12c168aed059a8a916b002d184c26825f4934f6e5d9f8cdd0a0ac46b8d3c85ba

Resubmissions

28-04-2024 17:10

240428-vp2nascg6x 7

28-04-2024 17:07

240428-vne3xace45 7

Analysis

max time kernel
72s
max time network
17s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celery.zip
Size

17.7MB
MD5

ebab6d8c1f5b0e050573ec0703438266
SHA1

a3029b01a075c714ed73af1752d481c1ac63c84c
SHA256

12c168aed059a8a916b002d184c26825f4934f6e5d9f8cdd0a0ac46b8d3c85ba
SHA512

ad6dfa9cdfb70dfac457bb3bd51b0ac2f2bda23be97659870a5248f93718fcecc73e8597a23c8dddc0eb778965e4bf0431b563f5abc976aefa1a339e942e135d
SSDEEP

393216:cwYtevhjwk+4HPAx6gfkXC6fT+op9coKmwJ8YshuR:cwCev2+Hi6gQqaOoKQYQuR

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

Celery Bootstrapper.exeCelery Bootstrapper.exe

pid	process
1292	Celery Bootstrapper.exe
1292	Celery Bootstrapper.exe
1292	Celery Bootstrapper.exe
1292	Celery Bootstrapper.exe
1292	Celery Bootstrapper.exe
1292	Celery Bootstrapper.exe
1292	Celery Bootstrapper.exe
1604	Celery Bootstrapper.exe
1604	Celery Bootstrapper.exe
1604	Celery Bootstrapper.exe
1604	Celery Bootstrapper.exe
1604	Celery Bootstrapper.exe
1604	Celery Bootstrapper.exe
1604	Celery Bootstrapper.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Celery Bootstrapper.exeCelery Bootstrapper.exe

description	pid	process	target process
PID 268 wrote to memory of 1292	268	Celery Bootstrapper.exe	Celery Bootstrapper.exe
PID 268 wrote to memory of 1292	268	Celery Bootstrapper.exe	Celery Bootstrapper.exe
PID 268 wrote to memory of 1292	268	Celery Bootstrapper.exe	Celery Bootstrapper.exe
PID 840 wrote to memory of 1604	840	Celery Bootstrapper.exe	Celery Bootstrapper.exe
PID 840 wrote to memory of 1604	840	Celery Bootstrapper.exe	Celery Bootstrapper.exe
PID 840 wrote to memory of 1604	840	Celery Bootstrapper.exe	Celery Bootstrapper.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Celery.zip
1⤵
PID:2280

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2032

C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe
"C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe
"C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe"
2⤵
- Loads dropped DLL
PID:1292

C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe
"C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe
"C:\Users\Admin\Desktop\Celery\Celery Bootstrapper.exe"
2⤵
- Loads dropped DLL
PID:1604

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI2682\api-ms-win-core-file-l1-2-0.dll
Filesize
22KB

MD5
2083c4c18b0b2d501995bf1af79bbcf1

SHA1
9cbd7dd86fba3f1829d2f9614caa83958f690e99

SHA256
01b61d57ba1290bf2640ecee28de3d240eeb09e9c664c0f4d0f9402cd1da5eaf

SHA512
5eb5455989e1dbc8655c510d2b596d422078ecef8342d9d10797eba2d8aa1562b9037ede35f00222c3cfb6f46e003bd4bd1e17faa2d19e0aeb63e970c978da23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2682\api-ms-win-core-file-l2-1-0.dll
Filesize
22KB

MD5
aaf93ef5c6eca9434286274ef91794dd

SHA1
b68cd2f56e5c840346e3ad52255a6061c1797a7b

SHA256
4413208101061038455b7e0752fb37d4108b3ec4642d10cbaddf835b3843888e

SHA512
04a30769851b829e71ba0ab3f1a76eceae565dd639047b4c6ff9952bc4d6502d117eec81e151843dfaa147894e3046a333e39d2dae2ae65effd7dc1b91368541

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2682\api-ms-win-core-localization-l1-2-0.dll
Filesize
22KB

MD5
9e1e3021560384db14b76243df9604e4

SHA1
f79a3241314f18db0b979af8e114c191d499a7c9

SHA256
197b29ba3989e8d974e29f81fbddd0731051399dc40763bda998a1e36d1c3ab4

SHA512
3187122bd3e20dc74efac802b86c612573682370a8b24c3ec7769e67de525b68c91506b85df3ea2d028d4018d14833c980ab2b220aee41b96e2dd9c9d0a67914

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2682\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
22KB

MD5
bf87834418025b5894d2130668352125

SHA1
ef15f9b1ae6fb271549dd2cef8fb11ba5633c865

SHA256
408081a4655ee846c1067aaafe462a62fa3a562341e681d0dbbf3400362f5cf7

SHA512
b115687e542fc1a7f342cf610c450dc726d79e7b8e63bb2d5761a47464796fbf8c880ed811149443734f0d47c4cf8b2694a3703004d69cbd62fbf2a96d9667ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2682\api-ms-win-core-timezone-l1-1-0.dll
Filesize
22KB

MD5
80bd4ecd52c736047b21f0c4c6bdaa95

SHA1
8ac491285818f19485351253129889839d97aedf

SHA256
04f932559f3e5eec0d929d60ab501fc0f6037e97b241e2b3ddd3ad16fedaa23c

SHA512
3f79a2c1635eec05c7a9e561842e2bed227d1d3db72b6cc34e121bfeb29755d51db707bee955a1d1e24e4faea8ef8426283b8c0820a528001851600ab20cf7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2682\python310.dll
Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2682\ucrtbase.dll
Filesize
1.1MB

MD5
8f53604f28132832353c099fadb2a54c

SHA1
7679e25d80e7d551c390e6ac6f7561bf2368f734

SHA256
5d652e1ba943587035b573e0dbcdc8a2f114030ac5cae4894805cc228dda3d22

SHA512
5b7e3775a0eca8ade32e092287342f20c80ba3f96ce2008eff5a68e0ac952087f4a19ca5f6a7bf1e3a8add8aed49ec8168238461f777445104bae9d89b99a43a

Download Submit