Analysis
-
max time kernel
105s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
01-08-2024 21:08
Errors
General
-
Target
CeleryInstaller.exe
-
Size
822KB
-
MD5
0bd82e264be214414d6dd26bac3e1770
-
SHA1
5325e64053dcf599a9c5cedec532418716f9d357
-
SHA256
60593ced1e78fd4b3fdffcd58bcde989d8e9b031b3ad9132815fdf614e0449d4
-
SHA512
842a80fed2286d06987cd2dde7ae94fc6c7986eb49cc62684f62f148973e5080df7866e1d2f81d53cb5ac95ef9d88489f6765265e29104be0ae349c6a3164592
-
SSDEEP
12288:c5SsIg0ZvkY29slOLJFbJZXM1Eg/2QAu4NRFNxIg0Z:Ru0ZvkY29+OLfzI2Q0NH10Z
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 25 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 57 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe"C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Downloads\Celery\Celery.exe"C:\Users\Admin\Downloads\Celery\Celery.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Downloads\Celery\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Celery\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\Downloads\Celery\cache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\Downloads\Celery\debug.log" --field-trial-handle=2012,i,8777223187289606736,2951318899328888261,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=1896 /prefetch:2 --host-process-id=8803⤵
- Executes dropped EXE
- Loads dropped DLL
- Network Service Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Celery\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Celery\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\Downloads\Celery\cache" --cefsharpexitsub --log-file="C:\Users\Admin\Downloads\Celery\debug.log" --field-trial-handle=2468,i,8777223187289606736,2951318899328888261,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:3 --host-process-id=8803⤵
- Executes dropped EXE
- Loads dropped DLL
- Network Service Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Celery\bin\lsp\main.exe"C:\Users\Admin\Downloads\Celery\bin\lsp\main.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3974055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\bootim.exebootim.exe /startpage:11⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116B
MD553bd3a85ae0f3c6b08b3c6a6fc58c127
SHA1686e0e83a7b5279d4efb62b0dd3cd7b9a94195cf
SHA25669b2c2fa52825ccd32572f2a9083388c8a6d799a6ac72c788fb7a63c1a18387a
SHA5123c2fdfc69977de09b71cc7dd35e3a63c269bccbbc5e065856336ec3f94fa134f57d763a72069ed98e0bea585b590f45922ae8513478e0c711d8429294e56091a
-
Filesize
1.1MB
MD55b745ee879e65f7a47c56265881f16e7
SHA1e6a90771b8f1bf53beeb7c9e4268756ff07a088d
SHA256c8944a83938c39fbea72700485db8a61ab82e1c51d8e16d5dd48de4e36a6f264
SHA5123b4bef98a1f751c3a747de0eb050828bf8474efa68aa7a26d0369f1c3b42829eaab221cb612c005a54ed5b84f19180700e51aab39adb84fe7246d9e91e6899c8
-
Filesize
6KB
MD5bcd22b9511d5383e23d875e2cf3c339e
SHA10ef86afaef536cc4b046ea2866414bb193d60702
SHA25695dd31f11ac1317559b6eee0479739930d503a4938283f5d831ac8add92ad792
SHA512c4e6821858720895c0bfae797097e3307bb7ea8f03dde4fefc16cce03b2a50fecfe8ed5c3225136fcd9d74ee0ed8673f795b410cd14890d22df58c1f03b693c6
-
Filesize
1.7MB
MD521719cf581f5cc98b21c748498f1cbfe
SHA1aaada7a02fadcbd25b836c924e936ce7d7ee0c2a
SHA2566fd2685e02ef7c92ba5080faadb44f22fee528713f5101e2841c1230cba691e6
SHA5126394ddabc7ad03895ecddb9943371935e0a2320e933b380a563eaf03d1a039c7180aee763834170c85485416b1af38b55c1dafff7311b25513369b01dce22598
-
Filesize
897KB
MD516f8a4945f5bdd5c1c6c73541e1ebec3
SHA14342762c43f54c4caafaae40f933599a9bb93cb5
SHA256636f8f865f23f2d47b73f3c16622e10b46437bbf7c89b0a2f70bae6129ab046a
SHA51204115c425c3015ee4355cde2a6e5e28ec24745ea77761a40c0986b54dc14bc67cb142986988d79df87e75ea54d21ded9384842e01cf0714b84f7378e6a13400d
-
Filesize
114KB
MD536946182df277e84a313c3811adac855
SHA1bcd21305861e22878271e37604b7b033ec347eb3
SHA2568507a4662220eca49d7d511183be801cd394f13dc0e9898c55361020fe9a4720
SHA51280b1e947b1940dccfe5be8a1ba1e8c1d9eacb122d73724a21233164f5b318fa57c249256f621f0f9c1e6a9e4c902eec58827bb899e20f2990f4ade1d685f1abd
-
Filesize
272KB
MD5715c534060757613f0286e1012e0c34a
SHA18bf44c4d87b24589c6f08846173015407170b75d
SHA256f7ad2bbbeb43f166bbbf986bdb2b08c462603c240c605f1c6a7749c643dff3fe
SHA512fcaec0c107a8703a8263ce5ccc64c2f5bfc01628756b2319fde21b0842652fbeee04c9f8f6d93f7200412d9bd9fad01494bc902501fb92e7d6b319f8d9db78d7
-
Filesize
17.3MB
MD5eeaa7f07f411869b721077bc9f998d5d
SHA1af4890e4866990a8cab38c65f51579341d09f5c2
SHA2567182d622a275b9cdabfd50a5431469c48acb8d8543bf5d5b182dd68326d64f62
SHA51291c478721a58fbf9ec23e425af114d57b5e342aa1d58b3d30242fad79188f4127514a0ca52773a624e7b54281bf219bd703549e85cfa4c2409d26a822f6a9e1a
-
Filesize
189B
MD59dbad5517b46f41dbb0d8780b20ab87e
SHA1ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e
SHA25647e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf
SHA51243825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8
-
Filesize
26KB
MD5ff34978b62d5e0be84a895d9c30f99ae
SHA174dc07a8cccee0ca3bf5cf64320230ca1a37ad85
SHA25680678203bd0203a6594f4e330b22543c0de5059382bb1c9334b7868b8f31b1bc
SHA5127f207f2e3f9f371b465bca5402db0e5cec3cb842a1f943d3e3dcedc8e5d134f58c7c4df99303c24501c103494b4f16160f86db80893779ce41b287a23574ee28
-
Filesize
62KB
MD500053ff3b5744853b9ebf90af4fdd816
SHA113c0a343f38b1bb21a3d90146ed92736a8166fe6
SHA256c5a119ec89471194b505140fba13001fa05f81c4b4725b80bb63ccb4e1408c1e
SHA512c99fcda5165f8dc7984fb97ce45d00f8b00ca9813b8c591ad86691bd65104bbb86c36b49bb6c638f3b1e9b2642ec9ac830003e894df338acfca2d11296ff9da4
-
Filesize
94KB
MD53452007cab829c2ba196f72b261f7dec
SHA1c5e7cfd490839f2b34252bd26020d7f8961b221b
SHA25618b39777ee45220217459641991ab700bc9253acaf0940cf6e017e9392b43698
SHA512a8b83a8582dfee144925a821d09c40f5730f6337b29446c3bce8b225659bdc57a48778081fa866c092d59b4108c1d992e33f9543ae2b4c7554b8ff27b5332cdf
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
25KB
MD5e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA12242627282f9e07e37b274ea36fac2d3cd9c9110
SHA2564f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11
-
Filesize
39KB
MD53ab57a33a6e3a1476695d5a6e856c06a
SHA1dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7
SHA2564aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876
SHA51258dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92
-
Filesize
390B
MD553140e18fb33e7e9a25e13f57a4190aa
SHA1dd72190319ae2b7ddb12a137f50fad2579fcc897
SHA2561cbd08945e5e8612b690e1eb663917cfb4f84f0083bf7d2c2a61f43e6c455e9b
SHA512fb9b0456c7c9d468b14db242659d2cda36f7457f9035628d92538850a509e78116972e9890edc3b69d4379aaafb6da76ff2876b446b6953e14914cdfe7dc7b94
-
Filesize
36.1MB
MD543ad962c7acda3e30300e7d0f1add3fb
SHA1362c217d315f288f375fec7289a2606ed6d4f432
SHA256534e6212f155fba25a38fba248ce7970e69335492d57443d04037b617260dd9b
SHA5123822b6b426c85a61c4d754de7c33fdfbca45c9e80f2ba52f4c6ac98ad726109e276851af3612ebb39a6cefa4de9589d412e2805a3bacf7845d2aa22189396e4b
-
Filesize
682KB
MD5d3e06f624bf92e9d8aecb16da9731c52
SHA1565bdcbfcbfcd206561080c2000d93470417d142
SHA2564ee67f0b0b9ad2898e0d70ddfad3541fbd37520686f9e827a845d1930a590362
SHA512497126af59961054155fbb8c3789d6278a1f5426000342f25f54115429ff024e629783f50f0c5350500007854712b07f7d8174ecfe60d59c4fdd5f3d72dac262
-
Filesize
1.1MB
MD534572fb491298ed95ad592351fb1f172
SHA14590080451f11ff4796d0774de3ff638410abdba
SHA256c4363d6ecfa5770b021ce72cc7d2ab9be56b0ce88075ec051ad1de99b736dbbd
SHA512e0e7deccb26b7df78d6193750bfb9aad575b807424a0a5d124bd944e568c1bb1ae29f584246f753d619081a48d2897815145028ffedd9488e9a8f102cdc67e2f
-
Filesize
1.3MB
MD55b3802f150c42ad6d24674ae78f9d3e8
SHA1428139f0a862128e55e5231798f7c8e2df34a92a
SHA2569f455612e32e5da431c7636773e34bd08dae79403cc8cf5b782b0ea4f1955799
