Analysis Overview
SHA256
ef63fd911b2fae0822c9c35e513b9660890dd09e131add652856f8d5e3586162
Threat Level: Shows suspicious behavior
The file [CRACKED BY L1nc0In] Celestial.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Themida packer
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 23:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 23:57
Reported
2024-06-11 00:42
Platform
win7-20240419-en
Max time kernel
1565s
Max time network
1566s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1732 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1732 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1732 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 23:57
Reported
2024-06-11 00:42
Platform
win10-20240404-en
Max time kernel
615s
Max time network
1596s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\CelestialPatcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Celestial.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Celestial.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Celestial.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Celestial.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\CelestialPatcher.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\CelestialPatcher.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3584 wrote to memory of 8 | N/A | C:\Users\Admin\Desktop\CelestialPatcher.exe | C:\Users\Admin\Desktop\Celestial.exe |
| PID 3584 wrote to memory of 8 | N/A | C:\Users\Admin\Desktop\CelestialPatcher.exe | C:\Users\Admin\Desktop\Celestial.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar"
C:\Users\Admin\Desktop\CelestialPatcher.exe
"C:\Users\Admin\Desktop\CelestialPatcher.exe"
C:\Users\Admin\Desktop\Celestial.exe
"Celestial.exe"
C:\Users\Admin\Desktop\Celestial.exe
"C:\Users\Admin\Desktop\Celestial.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 59fb8397f884573a975ab45c4fa213ea |
| SHA1 | 74618ae7c949d0fb2614e7ff633f50bd5160cd6c |
| SHA256 | f70f95d3e6e48c35829d1c128ad6640da09dc2430fb072fcb0d756e154365415 |
| SHA512 | 9905a2fbfbff5bc28a880c276bc4487b97fb61e94e04f74d6f55a987ad2ad7136c7f41d7cb43c86ba59ebcfb71bf30e6b1b7e159ec4be1cbf8a7916b9d2d27da |
C:\Users\Admin\Desktop\CelestialPatcher.exe
| MD5 | ee61359e7e1ceaed2a297f66baa7c7fc |
| SHA1 | 01e5940c52ca2db5c295fd4865f2db9bfa720653 |
| SHA256 | 02ac9261c1588b3d464c112cc34b4b29e315ec9f0c2d305f6d8567fc92bd9b90 |
| SHA512 | 1a6bfe99e0289c7e9e964386a6776b7ceaee6fc13ee2fae7d21bc28a766ee2f0b8329cad4edcb92f8254374dd13fe7450029e6020f9fc6456f6fd771fd142006 |
C:\Users\Admin\Desktop\Celestial.exe
| MD5 | 86cae458b120a8c8f336d30590cc3c4f |
| SHA1 | 68f0a11a37c01f79db978ef19c03ee9c3457a6db |
| SHA256 | 4a9d64583260db1c1e4ff7d763341a1ab2bdf1d6e840dd622efad07da12a1d32 |
| SHA512 | 489eb0bc1d465c713e4670a2743499ed256bd535332e211fd37f900f3d4a707c35d9dbee391e33d07eb4a9421f4312f74ecaf924f0b86ddecfe4190186093dbb |
memory/8-75-0x000002432D9B0000-0x000002432EEF0000-memory.dmp
memory/8-76-0x000002432F270000-0x000002432F271000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celestial.exe.log
| MD5 | d78293ab15ad25b5d6e8740fe5fd3872 |
| SHA1 | 51b70837f90f2bff910daee706e6be8d62a3550e |
| SHA256 | 4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3 |
| SHA512 | 1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-10 23:57
Reported
2024-06-11 00:42
Platform
win10v2004-20240426-en
Max time kernel
1355s
Max time network
1178s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\[CRACKED BY L1nc0In] Celestial.rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.110.63.41.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |