Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2024 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: Celestial.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: Celestial.exe
  Resource: win10v2004-20240802-en
General
Target: Celestial.exe
Size: 297KB
MD5: 9b650b738d97c0e39717fe86401a6726
SHA1: 34f361ab5024ad4390a3906cb3fff5a7b5f7e656
SHA256: e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
SHA512: a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
SSDEEP: 6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs
Malware Config
Extracted
Family: xworm
C2: engineering-thoroughly.gl.at.ply.gg:32901
C2: 20.ip.gl.ply.gg:32901
install_file: USB.exe
Signatures

Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\XClient.exe | family_xworm
  C:\Users\Admin\AppData\Local\Temp\1Celestial.exe | family_xworm
  behavioral2/memory/2356-25-0x0000000000A90000-0x0000000000AA6000-memory.dmp | family_xworm
  behavioral2/memory/3728-26-0x0000000000780000-0x00000000007AE000-memory.dmp | family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/2356-40-0x000000001D5A0000-0x000000001D6BE000-memory.dmp | family_stormkitty

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access or copy of the web browser credential store.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | Celestial.exe

Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | 1Celestial.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | 1Celestial.exe

Executes dropped EXE (2 IoCs)
  pid | process
  2356 | XClient.exe
  3728 | 1Celestial.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  27 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Celestial.exe

System Time Discovery (1 TTP, 1 IoC)
An adversary may gather the system time and/or time zone settings from a local or remote system.
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3728 | 1Celestial.exe
  Token: SeDebugPrivilege | 2356 | XClient.exe
  Token: SeDebugPrivilege | 3728 | 1Celestial.exe
  Token: 33 | 1048 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1048 | AUDIODG.EXE
  Token: SeBackupPrivilege | 2992 | svchost.exe
  Token: SeRestorePrivilege | 2992 | svchost.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 3784 wrote to memory of 2356 | 3784 | Celestial.exe | XClient.exe
  PID 3784 wrote to memory of 2356 | 3784 | Celestial.exe | XClient.exe
  PID 3784 wrote to memory of 3728 | 3784 | Celestial.exe | 1Celestial.exe
  PID 3784 wrote to memory of 3728 | 3784 | Celestial.exe | 1Celestial.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Celestial.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3784
  - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2356
  - C:\Users\Admin\AppData\Local\Temp\1Celestial.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1Celestial.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3728

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4612,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
  PID: 4660

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x510 0x414
  - Suspicious use of AdjustPrivilegeToken
  PID: 1048

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
  PID: 456

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
  - System Time Discovery
  PID: 2932

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
  PID: 4040

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - Suspicious use of AdjustPrivilegeToken
  PID: 2992
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

- Filesize: 162KB
  MD5: d726f0f603538577a7e12448419fed1a
  SHA1: 1ea8047f9e825c9dd648a12c98689e1c6ad11c70
  SHA256: e4d2faf2aa895163625ea12416ce945b256f0e13b8327152d6eb80f3ee9fc332
  SHA512: a9643b891d7a092799ee032c032daa0e1303f639a1893fe1ea7e2830cbae12dbb0d754ebe7bbedcb2396f6bfed5539a932c8f8726b7ff13e217fc39f630b7dfd

- Filesize: 66KB
  MD5: 2c2bf7640b13839dcffc5524e9ff6972
  SHA1: 4e91d65f34a33498b39419dbffee5efd8703ca05
  SHA256: 58588e19dac77c6689a6167865f9ad8f0fe531afbe4d66243d55f3e0e5a555c4
  SHA512: 980afa1660da3522c5a0d6296fb1fe9ddcb53dfa829d6d64bd9c63714147536c090f12c9f533e67187d5250b5a219a9c9aa876ee375995a2e1cb1dac1e6de65e