Analysis
- max time kernel: 68s
- max time network: 69s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2024 15:26
Behavioral task: behavioral1
- Sample: Celex.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: Celex.exe
- Resource: win10v2004-20241007-en
Errors
General
- Target: Celex.exe
- Size: 37KB
- MD5: 502c8a1e9ebf182539816cd73e6fb745
- SHA1: 6d9b0ef9538c91b2546b6f07015769887a77b08b
- SHA256: 1baf26fadab02970d6f09a9711944ed069d32577f1e0da07967e93f71bb7efb8
- SHA512: f197f8eb4bb4ddcd11221f066c367dcdf722e72b45efb1cbf80b5ba2db9a04a0d9d10e5a642eb879d1cc184476729765426c5dde9ff69066179a2bc8fe747ad0
- SSDEEP: 384:StP97LsikX9zNf/1uyU7/I3/9sWAnurAF+rMRTyN/0L+EcoinblneHQM3epzXDJv:UPlil1lU7/I1dAurM+rMRa8NupJVt
Malware Config
Signatures
- Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Celex.exe
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  2760 | netsh.exe
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Celex.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
- Modifies Internet Explorer start page (1 TTP, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.Hacker.com/" | Celex.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1792 | Celex.exe (the same entry is repeated for all 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1792 | Celex.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1792 | Celex.exe
  Token: 33 | 1792 | Celex.exe (7 entries)
  Token: SeIncBasePriorityPrivilege | 1792 | Celex.exe (7 entries)
  Token: 33 | 1984 | AUDIODG.EXE (2 entries)
  Token: SeIncBasePriorityPrivilege | 1984 | AUDIODG.EXE (2 entries)
  Token: SeShutdownPrivilege | 1960 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 1960 | shutdown.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1792 wrote to memory of 2760 | 1792 | Celex.exe | 30 (4 entries)
  PID 1792 wrote to memory of 1960 | 1792 | Celex.exe | 35 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Celex.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Celex.exe"
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1792
  - C:\Windows\SysWOW64\netsh.exe (child of PID 1792)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Celex.exe" "Celex.exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 2760
  - C:\Windows\SysWOW64\shutdown.exe (child of PID 1792)
    Command line: shutdown -s -t 00
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1960
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  - System Location Discovery: System Language Discovery
  PID: 2920
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1a0
  - Suspicious use of AdjustPrivilegeToken
  PID: 1984
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2504
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2372
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)