50075722aa0970650d88d6c29e8c3f45e684c99be8d4865e8c4daf5ef937bd72

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celery.exe
Size

17.3MB
MD5

433bb23192adb1d78a2fd99ca652eab4
SHA1

40087ada7a5020046c30d8ffb9fd70949450151e
SHA256

06a7351cbbb9e794e8ee5793114cb74cda3b55f23eb634ea3b994adf851ddd3a
SHA512

d74a2156ea003640774a1139aa4c1b5b76f0f97ebbeec1dd3cebbf902eb667d369f7ea8e1d3c6aff140da6f75e5c64cee23cd1e2cb988873db95723ea9cca93e
SSDEEP

393216:xUa57DdNAuyvw4wK/gsrlVwgqI59D8exrbwANXg5yH4LVvIz:p1d2toVKrR5qI59woPXlOLmz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Celery.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	main.exe

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3356	CefSharp.BrowserSubprocess.exe
4316	CefSharp.BrowserSubprocess.exe
1084	CefSharp.BrowserSubprocess.exe
3216	CefSharp.BrowserSubprocess.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	CefSharp.BrowserSubprocess.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	CefSharp.BrowserSubprocess.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1312_369462933\manifest.fingerprint	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1312_369462933\_platform_specific\win_x64\widevinecdm.dll.sig	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1312_369462933\_platform_specific\win_x64\widevinecdm.dll	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1312_369462933\LICENSE	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1312_369462933\manifest.json	Celery.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1312_369462933\_metadata\verified_contents.json	Celery.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	CefSharp.BrowserSubprocess.exe
3356	CefSharp.BrowserSubprocess.exe
4316	CefSharp.BrowserSubprocess.exe
4316	CefSharp.BrowserSubprocess.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe
1312	Celery.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	4316	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe
Token: SeCreatePagefilePrivilege	1312	Celery.exe
Token: SeShutdownPrivilege	1312	Celery.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3356	1312	Celery.exe	89
PID 1312 wrote to memory of 3356	1312	Celery.exe	89
PID 1312 wrote to memory of 4316	1312	Celery.exe	90
PID 1312 wrote to memory of 4316	1312	Celery.exe	90
PID 1312 wrote to memory of 5064	1312	Celery.exe	91
PID 1312 wrote to memory of 5064	1312	Celery.exe	91
PID 1312 wrote to memory of 1084	1312	Celery.exe	102
PID 1312 wrote to memory of 1084	1312	Celery.exe	102
PID 1312 wrote to memory of 3216	1312	Celery.exe	110
PID 1312 wrote to memory of 3216	1312	Celery.exe	110

C:\Users\Admin\AppData\Local\Temp\Celery.exe
"C:\Users\Admin\AppData\Local\Temp\Celery.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2016,i,4616498326656780240,5125835335230208996,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2008 /prefetch:2 --host-process-id=1312
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cache" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2332,i,4616498326656780240,5125835335230208996,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3 --host-process-id=1312
  2⤵
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\bin\lsp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\lsp\main.exe"
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cache" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=3680,i,4616498326656780240,5125835335230208996,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:8 --host-process-id=1312
  2⤵
  - Network Service Discovery
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cache" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=4500,i,4616498326656780240,5125835335230208996,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:8 --host-process-id=1312
  2⤵
  - Network Service Discovery
  - Drops file in System32 directory
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping1312_369462933\manifest.json

Filesize
1001B

MD5
2648d437c53db54b3ebd00e64852687e

SHA1
66cfe157f4c8e17bfda15325abfef40ec6d49608

SHA256
68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806

SHA512
86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CefSharp.BrowserSubprocess.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\Monaco\assets\theme.json

Filesize
390B

MD5
53140e18fb33e7e9a25e13f57a4190aa

SHA1
dd72190319ae2b7ddb12a137f50fad2579fcc897

SHA256
1cbd08945e5e8612b690e1eb663917cfb4f84f0083bf7d2c2a61f43e6c455e9b

SHA512
fb9b0456c7c9d468b14db242659d2cda36f7457f9035628d92538850a509e78116972e9890edc3b69d4379aaafb6da76ff2876b446b6953e14914cdfe7dc7b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\lsp\main.exe

Filesize
36.1MB

MD5
43ad962c7acda3e30300e7d0f1add3fb

SHA1
362c217d315f288f375fec7289a2606ed6d4f432

SHA256
534e6212f155fba25a38fba248ce7970e69335492d57443d04037b617260dd9b

SHA512
3822b6b426c85a61c4d754de7c33fdfbca45c9e80f2ba52f4c6ac98ad726109e276851af3612ebb39a6cefa4de9589d412e2805a3bacf7845d2aa22189396e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cache\LocalPrefs.json

Filesize
755B

MD5
8260e67d1617a257d6760ed72711b2f7

SHA1
434ff3380ae18e7246923379cc124ab3f466330b

SHA256
35d637d5af58520d9dfa2fe5d1f0757288b7cb9d066432320493116dc39deafd

SHA512
31c2225cfe20559a4ed9eadf97c838e971e1f02c31eca086e8cc16d0ed35fcf24f60be06960b80eace1abe17f25ede6817418afdc191cd4ffe56b30f5cb32a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cache\LocalPrefs.json

