hxxps://gofile[.]io/d/J4uHbS

Analysis

max time kernel
57s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/J4uHbS

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1800	attrib.exe
4916	attrib.exe
2244	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
4496	$77SubDir.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Windows Online Service\\$77SubDir.exe\""	Celery V3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
316	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4252	msedge.exe
4252	msedge.exe
2236	msedge.exe
2236	msedge.exe
2176	identity_helper.exe
2176	identity_helper.exe
2232	msedge.exe
2232	msedge.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
5004	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
4128	Celery V3.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	Celery V3.exe
Token: SeDebugPrivilege	4128	Celery V3.exe
Token: SeDebugPrivilege	1608	taskmgr.exe
Token: SeSystemProfilePrivilege	1608	taskmgr.exe
Token: SeCreateGlobalPrivilege	1608	taskmgr.exe
Token: 33	1608	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1608	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3088	2236	msedge.exe	83
PID 2236 wrote to memory of 3088	2236	msedge.exe	83
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4712	2236	msedge.exe	84
PID 2236 wrote to memory of 4252	2236	msedge.exe	85
PID 2236 wrote to memory of 4252	2236	msedge.exe	85
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86
PID 2236 wrote to memory of 4000	2236	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1800	attrib.exe
4916	attrib.exe
2244	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/J4uHbS
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff34af46f8,0x7fff34af4708,0x7fff34af4718
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,356708359824545899,3140641847543275506,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Celery Executor\INSTRUCTIONS.txt
1⤵
PID:5032

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows Online Service"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1800
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows Online Service\$77SubDir.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2D83.tmp.bat""
  2⤵
  PID:1420
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:316
- - C:\Users\Admin\Windows Online Service\$77SubDir.exe
    "C:\Users\Admin\Windows Online Service\$77SubDir.exe"
    3⤵
    - Executes dropped EXE
    PID:4496

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows Online Service\$77SubDir.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2244
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN Celery V3.exe
  2⤵
  PID:1480
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /Create /SC ONCE /TN "Celery V3.exe" /TR "C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe \"\Celery V3.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:760
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN Celery V3.exe
  2⤵
  PID:1104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1608

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:1336

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:2092

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:848

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:1176

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:3912

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:1560

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:4696

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:1084

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:2660

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:1608

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:2232

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:3924

C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe
"C:\Users\Admin\Desktop\Celery Executor\Celery V3.exe"
1⤵
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celery V3.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f424846d13eef75a8065348e647b5c3a

SHA1
be8a5c387e75f166f933402aca3f6e6f2129e4cf

SHA256
40be99629f284d8f3b43c24811b93d372757306f37adbaa90e785ff2604f52cf

SHA512
ffb2097c52a3baf18361348787dcb92cd10da54a25d85600184b0182d50f08420d91ac031141871868602ca788cd0eac66e302e8ecce220b2f707f8741e3d178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6c3a0da38ed31721bf66a6e7519f300a

SHA1
db05166b0c96c42e4f89402f1eecb0ce00c5ff7a

SHA256
e13bc70f7eee42221ce6f2ebe017538484dbc6ec1059450cae7c579dcb8e6199

SHA512
c38a4e591360ae323d9be207ce2af8375ce3797bd16c3da2b8ed96c480d64fd1fd3062b1cd178f7be2f01477b68fa3404c021903c51abaecc90881f96bec76f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
50a8288ad21ce40c135542cbb1dd3697

SHA1
2482e0a9294961718c134b0a8b2cfa78d738970d

SHA256
53926c1a84259224da7f249c8e87a094b106d7d93ba9eb33ccda94f4f3d69f82

SHA512
dd0333a901f35366bfbe7117517c7adfb0aad38e8a6d4b82d44662664d59f274ee159ab0499bd4aa11c18a54915f34e6ddbc82aec096f4fe5b2e63a3d8ea39cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9f9b2af38d9f0ef60d97f78b75e0f60

