Analysis
- max time kernel: 63s
- max time network: 71s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 16:24
Behavioral task: behavioral1
- Sample: Celery/Celery Launcher.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: Celery/Celery Launcher.exe
- Resource: win10v2004-20240226-en
General
- Target: Celery/Celery Launcher.exe
- Size: 287.0MB
- MD5: feaef80a175e24dbf45cb0f3561f4891
- SHA1: dd8652d5623aec0e0de66f50df8d75c3cb54e050
- SHA256: 6b5c7a2136f31631e64960abe17dea5a4eccf9f40943f0f492bc397c8189d5a3
- SHA512: 218c01e342aead4a1094ee57344d29ecde0fbe8216d270ba376344790e0202eaea161be52e183c5442a45b55c657cf8340b6f027288ceaf790069f111994101d
- SSDEEP: 49152:Ght9sTkCObgYD//RcCHEDIpPmChB2iqUL7h5IGn:Ght9bCOblJcqIIJtMq5H
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Celery Launcher.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Celery Launcher.exe
- Executes dropped EXE (1 IoC)
  Processes: Hybrid.pif
  pid | process
  3284 | Hybrid.pif
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes: tasklist.exe, tasklist.exe
  pid | process
  5956 | tasklist.exe
  3592 | tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: Hybrid.pif
  pid | process
  3284 | Hybrid.pif (reported 6 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: tasklist.exe, tasklist.exe
  description | pid | process
  Token: SeDebugPrivilege | 5956 | tasklist.exe
  Token: SeDebugPrivilege | 3592 | tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: Hybrid.pif
  pid | process
  3284 | Hybrid.pif (reported 3 times)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: Hybrid.pif
  pid | process
  3284 | Hybrid.pif (reported 3 times)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: Celery Launcher.exe, cmd.exe
  description | pid | process | target process (each row is reported 3 times in the raw output)
  PID 3948 wrote to memory of 644 | 3948 | Celery Launcher.exe | cmd.exe
  PID 644 wrote to memory of 5956 | 644 | cmd.exe | tasklist.exe
  PID 644 wrote to memory of 5888 | 644 | cmd.exe | findstr.exe
  PID 644 wrote to memory of 3592 | 644 | cmd.exe | tasklist.exe
  PID 644 wrote to memory of 4980 | 644 | cmd.exe | findstr.exe
  PID 644 wrote to memory of 5504 | 644 | cmd.exe | cmd.exe
  PID 644 wrote to memory of 5508 | 644 | cmd.exe | findstr.exe
  PID 644 wrote to memory of 3860 | 644 | cmd.exe | cmd.exe
  PID 644 wrote to memory of 3284 | 644 | cmd.exe | Hybrid.pif
  PID 644 wrote to memory of 2420 | 644 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\Celery\Celery Launcher.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Celery\Celery Launcher.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c move Look Look.bat && Look.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe (depth 3)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe (depth 3)
      Command line: findstr /I "wrsa.exe opssvc.exe"
    - C:\Windows\SysWOW64\tasklist.exe (depth 3)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe (depth 3)
      Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /c md 1101
    - C:\Windows\SysWOW64\findstr.exe (depth 3)
      Command line: findstr /V "DeemedTalentNeedsPc" Derived
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /c copy /b Outer + Leader + Lot + Intelligent + Distinguished + Mileage + Scheduled + Train + Links 1101\G
    - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\Hybrid.pif (depth 3)
      Command line: 1101\Hybrid.pif 1101\G
