Analysis
- max time kernel: 66s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 17:07
Behavioral tasks
- behavioral1: Sample Celery/Celery Bootstrapper.exe, Resource win7-20240220-en
- behavioral2: Sample Celery/Celery Bootstrapper.exe, Resource win10v2004-20240426-en
- behavioral3: Sample cstealer.pyc, Resource win7-20240220-en
- behavioral4: Sample cstealer.pyc, Resource win10v2004-20240419-en
General
- Target: cstealer.pyc
- Size: 39KB
- MD5: 8c90ffe525d980a3115be90a6a275a2d
- SHA1: 8bab4eec2c508a8735bb218affbf0e83f8bd9cb7
- SHA256: 450a0bdf0c033773d23c4e163ce7022addd8a7650e14e8371d3c4b832ece2b79
- SHA512: 29f5615b0eb37756b57052f9efa296d6543a654ebe84d88dd529df9c45358312edae916378b04a4852218fde7395141ba314c1aa408029edeea43f6af4a7586f
- SSDEEP: 768:fu46JcMk17WnMGF+5JsylM3jprKBBbxoZUM4PqVfqrY9Wygqxie3HrKl4HYiBeHP:FgdkW0JsyC3F6OUM6qVirY9WygWiMujP
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  4580 | NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  pid | process
  2172 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: OpenWith.exe
  pid | process
  2172 | OpenWith.exe (the same entry is reported 17 times)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description | pid | process | target process
  PID 2172 wrote to memory of 4580 | 2172 | OpenWith.exe | NOTEPAD.EXE
  PID 2172 wrote to memory of 4580 | 2172 | OpenWith.exe | NOTEPAD.EXE
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (child of OpenWith.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
    - Opens file in notepad (likely ransom note)