Overview
overview
8Static
static
1Celex-Crack-main.zip
windows7-x64
1Celex-Crack-main.zip
windows10-2004-x64
1Celex-Crac...ro.exe
windows7-x64
7Celex-Crac...ro.exe
windows10-2004-x64
8stub-o.pyc
windows7-x64
3stub-o.pyc
windows10-2004-x64
3Celex-Crac...SE.txt
windows7-x64
1Celex-Crac...SE.txt
windows10-2004-x64
1Celex-Crac...DME.md
windows7-x64
3Celex-Crac...DME.md
windows10-2004-x64
3Resubmissions
26/05/2024, 13:42
240526-qz4s7age6w 8Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26/05/2024, 13:42
Static task
static1
Behavioral task
behavioral1
Sample
Celex-Crack-main.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Celex-Crack-main.zip
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
Celex-Crack-main/Adobe_Premiere_Pro.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
Celex-Crack-main/Adobe_Premiere_Pro.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
stub-o.pyc
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
stub-o.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
Celex-Crack-main/LICENSE.txt
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
Celex-Crack-main/LICENSE.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
Celex-Crack-main/README.md
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Celex-Crack-main/README.md
Resource
win10v2004-20240508-en
General
-
Target
stub-o.pyc
-
Size
114KB
-
MD5
5a4a226dba4b705346900bc3e7640320
-
SHA1
decd95d4c419ecb4eb5ff48bfc0367cfa08f1e6d
-
SHA256
5716894da8af8ff97c3e09cf19dcaed63feb59914026c3fd89ced79ced83e2fa
-
SHA512
c8beed15a89fe061047251ede2c64b166a260d284788f970d508fbafd849f4493c06105392f9da96fbcd985edb2c98b0cff793a23d02f1254d8e59802748792f
-
SSDEEP
3072:UPUJVyUkznGFpktlgYCdDfh2aeJwomcjcfGU6S:U0obnGFCgRD52L1hYeU6S
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2704 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2704 AcroRd32.exe 2704 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2392 wrote to memory of 2928 2392 cmd.exe 29 PID 2392 wrote to memory of 2928 2392 cmd.exe 29 PID 2392 wrote to memory of 2928 2392 cmd.exe 29 PID 2928 wrote to memory of 2704 2928 rundll32.exe 30 PID 2928 wrote to memory of 2704 2928 rundll32.exe 30 PID 2928 wrote to memory of 2704 2928 rundll32.exe 30 PID 2928 wrote to memory of 2704 2928 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\stub-o.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\stub-o.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\stub-o.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2704
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD599bf1eb4dccffbc408606ae3990647d6
SHA17a01156c5333cc7c9ad179c94954552c5eff4238
SHA256c1adde11a9eecbcda93bf50e2e7027faefc929622df87faf8098f1e733402312
SHA512103b6c9977aa8eb557a18292fa4540616da2fdc56dde6c5a628028bd6ba9776d1ef751e0ade61bd847aa3dd42826fcb838206b09eed4ef79592c5c29faa02489