e73b3c939cf1dc3054fb57ec128cb139d369a46f042f7e5129eab36f1bfba109

Analysis

max time kernel
1789s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celery/Celery V2.exe
Size

287.0MB
MD5

b69b8bbe558142582d2877ad31457857
SHA1

31332c0162acd3da9b53cd5738b3589777ae0fe6
SHA256

d18f26391a2fdd397d1744e999ebed2abf76890afb05b37542cf1565c932a52e
SHA512

49f7b1bad517516b8255ee490755ab3e8497ae458f45617e3131ef5ed0eb7026291aa024c63b55a6a59b0c4d0ce1cfc89a726e42b72380012eca3af95c45d6ef
SSDEEP

24576:WbSqndca7b4b9Be8R00phMRBuTpFNc/GreAVmYq3/Dqaol2afRZ6K0/lPjDPlr9:M5bb4BrRdIi0We1Ydak2apyNPX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Ok.pif

description pid process target process

PID 4588 created 3336 4588 Ok.pif Explorer.EXE

description	pid	process	target process
PID 4588 created 3336	4588	Ok.pif	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Celery V2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Celery V2.exe

Executes dropped EXE 2 IoCs

Processes:

Ok.pifOk.pif

pid process

4588 Ok.pif
848 Ok.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ok.pif

description pid process target process

PID 4588 set thread context of 848 4588 Ok.pif Ok.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2440 tasklist.exe
3176 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3328 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Ok.pif

pid process

4588 Ok.pif
4588 Ok.pif
4588 Ok.pif
4588 Ok.pif
4588 Ok.pif
4588 Ok.pif
4588 Ok.pif
4588 Ok.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2440 tasklist.exe
Token: SeDebugPrivilege 3176 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Ok.pif

pid process

4588 Ok.pif
4588 Ok.pif
4588 Ok.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Ok.pif

pid process

4588 Ok.pif
4588 Ok.pif
4588 Ok.pif

pid	process
4588	Ok.pif
848	Ok.pif

description	pid	process	target process
PID 4588 set thread context of 848	4588	Ok.pif	Ok.pif

pid	process
2440	tasklist.exe
3176	tasklist.exe

pid	process
3328	PING.EXE

pid	process
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif

description	pid	process
Token: SeDebugPrivilege	2440	tasklist.exe
Token: SeDebugPrivilege	3176	tasklist.exe

pid	process
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif

pid	process
4588	Ok.pif
4588	Ok.pif
4588	Ok.pif

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Celery V2.execmd.exeOk.pif

description	pid	process	target process
PID 3116 wrote to memory of 232	3116	Celery V2.exe	cmd.exe
PID 3116 wrote to memory of 232	3116	Celery V2.exe	cmd.exe
PID 3116 wrote to memory of 232	3116	Celery V2.exe	cmd.exe
PID 232 wrote to memory of 2440	232	cmd.exe	tasklist.exe
PID 232 wrote to memory of 2440	232	cmd.exe	tasklist.exe
PID 232 wrote to memory of 2440	232	cmd.exe	tasklist.exe
PID 232 wrote to memory of 3400	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 3400	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 3400	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 3176	232	cmd.exe	tasklist.exe
PID 232 wrote to memory of 3176	232	cmd.exe	tasklist.exe
PID 232 wrote to memory of 3176	232	cmd.exe	tasklist.exe
PID 232 wrote to memory of 4600	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 4600	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 4600	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 3640	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 3640	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 3640	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1692	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 1692	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 1692	232	cmd.exe	findstr.exe
PID 232 wrote to memory of 1328	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1328	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1328	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 4588	232	cmd.exe	Ok.pif
PID 232 wrote to memory of 4588	232	cmd.exe	Ok.pif
PID 232 wrote to memory of 4588	232	cmd.exe	Ok.pif
PID 232 wrote to memory of 3328	232	cmd.exe	PING.EXE
PID 232 wrote to memory of 3328	232	cmd.exe	PING.EXE
PID 232 wrote to memory of 3328	232	cmd.exe	PING.EXE
PID 4588 wrote to memory of 848	4588	Ok.pif	Ok.pif
PID 4588 wrote to memory of 848	4588	Ok.pif	Ok.pif
PID 4588 wrote to memory of 848	4588	Ok.pif	Ok.pif
PID 4588 wrote to memory of 848	4588	Ok.pif	Ok.pif
PID 4588 wrote to memory of 848	4588	Ok.pif	Ok.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\Celery\Celery V2.exe
"C:\Users\Admin\AppData\Local\Temp\Celery\Celery V2.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Somebody Somebody.bat && Somebody.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:3400

