Analysis
-
max time kernel
44s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
04-08-2024 16:44
Behavioral task
behavioral1
Sample
celery installer.exe
Resource
win7-20240708-en
General
-
Target
celery installer.exe
-
Size
3.1MB
-
MD5
45f959942912fbcd1653b538332c5ec9
-
SHA1
7fdcd65b7bd7d5bdbc279e0b4fa6eebb8c36fca1
-
SHA256
6b400e1fc91d48c849aa79f355b641d35658188d668686ad7192333e9b92a1ae
-
SHA512
9072548e7a5e8f92a910c8621ff1a67fba6dcc4aa3c7af82047bdfdb86165d6d3466ed32081ef87816ccc04b6549367ec65fa2d69e8865ef0d42b6befe26f466
-
SSDEEP
49152:PvflL26AaNeWgPhlmVqvMQ7XSK5+DkE2Hak/+F+oGdzuLTHHB72eh2NT:PvtL26AaNeWgPhlmVqkQ7XSK5+DbQC
Malware Config
Extracted
-
family
quasar
-
version
1.4.1
-
botnet (Quasar tag)
Office04
-
c2
Joesnazzy-26854.portmap.host:26854
-
mutex
0e3df0a7-c843-43da-81c8-d9c01f85801a
-
encryption_key
FE31C9B3146C7F6C565D8024D45CF71A2F7A3888
-
install_name
celery.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
windows defender
-
subdirectory
SubDir
Signatures
-
Quasar payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2348-1-0x0000000000A20000-0x0000000000D44000-memory.dmp    family_quasar
C:\Windows\System32\SubDir\celery.exe                                         family_quasar
behavioral1/memory/1824-8-0x0000000000D80000-0x00000000010A4000-memory.dmp    family_quasar
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
1824   celery.exe
-
Drops file in System32 directory 5 IoCs
Processes:
description                   ioc                                     process
File opened for modification  C:\Windows\system32\SubDir\celery.exe   celery installer.exe
File opened for modification  C:\Windows\system32\SubDir              celery installer.exe
File opened for modification  C:\Windows\system32\SubDir\celery.exe   celery.exe
File opened for modification  C:\Windows\system32\SubDir              celery.exe
File created                  C:\Windows\system32\SubDir\celery.exe   celery installer.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid    process
2052   schtasks.exe
2456   schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   2348   celery installer.exe
Token: SeDebugPrivilege   1824   celery.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid    process
1824   celery.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        pid    process                target process
PID 2348 wrote to memory of 2052   2348   celery installer.exe   schtasks.exe
PID 2348 wrote to memory of 2052   2348   celery installer.exe   schtasks.exe
PID 2348 wrote to memory of 2052   2348   celery installer.exe   schtasks.exe
PID 2348 wrote to memory of 1824   2348   celery installer.exe   celery.exe
PID 2348 wrote to memory of 1824   2348   celery installer.exe   celery.exe
PID 2348 wrote to memory of 1824   2348   celery installer.exe   celery.exe
PID 1824 wrote to memory of 2456   1824   celery.exe             schtasks.exe
PID 1824 wrote to memory of 2456   1824   celery.exe             schtasks.exe
PID 1824 wrote to memory of 2456   1824   celery.exe             schtasks.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\celery installer.exe
command line: "C:\Users\Admin\AppData\Local\Temp\celery installer.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
-
  C:\Windows\system32\schtasks.exe (child of PID 2348)
  command line: "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2052
-
  C:\Windows\system32\SubDir\celery.exe (child of PID 2348)
  command line: "C:\Windows\system32\SubDir\celery.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1824
-
    C:\Windows\system32\schtasks.exe (child of PID 1824)
    command line: "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID:2456
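The persistence chain above (installer in a user-writable Temp path, dropped copy under System32\SubDir, then schtasks creating an ONLOGON task named "windows defender" at RunLevel HIGHEST, twice) is the kind of sequence a hunt query over process-creation telemetry should catch without relying on the file hash. The following is an added example, not part of the sandbox report or of Quasar's own code. It runs a small rule set over constructed process-creation records that mirror the report's process tree (the pids, paths and command lines are copied from the report; the benign "Backup" task and the masquerade-name list are assumptions made for the example), and reports every schtasks invocation that trips at least two rules.

```python
import re

# Constructed process-creation records that mirror the report's process tree.
# Not real telemetry: pids/paths come from the report, the benign control is invented.
SAMPLE_EVENTS = [
    {"pid": 2348, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\celery installer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\celery installer.exe"'},
    {"pid": 2052, "ppid": 2348, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "windows defender" /sc ONLOGON '
                r'/tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f'},
    {"pid": 1824, "ppid": 2348, "image": r"C:\Windows\system32\SubDir\celery.exe",
     "cmdline": r'"C:\Windows\system32\SubDir\celery.exe"'},
    {"pid": 2456, "ppid": 1824, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "windows defender" /sc ONLOGON '
                r'/tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f'},
    # benign control (constructed): an ordinary daily task from a normal install path
    {"pid": 3001, "ppid": 900, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 '
                r'/tr "C:\Program Files\Backup\backup.exe"'},
]

# IoCs lifted from this report's extracted Quasar config (startup_key, subdirectory, install_name)
QUASAR_TASK_NAME = "windows defender"
QUASAR_INSTALL_PATH = r"c:\windows\system32\subdir\celery.exe"

# Analyst-chosen masquerade names (an assumption for this example, not from the report)
SECURITY_PRODUCT_NAMES = {"windows defender", "microsoft defender", "windows update", "antivirus"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM32_SUBFOLDER = re.compile(r"^c:\\windows\\system32\\[^\\]+\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {flag: value} for a 'schtasks /create' command line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    first = toks[0].lower()
    if not (first in ("schtasks", "schtasks.exe") or first.endswith("\\schtasks.exe")):
        return None
    args, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            flag = toks[i][1:].lower()
            # a flag consumes the next token as its value unless that token is another flag
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[flag] = toks[i + 1]
                i += 2
                continue
            args[flag] = True
        i += 1
    return args if "create" in args else None


def assess(event, by_pid):
    """List the reasons a schtasks event looks like RAT persistence; None if not schtasks /create."""
    args = parse_schtasks(event["cmdline"])
    if args is None:
        return None
    tn = str(args.get("tn", "")).lower()
    tr = str(args.get("tr", "")).lower()
    reasons = []
    if tn in SECURITY_PRODUCT_NAMES:
        reasons.append("task name masquerades as a security/OS component")
    if str(args.get("sc", "")).upper() == "ONLOGON" and str(args.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs at every logon with highest privileges")
    if SYSTEM32_SUBFOLDER.match(tr):
        reasons.append("action binary lives in a subfolder of System32 (weak signal on its own)")
    parent = by_pid.get(event["ppid"])
    if parent and (USER_WRITABLE.search(parent["image"]) or parent["image"].lower() == QUASAR_INSTALL_PATH):
        reasons.append("created by a process running from a user-writable or dropped path")
    if tn == QUASAR_TASK_NAME and tr == QUASAR_INSTALL_PATH:
        reasons.append("exact match on this report's Quasar startup_key and install path")
    return reasons


def hunt(events, min_reasons=2):
    """Return (pid, reasons) for every schtasks /create event scoring at least min_reasons."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        reasons = assess(e, by_pid)
        if reasons and len(reasons) >= min_reasons:
            hits.append((e["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: " + "; ".join(reasons))
```

The System32-subfolder rule is deliberately weak (plenty of legitimate binaries live in subfolders of System32), which is why the hunt requires two independent reasons before it reports; the parent-process rule is what ties the second schtasks call (PID 2456) back to the dropped celery.exe rather than to the original installer.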
MITRE ATT&CK Enterprise v15