Analysis

  • max time kernel
    68s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 15:26

Errors

Reason
Machine shutdown

General

  • Target

    Celex.exe

  • Size

    37KB

  • MD5

    502c8a1e9ebf182539816cd73e6fb745

  • SHA1

    6d9b0ef9538c91b2546b6f07015769887a77b08b

  • SHA256

    1baf26fadab02970d6f09a9711944ed069d32577f1e0da07967e93f71bb7efb8

  • SHA512

    f197f8eb4bb4ddcd11221f066c367dcdf722e72b45efb1cbf80b5ba2db9a04a0d9d10e5a642eb879d1cc184476729765426c5dde9ff69066179a2bc8fe747ad0

  • SSDEEP

    384:StP97LsikX9zNf/1uyU7/I3/9sWAnurAF+rMRTyN/0L+EcoinblneHQM3epzXDJv:UPlil1lU7/I1dAurM+rMRa8NupJVt

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Celex.exe
    "C:\Users\Admin\AppData\Local\Temp\Celex.exe"
    1⤵
    • Disables RegEdit via registry modification
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Celex.exe" "Celex.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2760
    • C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 00
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2920
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1a0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1984
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2504
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2372

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1792-0-0x0000000074621000-0x0000000074622000-memory.dmp

        Filesize

        4KB

      • memory/1792-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

        Filesize

        5.7MB

      • memory/1792-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

        Filesize

        5.7MB

      • memory/1792-3-0x0000000074620000-0x0000000074BCB000-memory.dmp

        Filesize

        5.7MB

      • memory/1792-4-0x0000000074620000-0x0000000074BCB000-memory.dmp

        Filesize

        5.7MB

      • memory/1792-5-0x0000000074620000-0x0000000074BCB000-memory.dmp

        Filesize

        5.7MB

      • memory/1792-9-0x0000000074620000-0x0000000074BCB000-memory.dmp

        Filesize

        5.7MB