General

  • Target: CeleryInstaller.exe
  • Size: 828KB
  • Sample: 241016-n6q5kasbkn
  • MD5: 3c8603f5225052c1375f87ecb572690c
  • SHA1: 9ad1026b68030bd1ec7bc6fd25e3a3a8f6be5ad7
  • SHA256: e0365edc35c855afe7ff301328f265b363d81afca23efa88bcb5f2f8f35c739b
  • SHA512: cbd0df325cad43c56847765d9327774c91fdb15a558ee93a75189a3d94465231c375d64bcd777d176734cc95c6d095cd25f3e27c37ae9361b9e63c1fa9973cec
  • SSDEEP: 24576:3f0ZvkIP9VM9aexhgaBPbhhhchhhwSf8SDf0Z:+vkIP93F8SDu

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>d9j4a4/cLVjOf0K3N9srcPYt/syA9tRDML+lo4EgpOgw6quQ19iCqEf2O5SX3cRiRbdHP91uATalMUYvQJLOY4PvNMB9qNo7blFZ7NElTvtIfSqdf+1o7IZOXPvdyW6fyyRnq7uca9qmtPwIodzFy2qOpPqrQpXAin7hrZiLJgdXA2qmvy1fq3krbeEaKbmYNHVhv0Ah0A9fQAeI1LQ9b1TrJFGZGBZFge27dfoQxiugUiYgzZ+GB/av3om63T0U/F4a95lKaq68fkP8wZ+Uzyyrl1ZO44ZYOipzfVWh4ds8V0gxYycUEFKHF6M2PS/5sVhCN59NmU5ETpvbKwaR5A==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>EuflpFqsn88R3PDdPn4gnhFmLyHw7K08BD+1pPfRIrScU2xDuRRUNYKwQ7Kr0d312yLQQ1Vbneg6XC41iUa51ny5qfrUxfcmJjAWerOCfaNkQZs+sBqM7AjVf7AMlgLliY9RYRHcR4NWR2az50aHHO8rjTMebZXCa+BKoSf/AQ31zSemA9roBM+vUQmXmDbADWOcJwyVZpEl3UbQl6RCynSccQt3e24dQP0ck3VI0xWM0b2K/TIyibkrk8URgnMH3+OXM/tTAhlf5SaLWes29rEtS0Mk5MEDYRH1or8vaSQN2E6lROqdNOZr6Q2MzPHOfI/e/dHU2sB7Ph1Ff/AZng==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Targets

    • Target: CeleryInstaller.exe
    • Size: 828KB
    • MD5: 3c8603f5225052c1375f87ecb572690c
    • SHA1: 9ad1026b68030bd1ec7bc6fd25e3a3a8f6be5ad7
    • SHA256: e0365edc35c855afe7ff301328f265b363d81afca23efa88bcb5f2f8f35c739b
    • SHA512: cbd0df325cad43c56847765d9327774c91fdb15a558ee93a75189a3d94465231c375d64bcd777d176734cc95c6d095cd25f3e27c37ae9361b9e63c1fa9973cec
    • SSDEEP: 24576:3f0ZvkIP9VM9aexhgaBPbhhhchhhwSf8SDf0Z:+vkIP93F8SDu

    • Fantom

      Ransomware which hides the encryption process behind a fake Windows Update screen.

    • Modifies WinLogon for persistence

    • Renames multiple (1023) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory