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
cmd /c md 330573
4⤵
PID:3640

C:\Windows\SysWOW64\findstr.exe
findstr /V "sittingoperatednudeaccomplish" Indiana
4⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Vbulletin + Organizer + Harold + Aggressive + Outlet + Reminder + Suited + Kent + Option 330573\z
4⤵
PID:1328

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330573\Ok.pif
330573\Ok.pif 330573\z
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:3328

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330573\Ok.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330573\Ok.pif
2⤵
- Executes dropped EXE
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330573\Ok.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330573\z
Filesize
2.1MB

MD5
642c8e45758036cc7c42b98bb27bd2ad

SHA1
e6996e9ebbb60c319c970e387501e35c90569460

SHA256
1fd33d33d21708287b51385bc17fa8c3288d889f71525bfc314191a453999dc5

SHA512
03a1a6f63545f198555e91530751fd7984c4342df42e484cc8131f4f2d1f67df9b09158e226d9a7ff8be7cdd81a6b764cfa09db0e40b6926fb5bf2f65c345b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aggressive
Filesize
219KB

MD5
9690b2dd473cf209022e3eaa6834806a

SHA1
aa4a2b0bc289762aa4186f5adee3a755958195db

SHA256
f64b3d4e9a90a36ff5d2a9352550ed953462e35321d36735a8afb95e0b652743

SHA512
d0e2b02193390bac25024cc00ca76a7ffb459b0f85cda04143c2ce4fc26681ddafa3e1cc219d15cf2a5805efed067400994ed4927d9920305fee240cf8c73239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Autos
Filesize
81KB

MD5
40d2d6e2ffed5fe2edae0937940f545a

SHA1
36651bc47b82c147f982636f14f93e48617d0600

SHA256
9a12748d5a3c6e274f71c000c85353b5ab22a616c7a90b0d712aaf1115ff1fc7

SHA512
62519a5e6450cb498d35545de5863bdf08ba95bbbf72698fbce238819bf2cad26860dfb28bc3c9358916aaccd29f3f2d35443ae8ff324230b8e0335e6fc5824f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cigarettes
Filesize
200KB

MD5
b2dcd8a89d61b67dffe7fab92c86d42b

SHA1
0efd91fad3b3cb742afa16592fd85d78420f7667

SHA256
bbf59ecead28a76e3d3cae7be7cf8505b222fa3abc7fd3f26a2031b99a7db71b

SHA512
83e6675a2562ad411f8dce5cbb616c21817c351b711521fc8402defdcea1b9293639f0fad1c1dd8a5da7e06612993c1eadfb027dbf0e8de4c78779399ee0a7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Complexity
Filesize
20KB

MD5
e16344b9893a203c54392b9f43982f3d

SHA1
5934d10f6259b42c963b8bf43b845eb42c98fb4e

SHA256
4818e6041c65e51a16de4941b7d499691513e3c22b66d572ad3ffd6f92a631f5

SHA512
60f342a75adf9941091a9d2d829fbc2981b018c7df38aa14c9476e75e313e6b33872b1b6902d8fdf553312f9079ea7853c72a36dbf2b9a50d0765b904c41c6aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Even
Filesize
86KB

MD5
cd3c372176e33dd12d36da46754a44c6

SHA1
be5bf24b750c98a39dd8bd1a87afb68040076f1c

SHA256
917f14355ef5af68bfcfb17dda48798e8f7c5bdbc174e8a901168a2c74e50ec9

SHA512
5bd3c0117663211e9de380cafa76525e9f9ff2f1a402eb0f0bbc22c31e70c308e0a4a4be1b8ed769f655eb6aeada0fc484a6afa0e945fa23d2a09c57dc478b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Harold
Filesize
281KB