Filesize
643B

MD5
4d52972f385d9f554c0a7b7485e12bb7

SHA1
edf316e044396fd154b55d5a06f0c60362f51a2e

SHA256
e3002ed73528146903eb389ed6b3d9b99a06b471d5b4c72fe74982f6fef98913

SHA512
0eec47ef718ba7cc6e075f9029a551f0e3b8c85ac0d9a24001ebbea0ecb3726be70b9718e394022ad7be40527102295ddc81984543fcdc300ceb1ce64df29623

Download Submit
C:\Users\Admin\AppData\Local\Temp\cache\LocalPrefs.json~RFe589cb8.TMP

Filesize
434B

MD5
39a74fbab1b74bf46b4ac0f9f1ddb2b2

SHA1
bf347cbbc3bfeb9bc9d45f34e0115758dc21b58e

SHA256
bb813e62440075541c08ec8d2f9ad4055cffd4ba2bb020fb8aca4d6f2daa1e6c

SHA512
592e27d0dd01e8323a92c8456bfd9ca76c15c26768512a66b90c71e513f2f13b2441a4e96f541abc55a74c672954cc4957a6de0138d9a1383c3ef4ef30701808

Download Submit
C:\Users\Admin\AppData\Roaming\Celery\settings.json

Filesize
95B

MD5
549e0849b62ac1edd0e200f6821cf237

SHA1
c38c5e610a29fe868404c0a6c1dd28dc46c32654

SHA256
45907882a0e460ceb2cc46205083aae3eae5b874c1863bc6ff332d683486925c

SHA512
318d6c6f86460742f2890734d39d1c5291c3e0d18f6ba0bf22e7c8f327c2cae24cb1b468ff89f422a76eea63e6aed18e07b60159c96c0243f9f48fcfc631c243

Download Submit
memory/1312-10-0x00000259F4F20000-0x00000259F4F6A000-memory.dmp

Filesize
296KB

Download
memory/1312-184-0x00007FFCA0190000-0x00007FFCA0C51000-memory.dmp

Filesize
10.8MB

Download
memory/1312-0-0x00007FFCA0193000-0x00007FFCA0195000-memory.dmp

Filesize
8KB

Download
memory/1312-1-0x00000259D9180000-0x00000259DA2CE000-memory.dmp

Filesize
17.3MB

Download
memory/1312-2-0x00000259F4640000-0x00000259F4664000-memory.dmp

Filesize
144KB

Download
memory/1312-28-0x00000259F6FD0000-0x00000259F6FE2000-memory.dmp

Filesize
72KB

Download
memory/1312-29-0x00000259F6FC0000-0x00000259F6FCA000-memory.dmp

Filesize
40KB

Download
memory/1312-143-0x00000259F7550000-0x00000259F7602000-memory.dmp

Filesize
712KB

Download
memory/1312-5-0x00000259F4A90000-0x00000259F4AAC000-memory.dmp

Filesize
112KB

Download
memory/1312-155-0x00000259F7840000-0x00000259F7862000-memory.dmp

Filesize
136KB

Download
memory/1312-6-0x00000259F4620000-0x00000259F462A000-memory.dmp

Filesize
40KB

Download
memory/1312-8-0x00000259F4630000-0x00000259F463A000-memory.dmp

Filesize
40KB

Download
memory/1312-170-0x00000259F9AB0000-0x00000259F9AB8000-memory.dmp

Filesize
32KB

Download
memory/1312-171-0x00000259F9AE0000-0x00000259F9AF0000-memory.dmp

Filesize
64KB

Download
memory/1312-173-0x00000259FA240000-0x00000259FA24E000-memory.dmp

Filesize
56KB

Download
memory/1312-172-0x00000259FA280000-0x00000259FA2B8000-memory.dmp

Filesize
224KB

Download
memory/1312-183-0x00007FFCA0193000-0x00007FFCA0195000-memory.dmp

Filesize
8KB

Download
memory/1312-9-0x00000259F4C50000-0x00000259F4E11000-memory.dmp

Filesize
1.8MB

Download
memory/1312-7-0x00007FFCA0190000-0x00007FFCA0C51000-memory.dmp

Filesize
10.8MB

Download
memory/1312-4-0x00000259F4A70000-0x00000259F4A84000-memory.dmp

Filesize
80KB

Download
memory/1312-3-0x00000259F4B60000-0x00000259F4C46000-memory.dmp

Filesize
920KB

Download
memory/3216-238-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-240-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-239-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-250-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-249-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-248-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-247-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-246-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-245-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3216-244-0x000001D9747B0000-0x000001D9747B1000-memory.dmp

Filesize
4KB

Download
memory/3356-17-0x0000019870160000-0x000001987027E000-memory.dmp

Filesize
1.1MB

Download
memory/3356-16-0x0000019855D50000-0x0000019855D56000-memory.dmp

Filesize
24KB

Download