SHA1
346d5d7a95f42aaa6914ef57641e05efc01cc409

SHA256
f3c080e4680f3a497a09b3058aa8651aab93eeb6ad417f7a69b3dc0eff6253a3

SHA512
df65004e92f976a2ee6172e0dd253334569f90a5a5c3ddb63f25b02cc838c78d37bec158c5500dc914af79f2791ff151da225e06a3028a1b04078f95c73fa743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73d5ef11b843674476b401e5f21c60fc

SHA1
ab938fdb077bc95208a9d06d8f782cce15c3bb3c

SHA256
58377eb66ec3d126757d0f8f7b54aa66e6356f8dbad5c3a901164928d0dac1f7

SHA512
37c73771f0de1341f29fa3f064ec4cf2e45cc95cc1938e94cd597b68bffcbc32489fbc2f10ae415b26983878e0344b6ec0df33444d4bbc65a9fc329b1dc288a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2a3ea56fa1a8e25e838cf8316591319

SHA1
85222cda6656c738c72c59df67d0e4b08db9cd95

SHA256
91f3bb54ea2819c7da9c51c5d392efa141e2ae2616e408f1d3b7b13fad26dd7b

SHA512
48bc8af91b45fbe7d553f5b6440a02ab639454d5f1664336f296a260b066fde3a195e77181718096579747c71b1f0c1afbc36bf77d78cf9589d6eab90f492f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e2feb7b0651166db735c660c680edcfd

SHA1
243037adc8c4a3c775a777abc38825ad25336d6d

SHA256
7af7b9d4f389f3901ae63c63ffae7f69160e044f542fbc8626630360894bfc95

SHA512
9e0d369bf2f1916d6169cb8a591645b7fc0f3d537e5c18ca83ad70edd6943356f1cbe44744fd8dbd64da37c837e445da3be6d09277299515cf860b2ca5376b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
92617f0d00628c9c0b8d81e33058a2e2

SHA1
1ac14e0dc43a2ff89fe0782291ab38d6346a3cc7

SHA256
6c6a8f45530ba3be327a1021ea9a9d8551720c987da62e8c7f80e47bcb324dea

SHA512
d0cc4cc3e4e287bcdafaac1133333fbe258489cf7beec7cb53ba717a436fe8315023160756b9bfa067d7c6dfbc3f12fdd1b406720bf4c2d76b943c74e52fca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D83.tmp.bat

Filesize
160B

MD5
84c59624060dd5ccc17cac3414da27e9

SHA1
2661bb9b1f7008b75ecb70b6ba17d3d857fafe71

SHA256
3f6e0147d03aad5d22d85294814ea90db778a0781d8f710b4eee326700cfa86b

SHA512
596a95be5e167a00a103ae2fd974ec104f84c666dfa067e3ae4c82769d474c2205e0bd34ae61598e23f38e6175f96ea07ebdc88640b741e043d88144bfb7f048

Download Submit
C:\Users\Admin\Downloads\Celery+Executor.zip

Filesize
201KB

MD5
f064cb255063acdc07426f67e5c275fc

SHA1
2eab20e3a5e336425ec12212022e2ae58a008ed2

SHA256
c66336b2af4a04365d3351b352b10c9771e2a8d54fc9e9aa7b693b403f74c841

SHA512
6d82aa84bbbabc2903d1a734094423ae014f406f325af328fd2c112477b1e613aed0dd7d2ab31efb45b048456fb48b3ba70a90315f884f8873184cbfe914bc3f

Download Submit
C:\Users\Admin\Windows Online Service\$77SubDir.exe

Filesize
42KB

MD5
e45f3b52c904fdc1526188d71cf80cfd

SHA1
cd5894e8021e41f9f61df0b99456347be991aafe

SHA256
de2a2a99b56d3ea408c4beb7eb48407636cd2e310a4c242024cc45ea9c5427db

SHA512
f30b21f3ce4ffa932150b4f5ae3ff3ce530ed4f800c6902918f21e53e5968fef2b8903c992462d7571d96538d7c82055c241713bdf1e8dd6bb933a294cc9b0c2

Download Submit
memory/1608-126-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-132-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-133-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-138-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-137-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-136-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-135-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-134-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-128-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/1608-127-0x00000253B6A00000-0x00000253B6A01000-memory.dmp

Filesize
4KB

Download
memory/4128-160-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/5004-125-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download