
Token: 35	1660	CelestialCodes.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe
2716	taskmgr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2988	868	0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe	34
PID 868 wrote to memory of 2988	868	0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe	34
PID 868 wrote to memory of 2988	868	0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe	34
PID 868 wrote to memory of 2988	868	0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe	34
PID 2988 wrote to memory of 1660	2988	CelestialCodes.exe	35
PID 2988 wrote to memory of 1660	2988	CelestialCodes.exe	35
PID 2988 wrote to memory of 1660	2988	CelestialCodes.exe	35
PID 2988 wrote to memory of 1660	2988	CelestialCodes.exe	35

C:\Users\Admin\AppData\Local\Temp\0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe
"C:\Users\Admin\AppData\Local\Temp\0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Roaming\CelestialCodes.exe
  "C:\Users\Admin\AppData\Roaming\CelestialCodes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Roaming\CelestialCodes.exe
    "C:\Users\Admin\AppData\Roaming\CelestialCodes.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2580

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29882\VCRUNTIME140.dll

Filesize
81KB

MD5
aeab74db6bc6c914997f1a8a9ff013ec

SHA1
6b717f23227d158d6aa566498c438b8f305a29b5

SHA256
18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b

SHA512
a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\_ctypes.pyd

Filesize
102KB

MD5
10861d3fa19d7dc3b41eb6f837340782

SHA1
b258d223b444ab994ec2fec95acaa9f82dc3938c

SHA256
6255bab0b7f3e2209a9c8b89a3e1ec1bbc7a29849a18e70c0cf582a63c90bed1

SHA512
ec83134c9bce9cedeee8ebdb8e382fb7f944a7bc9d3bb47c7e3144ef2ef95114a36ac1cc8c0d52f434ee4c359d938a2d7c035e699c4407df728e200de7da4af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\base_library.zip

Filesize
763KB

MD5
0f5df51bf59b997180553542b4950a78

SHA1
0144d40ed1961b42f08c92a69508e29a499d7284

SHA256
a2ab8d8551afc92f3fe352c4e36afe11c7e6e71a771a5137e8633c4b9f7902c1

SHA512
c33c7b27ac1261340215e47639429025fb130ae3a35ba9911f7184fcbc6bfc980d2b45934a563ae4758f779a9433baeff45f12cf61d2fbd988c8264311bc6dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\python37.dll

Filesize
3.3MB

MD5
465089eaced8159ec533e4a37033e227

SHA1
074596adae6f53f33b8297f02e21f6a6f7ac6ff1

SHA256
2b29ae140cb9f08af872acf9e17f785ef99398ef3367549b55242bc064d6ae40

SHA512
55eca0922074162c22fff2b4f97bd2972540fa893b9b02b7d9bfa26345186dbbdaf1fbc37a9eba6366743d0d42fb5bb88e708877dfd57cb02ca4d3a6953cfb81

Download Submit
C:\Users\Admin\AppData\Roaming\CelestialCodes.exe

Filesize
13.4MB

MD5
ae65831baf5c6ee604411144cb25bbde

SHA1
c86e6e28c379ecf02cd18d3b4f2cdd15fa2fa0f2

SHA256
8b6e6db30ac2eafabb424be81c7e167d826ff5943d1d25af03b75c03671043c6

SHA512
2fde080710ca05fbb9b3a5bade91c056c25daf675e64af1573c87e42c8488a1c45d1bf774cc4f15a6044484b302012bd539d70bb1dcc9fd5737bcfa49ae87f7e

Download Submit
memory/868-6-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/868-0-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/868-7-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/868-8-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/868-5-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/868-25-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/868-4-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/868-1-0x000000013F500000-0x000000014018C000-memory.dmp

Filesize
12.5MB

Download
memory/2716-3-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2716-2-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing