Analysis
- max time kernel: 1565s
- max time network: 1566s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 10-06-2024 23:57
Static task: static1
Behavioral task: behavioral1 (the run reported on this page: platform windows7_x64)
- Sample: [CRACKED BY L1nc0In] Celestial.rar
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: [CRACKED BY L1nc0In] Celestial.rar
- Resource: win10-20240404-en
Behavioral task: behavioral3
- Sample: [CRACKED BY L1nc0In] Celestial.rar
- Resource: win10v2004-20240426-en
General
- Target: [CRACKED BY L1nc0In] Celestial.rar
- Size: 13.1MB
- MD5: 636c1ebadd92b21114fcb17c5c640032
- SHA1: 22eb7705a181bd1a0b1291c1304470e31761774d
- SHA256: ef63fd911b2fae0822c9c35e513b9660890dd09e131add652856f8d5e3586162
- SHA512: f9490f7354b025a8cba4d198e624beb5ec4ee5ce46c75ffca34fcd03b368beddacd9492ed2dfefdb0eb39d693092ccec56fbff3ffd652d3a58dcb68c6b076d04
- SSDEEP: 196608:LwKLUXdrrtFo6FH4tLKQEhkGTktUr8cNCZiX54kSIRwR8H6G5/Qj3d3GxPaP7QMs:Z+dfF/TNdNCZiJ3RcZ423d2g0X
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Process: rundll32.exe
  Description: Key created
  IoC: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: rundll32.exe (PID 2404)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: cmd.exe (PID 1732) wrote to memory of rundll32.exe (PID 2404); the same source/target pair is recorded three times
Processes
- C:\Windows\system32\cmd.exe (PID 1732)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2404, child of PID 1732)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam

How to read this tree: shell32.dll,OpenAs_RunDLL is the Windows "Open With" dialog, which the shell launches when a file type has no registered handler. The sandbox started the .rar directly with cmd /c, and nothing in the Windows 7 image is associated with .rar, so the archive was never extracted and nothing inside it ran. The only two processes are the launcher and that dialog; the WriteProcessMemory events are consistent with cmd.exe creating its child, and the Classes\Local Settings key and the GetForegroundWindow activity are the dialog's own. Treat this as a failed detonation, not as evidence about the sample: to observe behaviour, resubmit the extracted contents (or an archive the analysis image can open) and check the hashes in General against the file you actually extracted.
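A triage check for this failure mode, added here as an example and not part of the Triage report: it rebuilds the process tree and WriteProcessMemory edges from the report's own lines and decides whether the sample ran or only the Open With dialog did. The process records and the flattened WriteProcessMemory line are copied from this page; the contrast case (PIDs 1000/1010/1020, sample.exe, svchost.exe) is constructed to show the check passing, and the decision rule itself is an assumption of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# rundll32 invocation Windows uses to show the "Open With" dialog for a file type
# with no registered handler (what this report's process tree shows).
OPENAS_RE = re.compile(r"shell32\.dll,\s*OpenAs_RunDLL", re.IGNORECASE)

# WriteProcessMemory IoC as rendered in the Signatures section:
# "PID <writer> wrote to memory of <target> ..."
WPM_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]  # None marks the sandbox launcher (root of the tree)
    cmdline: str


@dataclass
class Verdict:
    detonated: bool
    reason: str
    dialog_pids: List[int] = field(default_factory=list)


# Process records copied from the Processes section of this report.
REPORT_PROCS = [
    Proc(1732, None, r'cmd /c "C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar"'),
    Proc(2404, 1732, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
                     r'C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar'),
]

# The flattened WriteProcessMemory line exactly as it appears in the Signatures section.
REPORT_WPM_LINES = [
    "cmd.exedescription pid process target process "
    "PID 1732 wrote to memory of 2404 1732 cmd.exe rundll32.exe "
    "PID 1732 wrote to memory of 2404 1732 cmd.exe rundll32.exe "
    "PID 1732 wrote to memory of 2404 1732 cmd.exe rundll32.exe",
]

# Constructed contrast case (not from the report, hypothetical PIDs and names):
# the launcher started a real child, and that child wrote into a third process.
CONTRAST_PROCS = [
    Proc(1000, None, r'cmd /c "C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    Proc(1010, 1000, r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    Proc(1020, 1010, r'C:\Windows\system32\svchost.exe'),
]
CONTRAST_WPM_LINES = ["PID 1000 wrote to memory of 1010", "PID 1010 wrote to memory of 1020"]


def parse_wpm_edges(lines: List[str]) -> Set[Tuple[int, int]]:
    """Extract (writer_pid, target_pid) pairs; repeated IoC rows collapse to one edge."""
    edges = set()
    for line in lines:
        for m in WPM_RE.finditer(line):
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def assess(procs: List[Proc], wpm_edges: Set[Tuple[int, int]]) -> Verdict:
    """detonated=False when the launcher's only children are Open With dialogs."""
    roots = [p for p in procs if p.ppid is None]
    if len(roots) != 1:
        return Verdict(False, f"expected one launcher process, found {len(roots)}")
    launcher = roots[0]
    dialogs = [p.pid for p in procs if OPENAS_RE.search(p.cmdline)]
    children = [p for p in procs if p.ppid == launcher.pid]
    if children and all(c.pid in dialogs for c in children):
        # Nothing but the dialog ran. The only WPM edges that explain themselves
        # are launcher -> dialog (process creation); anything else deserves a look.
        expected = {(launcher.pid, d) for d in dialogs}
        stray = sorted(wpm_edges - expected)
        reason = "file type has no handler in the sandbox image; only the Open With dialog ran"
        if stray:
            reason += f"; unexplained WriteProcessMemory edges {stray}"
        return Verdict(False, reason, dialogs)
    if not children:
        return Verdict(False, "launcher spawned nothing", dialogs)
    return Verdict(True, "launcher spawned a child other than the Open With dialog", dialogs)


if __name__ == "__main__":
    for name, procs, lines in (("report", REPORT_PROCS, REPORT_WPM_LINES),
                               ("contrast", CONTRAST_PROCS, CONTRAST_WPM_LINES)):
        v = assess(procs, parse_wpm_edges(lines))
        print(f"{name}: detonated={v.detonated} ({v.reason})")
```

The rule is deliberately narrow: it only calls a run "not detonated" when every child of the launcher is the Open With dialog, so a sample that spawns the dialog for a decoy document and also runs a payload still counts as detonated, and any WriteProcessMemory edge that is not launcher-to-dialog is surfaced in the reason instead of being explained away.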