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 5 127.0.0.1
      Signatures: Runs ping.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\G
  Filesize: 2.1MB
  MD5: af3809ce527bfc88548eca74523b4570
  SHA1: 85f2fed57c547b5955c6062a3e2a57e40837ec9f
  SHA256: 7662801ff3af15a7d8cf6d82640b24410d2253dbe2950aac385b9a2a4d90affc
  SHA512: 4b4c11c596d2c8491c4c28c4b088598043ac765622ff37a19845e292339acae4b18d4b097a033d698ade81512d799f9ca31a938ec1cffe4fa1760c19d69fb143
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\Hybrid.pif
  Filesize: 872KB
  MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
  SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
  SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
  SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Derived
  Filesize: 157B
  MD5: 45dc162ecf97026475c5e414296e0677
  SHA1: d18ce3307ca0156251112bd9495f9a5cf393184f
  SHA256: 420ec741901cf4ccd054a6d4ae24b6136afbf2bac205d32e278b29ff6ec4837c
  SHA512: bd9f43091d83b000cf993729d9684c995a31794b20796fa3d80638c46956b1bbb8075af8112e87a103656754dea08cd681e0b37eb6786a63a3f6c66864fad078
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Distinguished
  Filesize: 207KB
  MD5: e1d01f7ce1038846d788109b2f4d7dfd
  SHA1: bd9603494f6ce603c0bf9d62ee0eca315044b4ab
  SHA256: 33cb3169611235ae15daf74d45f1f176d07a0565546f9d6aef8ce3d2d19cb271
  SHA512: 182ee12898ab57d4e19739e321fa4b0c439a22fe52ae261743b88ea9b6099792f0b10841943aa06fa241b52e8d77ebe7a2290403b402076f9923793ec978338c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Drum
  Filesize: 59KB
  MD5: 0f7afb5dfabb33ac13c0b0eff637f183
  SHA1: 019536a338337eafdc55b051c0d8e070737b71df
  SHA256: 5a9b12cb9bb2ee1903de9804fc5211404637cde7f355df6d15ac0217b27b9522
  SHA512: 2015282fc84d4adcbba163aa7795a625db6d3d0014d1905a0c0fdfd63390da669020d280b292366cc89d58b0990c22729c808cff63644f37ddc281b27e36126a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Intelligent
  Filesize: 239KB
  MD5: ceb0bc55d58cd3120e6eb769fd10255b
  SHA1: e8e32df8ec409975c24cfff67175fcc3ea18c6b1
  SHA256: 3048f03f77975b35adb8ffe1145ca8e99f52a94547d1cc0d31803141ebee49c0
  SHA512: fcd552871e0e1113833fc1cb80f6944db6ece49e4f3cc83bcf9e3d327ee8d1c33e179c6751a7203b524e61188755b425680131119d00e2986417a26dce27d26e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Leader
  Filesize: 288KB
  MD5: daed67e8ea6d3339b4b36c6ee4d34efb
  SHA1: a66032c00543a511e767b45dd75813141850cc38
  SHA256: b3c75b7e13bc5f2cf65798660093f1b69b5095bb7b19460ae09fb98af218a063
  SHA512: 1932aeb571f1aa1b74fa1f3926bb9986b717dc1a917f5bee29a362f0b41c601b564efab35c9d040528a8f36317dfc0844dcce118fc2c0700ff328f73b8993ab0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Links
  Filesize: 171KB
  MD5: 46f5fe0c1139d9b705ed18fec7dd2223
  SHA1: 23f0f81ee9f1d717c41f8c59a931009a86f8adea
  SHA256: 5573cb0df10db4968aded57db48a4226f8848c352ce67ee1dcab44d50dba80ae
  SHA512: 0a14b7559509b434f86418cf8a5cc59c1bc4ac0ef515ea7b11af5c5082d5b3a95c20770b1f1306af2ca63b3e74a0c5ca050f6c959e32b9d3f114a56a4f8d8733
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Look
  Filesize: 9KB
  MD5: a490c62a3d69d20520eba13415b08ef2
  SHA1: 321263239b797236e32969d4ff308650a4ce7be1
  SHA256: 0f1c3a27364776865b6bca1a5a4b361bf79e9994d04f260622e3deca5e468c60
  SHA512: 753b57cf945346a2dd326cd5284dd8beabf75dd39d4aece1325b2e8af2c689bf9eded6d58e00b581008785c1ad19eff64caf4cc9368353eb5dd7fe56ca39f817
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lot
