Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-08-2024 20:58

General

  • Target

    Celestial.exe

  • Size

    297KB

  • MD5

    9b650b738d97c0e39717fe86401a6726

  • SHA1

    34f361ab5024ad4390a3906cb3fff5a7b5f7e656

  • SHA256

    e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264

  • SHA512

    a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30

  • SSDEEP

    6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs

Malware Config

Extracted

Family

xworm

C2

engineering-thoroughly.gl.at.ply.gg:32901

20.ip.gl.ply.gg:32901

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerates installed browsers and their profile data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 1 IoCs

    An adversary may gather the system time and/or time zone settings from a local or remote system.

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Celestial.exe
    "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Users\Admin\AppData\Local\Temp\1Celestial.exe
      "C:\Users\Admin\AppData\Local\Temp\1Celestial.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4612,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
    1⤵
    PID:4660
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x510 0x414
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1048
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    1⤵
    PID:456
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
    1⤵
    • System Time Discovery
    PID:2932
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
    PID:4040
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2992
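The process tree above shows the sample in the user's Temp directory (Celestial.exe, PID 3784) launching two further executables it wrote to the same directory (XClient.exe and 1Celestial.exe). That parent/child relationship is something a process-creation rule can catch independently of file hashes. The Sigma rule below is an added example and not part of the Triage report or of any vendor rule set; the installer exclusion, the severity and the false-positive note are assumptions to be tuned for the reader's environment.

```yaml
title: Executable in User Temp Spawns Another Executable from Temp
status: experimental
description: >
  Matches the tree seen in this report: an EXE running from
  %LOCALAPPDATA%\Temp starts another EXE from the same directory.
  The exclusion below is an assumption, not derived from the report.
logsource:
  category: process_creation
  product: windows
detection:
  parent_in_temp:
    ParentImage|contains: '\AppData\Local\Temp\'
  child_in_temp:
    Image|contains: '\AppData\Local\Temp\'
    Image|endswith: '.exe'
  filter_installers:
    # Assumed exclusion: installers commonly stage a helper EXE in Temp.
    Image|endswith: '\setup.exe'
  condition: parent_in_temp and child_in_temp and not filter_installers
falsepositives:
  - Legitimate installers and self-extracting archives that stage helper executables in the user Temp directory
level: medium
```

Expect this to be noisy on developer and helpdesk machines; it is a hunting rule, and the value is in correlating a hit with the other behaviours in this report (startup file written, connection to a tunnelling host on port 32901) rather than alerting on it alone.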

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1Celestial.exe

    Filesize

    162KB

    MD5

    d726f0f603538577a7e12448419fed1a

    SHA1

    1ea8047f9e825c9dd648a12c98689e1c6ad11c70

    SHA256

    e4d2faf2aa895163625ea12416ce945b256f0e13b8327152d6eb80f3ee9fc332

    SHA512

    a9643b891d7a092799ee032c032daa0e1303f639a1893fe1ea7e2830cbae12dbb0d754ebe7bbedcb2396f6bfed5539a932c8f8726b7ff13e217fc39f630b7dfd

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe

    Filesize

    66KB

    MD5

    2c2bf7640b13839dcffc5524e9ff6972

    SHA1

    4e91d65f34a33498b39419dbffee5efd8703ca05

    SHA256

    58588e19dac77c6689a6167865f9ad8f0fe531afbe4d66243d55f3e0e5a555c4

    SHA512

    980afa1660da3522c5a0d6296fb1fe9ddcb53dfa829d6d64bd9c63714147536c090f12c9f533e67187d5250b5a219a9c9aa876ee375995a2e1cb1dac1e6de65e

  • memory/2356-38-0x00007FFDE8E40000-0x00007FFDE9901000-memory.dmp

    Filesize

    10.8MB

  • memory/2356-35-0x00007FFDE8E43000-0x00007FFDE8E45000-memory.dmp

    Filesize

    8KB

  • memory/2356-79-0x0000000001510000-0x000000000151A000-memory.dmp

    Filesize

    40KB

  • memory/2356-78-0x000000001D6C0000-0x000000001D87A000-memory.dmp

    Filesize

    1.7MB

  • memory/2356-28-0x00007FFDE8E40000-0x00007FFDE9901000-memory.dmp

    Filesize

    10.8MB

  • memory/2356-76-0x000000001D0B0000-0x000000001D0D2000-memory.dmp

    Filesize

    136KB

  • memory/2356-34-0x0000000002C10000-0x0000000002C1C000-memory.dmp

    Filesize

    48KB

  • memory/2356-25-0x0000000000A90000-0x0000000000AA6000-memory.dmp

    Filesize

    88KB

  • memory/2356-36-0x000000001D110000-0x000000001D19E000-memory.dmp

    Filesize

    568KB

  • memory/2356-40-0x000000001D5A0000-0x000000001D6BE000-memory.dmp

    Filesize

    1.1MB

  • memory/2356-22-0x00007FFDE8E43000-0x00007FFDE8E45000-memory.dmp

    Filesize

    8KB

  • memory/3728-39-0x00007FFDE8E40000-0x00007FFDE9901000-memory.dmp

    Filesize

    10.8MB

  • memory/3728-37-0x00007FFDE8E40000-0x00007FFDE9901000-memory.dmp

    Filesize

    10.8MB

  • memory/3728-29-0x00007FFDE8E40000-0x00007FFDE9901000-memory.dmp

    Filesize

    10.8MB

  • memory/3728-27-0x00007FFDE8E40000-0x00007FFDE9901000-memory.dmp

    Filesize

    10.8MB

  • memory/3728-26-0x0000000000780000-0x00000000007AE000-memory.dmp

    Filesize

    184KB
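The two sets of indicators this report yields, the XWorm C2 endpoints under Malware Config and the SHA256 values of the submitted sample and the two dropped files under Downloads, are what a responder actually sweeps for. The script below is an added example, not part of the Triage report and not XWorm's or StormKitty's code: it turns those indicators into an offline matcher for a hash inventory and for network-connection log lines. The `key=value` log format, the sample inventory, the sample log lines and the "any host under .ply.gg on port 32901" heuristic are constructed assumptions; only the hashes and the two host:port pairs come from the report.

```python
import hashlib
import io
import re

# SHA256 values copied from this report: the submitted sample and the two dropped files.
IOC_SHA256 = {
    "e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264": "Celestial.exe",
    "e4d2faf2aa895163625ea12416ce945b256f0e13b8327152d6eb80f3ee9fc332": "1Celestial.exe",
    "58588e19dac77c6689a6167865f9ad8f0fe531afbe4d66243d55f3e0e5a555c4": "XClient.exe",
}

# C2 endpoints extracted from the sample's XWorm config (host, port).
IOC_C2 = {
    ("engineering-thoroughly.gl.at.ply.gg", 32901),
    ("20.ip.gl.ply.gg", 32901),
}

# Assumption, not from the report: the exact tunnel subdomain may rotate, so
# any host under the same tunnelling suffix on the same port is flagged weakly.
TUNNEL_SUFFIX = ".ply.gg"
C2_PORT = 32901


def sha256_stream(fh, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large drops need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return sha256_stream(io.BytesIO(data))


def sha256_file(path):
    """Hash a file on disk for comparison against IOC_SHA256."""
    with open(path, "rb") as fh:
        return sha256_stream(fh)


def match_inventory(records):
    """records: iterable of (path, sha256_hex) as exported by an EDR or a hashing sweep.
    Returns [(path, ioc_name)] for every digest listed in the report.
    Digests are lower-cased because exports differ in case."""
    hits = []
    for path, digest in records:
        name = IOC_SHA256.get(digest.lower())
        if name:
            hits.append((path, name))
    return hits


# Constructed log line shape: "... image=<exe> dest=<host>:<port>".
LOG_RE = re.compile(r"image=(?P<image>\S+)\s+dest=(?P<dest>[^:\s]+):(?P<port>\d+)")


def find_c2_events(lines):
    """Scan network-connection log lines for the report's C2 endpoints.
    Returns [(image, host, port, verdict)] with verdict 'exact' for a listed
    endpoint and 'tunnel-suffix' for the weaker suffix+port heuristic."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host, port = m["dest"].lower(), int(m["port"])
        if (host, port) in IOC_C2:
            events.append((m["image"], host, port, "exact"))
        elif host.endswith(TUNNEL_SUFFIX) and port == C2_PORT:
            events.append((m["image"], host, port, "tunnel-suffix"))
    return events


# Constructed sample data (the report's own Network tab is empty here).
SAMPLE_INVENTORY = [
    (r"C:\Users\Admin\AppData\Local\Temp\XClient.exe",
     "58588E19DAC77C6689A6167865F9AD8F0FE531AFBE4D66243D55F3E0E5A555C4"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
]
SAMPLE_LOG = [
    "ts=2024-08-09T20:59:01Z event=NetworkConnect image=XClient.exe dest=engineering-thoroughly.gl.at.ply.gg:32901",
    "ts=2024-08-09T20:59:05Z event=NetworkConnect image=XClient.exe dest=rotated-name.gl.at.ply.gg:32901",
    "ts=2024-08-09T20:59:07Z event=NetworkConnect image=msedge.exe dest=www.bing.com:443",
]

if __name__ == "__main__":
    for path, name in match_inventory(SAMPLE_INVENTORY):
        print(f"HASH HIT {name}: {path}")
    for image, host, port, verdict in find_c2_events(SAMPLE_LOG):
        print(f"C2 {verdict}: {image} -> {host}:{port}")
```

Hash matching only finds these exact builds; the `tunnel-suffix` verdict exists because tunnelling services hand out fresh subdomains per session, so a rebuilt client with a new `*.ply.gg` name would otherwise slip past a list of two hostnames. Treat that verdict as a lead to triage, not a confirmed hit.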