MD5
98382177fcb8f94280fe6161dc5bd947

SHA1
5b17b68b1113608ac6813b74bda9a41f96434c18

SHA256
2af18739a52648121ff89f5d5ca440c6a827b2371d808b08827da7555c43bca8

SHA512
5a8f1731eec3b2dc37342644eb450c8fd2d0feba0da2c9d414ace5ef07ff0cc622b1c145b784e69a5befa48a567e874e23490ef09e1e29199e629f0c161e71b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\He
Filesize
137KB

MD5
7328c53b25849bbfaae94346e50f6884

SHA1
def55d4b548414ed80e19f14d9c8f0b000a96009

SHA256
ace16185c0ad1a3b52d91c7f02a956f1f3354266abeb2430cf3db821b570a33b

SHA512
4d02ac36d1a5e0c8f826080492e114a4c59cef5756b938166f9db18a207c40114fbca04efa2d595701c4e5d6b3dc698dbf8db9944765999dd21412cc0084af3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Herb
Filesize
149KB

MD5
1688119d00c8a5da63a2321e1ca532ce

SHA1
6dfe155dbce255d87e4c06db93ec96d5018ddae2

SHA256
45c5d22a296843ad19409eea019c634cbb25a394ead7698460d79e886a63fcaa

SHA512
84c8685a17fd4438a7f0c9fbc9f6491dd346cc0f70ddbcf0d4fe6bd1356dc2dd7890dc4701d1b0127ceea49fd3b9563e234dfbf577cb93d96cec0f618b48cca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Indiana
Filesize
197B

MD5
ed19ffcfd341f0e04d2e4e6cee02efeb

SHA1
22216f02cb4d146a2c5f207bd4f62934e82a0cac

SHA256
58c2bdb1517566272d4b0ea2e8bcc9b61031fb44b19127c0b5cf9fb1a0739dae

SHA512
291e23d6b993c0a15bc94c1a11770f20ff449b08f1040527a55e2304cdf374d990babdd3bb74c188e63d71b1a587379b7602693eaac299c4758e6a022f69f881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kent
Filesize
248KB

MD5
09a75a7672dacb0212987b5934cc7f69

SHA1
6e2ac25ede8438ca3b2bea01707b87c430099088

SHA256
ac2c44b3e720bbc3df04dd0e2e32497bc7a508f571bf1b54fce19489c982181e

SHA512
090bf2a18e6504d061ca9f3dcfad7e4781fdbbd4840d830d6edd93a05d0cf148be8c9aad21b473f7b301b166898bde2550fc635c0862f7b8d24beb14c9e6342b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Option
Filesize
91KB

MD5
09dbf2c646acb481876674dad686b3cd

SHA1
d12b89c2721390bcce5df81b5e8e2dc11463721c

SHA256
ad09a9f6d2ccc9723227af3320344c9f76fc7c5d26b7ebca4a5fc9402437ed3b

SHA512
36b3057b16a699b795ca5293af49811285d4078380c65ecc7486d961733b5fd6a68375448fee0eeb7235f6e0d94ded5f73d510115719a04de100750cb91cfe95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Organizer
Filesize
249KB

MD5
6a0bd7dacaedfa73cea2bb32849f2d31

SHA1
a6bea8d93e5d57ac33bdc956e03e3ae4fe05adcb

SHA256
bc547361eef145bd411c033cbd548f9658fac5df197dd051e28e8bc1f39a20ae

SHA512
4867a63f3ccfb47351eefd501f35ae76e3fe7ebc2db4596b8cf0d8a486a87dd92dcc6e8aaab5d4d18bbcd8ec78dd9d51d8e65c1f7f7f8fa708a6c112f32862b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Outlet
Filesize
260KB