SHA51207afbd49e17d67957c65929ca7bdfe03b33b299c66c48aa738262da480ed945712d891be83d35bd42833d5465ef60e09c7a5956df0a369ec92d3bc2d25a09007
-
Filesize
4.7MB
MD52191e768cc2e19009dad20dc999135a3
SHA1f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA2567353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA5125adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
-
Filesize
20.8MB
MD5141f621285ed586f9423844a83e8a03f
SHA19c58feee992c3d42383bde55f0ff7688bc3bd579
SHA2565592056f52768ba41aad10785d21c1b18baf850a7e6a9e35526f43a55e6ada6d
SHA512951a55bbe86a7ebecfc946bf1c9a8c629f0e09510089a79a352cd6d89b7c42e0e23fd4f26232b0e73bd6d4ec158b86728cda2ab25745abcabfafadd964b55896
-
Filesize
1.4MB
MD5cb72bef6ce55aa7c9e3a09bd105dca33
SHA1d48336e1c8215ccf71a758f2ff7e5913342ea229
SHA25647ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893
SHA512c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0
-
Filesize
10.2MB
MD574bded81ce10a426df54da39cfa132ff
SHA1eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA2567bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a
-
Filesize
459KB
MD5ce2c45983f63a6cf0cddce68778124e9
SHA16553dc5b4bc68dcb1e9628a718be9c5b481a6677
SHA2569ca8840bbb5f587848e66d08d36cb5eb30c1c448ef49ce504961ff4ac810c605
SHA512df81a3356168e78d9810f5e87ca86eb4f56e5f0cb6afdb13408b50778a2d8b18c70b02c6348cd7ba59609ab2956d28eed324706eb65d04bce1159a2d8f1e0e8f
-
Filesize
7.3MB
MD5c9b090ed25f61aa311a6d03fd8839433
SHA1f1567aa2fb1fcad3cde1e181a62f5e2bccadaf68
SHA256c7a7a59cf3c26d6c8b2505996065d49f339764f5718e6f53a9ecec8686c489db
SHA51221cd4618b6ad011afa78abe8fbc42ecafbb992322912c4a77e5f193a04aeb97a5655dedfc513e1a7667db55b92a322e3d9a6dfe7e845af25f37a6666a1798470
-
Filesize
455KB
MD5a8d060aa17ed42b6b2c4a9fcbab8a7e1
SHA116e4e544eca024f8b5a70b4f3ca339a7a0a51ebf
SHA25655e4ae861aa1cacb09db070a4be0e9dd9a24d2d45e4168824364307120a906b2
SHA5128f3820e3c5aca560344a253d068936bdb797d07eb22711020d287a949c97d7a98879ff9ff5a4fb2f3fe804bf502300b6f4c92918d973bef351d587483bc43723
-
Filesize
7.9MB
MD55955471c84eaad269c23f8a22b71f781
SHA1d625fb0b12d132fec9f91cbc7db54887589f202e
SHA256b8ae091d95e927a75a9b0a367a8ee9bc5fae0a10427eb77cb3c3460097cd4f5e
SHA512537fa6f414c7759e70ad6e70350571221ba69afaf89427c7450acf117e58a97fc7beb2a1758cf05b2ef76a14ad50e762f01b1c65d1ccbc63e4d714af445988df
-
Filesize
672KB
MD512c20b1ea7dccafb8250e13e46bc9914
SHA16ed3625dffea1ad3e1aceae4c55caaf195fd7c18
SHA2565591258720aed178de57b4e61eb59b2c4af2566caa1d18a7157cf8d0feca11d7
SHA512e520e67eba1dcf236a0daf43ec57182821b1e9142592ef471c724caf74292ed85291bd3b84fef6107ee2c258f93ea4fff2df18485537d73ddfd973b863c76727
-
Filesize
4.9MB
MD53262e23f3fef8b021b93c801f5649c92
SHA1de49b94cfc981a0af5a4e134854f69620e7ba566
SHA2561c9098e8a6f21462864a91e74555f299ebc41d3bc79d6ee1b9c577c929957285
SHA51254b0b26b95f6fc799b3e24863a65ef3896786811be3cc9fffa2a06e95e98daf32b16f0ede6b8a87acc319ea17650cdd089c56798236476b894054195738e1797
-
Filesize
1KB
MD5b84b4a29ffa5419c6f362d2a38c2aa05
SHA1fdb8b69e67b922267324cb308b01147790c392ef
SHA25628648d1593fd19838407001c2d3918841e7f65b51e7ebc874658613ab04880ed
SHA512f951a8e6d15d3461b9eb8945d2b4e82bd689ffdd097a88721db79e1636b7f9a0b0876c84b4693eade114d49446886988a3ce31e303c1ac6556a8f2956f840ec3
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
224KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
296KB
-
Filesize
16.0MB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
712KB
-
Filesize
1.8MB
-
Filesize
144KB
-
Filesize
920KB
-
Filesize
17.3MB
-
Filesize
72KB
-
Filesize
112KB
-
Filesize
1.1MB
-
Filesize
24KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
7.7MB
-
Filesize
224KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
1.5MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
840KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
7.7MB