  Filesize: 234KB
  MD5: 5b045dad25282c6e2bb9a71ce09aa176
  SHA1: 9571323c5a442dc51ae0e745c562ae08a8b4b0a7
  SHA256: bc471df2c14409aaa58b5547db8d74309cbb23d9b1733fb0a51176fe13e79b94
  SHA512: 427f67588b1b4734152664888ce68ca063e4407cfee8ae6cb1eafd8ecc01001a6fc3529137744622efc02d84eddcec49190a0d7937c598fda4cc3140928639af
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mileage
  Filesize: 220KB
  MD5: 88342b907d5a7d41a1e631ed2c2a7fcc
  SHA1: 4a79ad51d45d683dbf3a5845e2f5b7aa9dd3edf5
  SHA256: 8b7e0060e3ab775e6728c07c4f89c79070202724af448f0b8fcc64164550c586
  SHA512: 071be2c875f667c8bdde0e2a4629bdd273954e2d78a8593732c45fb51ea83415927bef07d2aa7794972a27f5707cbf089f8670941186a624cee21d0dd498dc36
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Music
  Filesize: 201KB
  MD5: a20be0eadf873f0ec5e99dfc7f49a7a6
  SHA1: f855b492a60363a747bb734048ac0d63314933cb
  SHA256: 3278df7fa844c16802ff988565687e71939132993d5ff16d25ff4dd605278a79
  SHA512: 0aa118546118b54ce2af64dfab00d092ac5a583b391a84692f129ecb331cbd53af4ede5abf6084d901a8e5394d8018720ed56781dd17b6139e0b2f761e620130
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Outer
  Filesize: 277KB
  MD5: 0c2093a27ccbe8dbe228567478ccf6da
  SHA1: fb5741b7059da90181f856dbbc64cd652d0a9bca
  SHA256: f1865e3db735fedc8f1a6af348b85469edf8bae4867f99cdf1c4cba44ec2a61c
  SHA512: b7813c97fdf2ff0244db85aad7773d6685887072b7d7061cc68961d95ba04fc7592dee31d32150f2a1f7acdb4d1b2a7d29bf4b6a0c5c3298fc094f8b7bec9ab3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scheduled
  Filesize: 226KB
  MD5: a1ccff3b7811ccf1caf939ae8ff9da68
  SHA1: 24b89b36dece40a0092cb7e658e7f0e9657e0ffe
  SHA256: 9329113e849d44379b06643ec9a5dd1229b0a8734de8b180cb329106357497c3
  SHA512: 91001e3b9b8145bc352da29edf2030dd7e0b425c23f97684ddea483f4d88e168cb4d18077c4e00e6879306965e7df5b64b62fbb7ce2d0e4fed7435bdecd066ef
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Textile
  Filesize: 255KB
  MD5: d4ef7c4d836f9fd404054860e465559a
  SHA1: 3dc79a821f859977426b37dc4202d41b10811748
  SHA256: 93b5f2916aa4ddfcdc7d7a57fd72806df4632c8b18bb0cac7b15a65de572e508
  SHA512: a6949541727b826658fe92ea76d6a663507aa67f2ecc78da69696fb3904e196832b30d294014c240dfa188b70f0f1263f4cdec9e6941b03bc1dcdc77a322f439
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\These
  Filesize: 299KB
  MD5: 3d0e777794fdaa4c587b586809f577e4
  SHA1: 173a209f4bcd889a1e42c4428dafe1b715daa314
  SHA256: ae6c6ea85a8c7c62d924e94c1f460c7251391560c9a1f9eb83106053f8219396
  SHA512: 59b6a02210f938af63c0ca12809294dce25eed3d4facca791a57ff087428fa2f07ff16bde3c8e8a5de1ffa4e38a67691512f33f119e270a3266c3a86e66a12c5
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Train
  Filesize: 252KB
  MD5: 2245703aa2c03ea2dca11fbff17349f5
  SHA1: 23b6672dc1c7e4b5e53cc57862683e67441d3f77
  SHA256: 1d8371757f071b136eadd4e8b3f0d4d74b8a42c1ac9a3a7324d5a579ec78bfd9
  SHA512: 1de227e090fa55675ff01a0858f785ca8bff8fa7009f3293626dfd416960a843593673712614fe43a31145de5c9e8bb77ab9a6d1bab6ea00ad12b6b8aaa194a2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Warnings
  Filesize: 58KB
  MD5: d12d868e8e8fd8dbb557494ed84fe552
  SHA1: e550ebbc506de886f4c1bfeb2fa6faf1637b9f36
  SHA256: 7d2f505cb2e7b048e386d6c43606d06fc865ee61760920b1b709e3dfb32bf1ef
  SHA512: 95b707d4176b188a070823a6805f27a8fab1cfde1f9a72071746696cebf6d8cb633c8fe85adbb4c2bd6ba1d9a5e58934b74a555498d92054119088c982f653b9
- memory/3284-40-0x00000000777A1000-0x00000000778C1000-memory.dmp
  Filesize: 1.1MB