MD5
e1ba0a7e90985597f9b0866b326ce9aa

SHA1
597c113a65c3da1e969b865565a1a7be467c9cbd

SHA256
1c8d829da27fa3eca23d75d187c8dcc4d9c3d146720fe2199b68961015f04475

SHA512
331ff0c786d396b72b28d4b190fecd202590cd5946df1814dc812ba4c3ae08d9b89f8b96b1b27ec6d780b49febbbe3499301fd478725edf07540eb9902dd5fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reminder
Filesize
294KB

MD5
2edcb044c8cf70b6afec411b1cfaf5c8

SHA1
0246bfc0d18924736106dff7a9fc5cf6208a372b

SHA256
2eb96d615b84db034e0dd692aac5f0a239cfda3c44babc7833c2a3e369298f20

SHA512
9c458fd7e410f9950fd52a164a41792faeac5ee2aa13ea43ab74189659925bc1eb4f5288fec543c2d00810001d9ec899c742e508298c07c865881d3244964b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Requests
Filesize
151KB

MD5
a6ae575cb7aef7791cf81a60a794c924

SHA1
56cf2a645948461887a4eef5aa00fc2d76b2a343

SHA256
aea55379939f0c1b0690031b64e8338f33c9abaf7ab29ed168338e26e0652d64

SHA512
bbb39599eac28be9ae285db1c8b47c25c73443b0f12e08e425f35fc01cacec65e5467440f437e2314ac8de8a6e4a6a368375f1948ebff8372deecfef5a441661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Somebody
Filesize
15KB

MD5
7b6406e22b8b8bbd386e1b1108e6ddc9

SHA1
7ef14e132bce74f43a55d5c317205cacfba99c00

SHA256
ef8e05c01549775fdb2fc614f5e07dad510c4573f5c77a26ddd27bcb73417de0

SHA512
ffc4ae959dcf735de00b9f36c19c50757ef6a2d685626122fd17500ae49013ea2b1d22838a0859f685accc1c60bb20c5d5373588cd8d45e209a7ca711b0fc8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Suited
Filesize
290KB

MD5
3b22ce8417c532e155e553c22bbe2d70

SHA1
b40c477c3b3ce50db14a2e2241a8c4e7b9c38324

SHA256
d5b4ba3e25150ab13cc71def74e12c9d902ed7a87d6faee6818d0d9970c45945

SHA512
30b3fa14df0dac4ae64bb548ff14cf2665b19b912e598d0c4ca0a10255e8d243bb8ab8a08ca9c588eb59b79a21ebf7c6421229650f0ef718374bd3f9b34ea776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Temple
Filesize
48KB

MD5
0304133398abd9df0b208efbb0b7cf03

SHA1
2b0fe6740cdec064fec627a09119c6adaae71db4

SHA256
b6a8158b0272b83ffd4eefcc0408d89028d916560901195faaf4a8bf3da8df12

SHA512
e2873b2a01845dd161c556252e2cc507fde8f3d09e08471dbd99d87a2cefa06d49330fd03583e2279d27b18dba38e4fde7566fd2da3365212167e25af62518bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vbulletin
Filesize
208KB

MD5
02438f6759aa3e9ee883b24b1f272aa6

SHA1
b78db1e5cc6a6b6a58a4eca200ce53c1668316c6

SHA256
33377b8d3b799487eefeb40b8d9f874cf93516e5dbf1ee67671870178523d512

SHA512
7725b939d04a8891b247d6b60cbed2022ede21ec5452e4092373433f1c6391b374a42f38651af0ddbef4d060b2221ff6c920436127e00df23c7fda74dea7a5cd

Download Submit
memory/848-48-0x0000000001400000-0x000000000155B000-memory.dmp

Filesize
1.4MB

Download
memory/848-49-0x0000000001400000-0x000000000155B000-memory.dmp

Filesize
1.4MB

Download
memory/848-51-0x0000000001400000-0x000000000155B000-memory.dmp

Filesize
1.4MB

Download
memory/4588-45-0x0000000077261000-0x0000000077381000-memory.dmp

Filesize
1.1MB

Download
memory/4588-46-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download