Overview

overview

10

Static

static

10

celex.exe

windows10-ltsc 2021-x64

Analysis

  • max time kernel
    211s
  • max time network
    214s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    02-12-2024 17:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    celex.exe

  • Size

    55KB

  • MD5

    059fd4cebd6fa3272a145fc6ef42f5f9

  • SHA1

    064b17bfc80151c060e2c2863390bcf7af90a467

  • SHA256

    5437080e89ca02f2de4f23eb66533155888bdbf257612326194f6de85a28b524

  • SHA512

    4c323cdcd21c10451f5345eeb40ac1b3ccafb80180d46bfc1e85bf40747d45481e649efafd9a01d79e8099cd1b65fba2138919ee9be282f94ecb4d0df2bcec79

  • SSDEEP

    1536:sEYADn8fLN2/SbJtDDcwsNMDpXExI3pmmm:+ADnccqbXDDcwsNMDpXExI3pm

Score
10/10
njratcredential_accessdiscoverypersistencespywarestealertrojanupx

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 32 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\celex.exe
    "C:\Users\Admin\AppData\Local\Temp\celex.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\celex.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:5104
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\2083046"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4484
    • C:\Users\Admin\AppData\Local\Temp\0c3e256212134c48bf50596ceb947664.exe
      "C:\Users\Admin\AppData\Local\Temp\0c3e256212134c48bf50596ceb947664.exe"
      2⤵
      • Executes dropped EXE
      PID:3492
    • C:\Users\Admin\AppData\Local\Temp\101d97deef794dcc8b5c056d6b8f595f.exe
      "C:\Users\Admin\AppData\Local\Temp\101d97deef794dcc8b5c056d6b8f595f.exe"
      2⤵
      • Executes dropped EXE
      PID:4688
    • C:\Users\Admin\AppData\Local\Temp\3774889a4d244fbfac9821d55fff51bb.exe
      "C:\Users\Admin\AppData\Local\Temp\3774889a4d244fbfac9821d55fff51bb.exe"
      2⤵
      • Executes dropped EXE
      PID:1344
    • C:\Users\Admin\AppData\Local\Temp\983c8b6ab2334585a8939cf4a70b3a16.exe
      "C:\Users\Admin\AppData\Local\Temp\983c8b6ab2334585a8939cf4a70b3a16.exe"
      2⤵
      • Executes dropped EXE
      PID:3188
    • C:\Users\Admin\AppData\Local\Temp\9fdbfab1750940baacd9f1a85e0dff82.exe
      "C:\Users\Admin\AppData\Local\Temp\9fdbfab1750940baacd9f1a85e0dff82.exe"
      2⤵
      • Executes dropped EXE
      PID:820
    • C:\Users\Admin\AppData\Local\Temp\b7c7eb82082d44d6bc0702a9f1be80be.exe
      "C:\Users\Admin\AppData\Local\Temp\b7c7eb82082d44d6bc0702a9f1be80be.exe"
      2⤵
      • Executes dropped EXE
      PID:4904
    • C:\Users\Admin\AppData\Local\Temp\0905ca2c3c944e38b97e56a162ce9e7a.exe
      "C:\Users\Admin\AppData\Local\Temp\0905ca2c3c944e38b97e56a162ce9e7a.exe"
      2⤵
      • Executes dropped EXE
      PID:1684
    • C:\Users\Admin\AppData\Local\Temp\ea4d58d102994c449376bb57d5e2cb45.exe
      "C:\Users\Admin\AppData\Local\Temp\ea4d58d102994c449376bb57d5e2cb45.exe"
      2⤵
      • Executes dropped EXE
      PID:4244
    • C:\Users\Admin\AppData\Local\Temp\405123eaa0474629b5053a259e234739.exe
      "C:\Users\Admin\AppData\Local\Temp\405123eaa0474629b5053a259e234739.exe"
      2⤵
      • Executes dropped EXE
      PID:1436
    • C:\Users\Admin\AppData\Local\Temp\33c4d28e2c5646f9bfde82ddba182fdc.exe
      "C:\Users\Admin\AppData\Local\Temp\33c4d28e2c5646f9bfde82ddba182fdc.exe"
      2⤵
      • Executes dropped EXE
      PID:216
    • C:\Users\Admin\AppData\Local\Temp\7000f9394bce42b384b5254f280a8aad.exe
      "C:\Users\Admin\AppData\Local\Temp\7000f9394bce42b384b5254f280a8aad.exe"
      2⤵
      • Executes dropped EXE
      PID:680
    • C:\Users\Admin\AppData\Local\Temp\f55f735d7ed54335ab4e273fd3947f06.exe
      "C:\Users\Admin\AppData\Local\Temp\f55f735d7ed54335ab4e273fd3947f06.exe"
      2⤵
      • Executes dropped EXE
      PID:3800
    • C:\Users\Admin\AppData\Local\Temp\5f2dcd9333dc489d97abb336775f57d2.exe
      "C:\Users\Admin\AppData\Local\Temp\5f2dcd9333dc489d97abb336775f57d2.exe"
      2⤵
      • Executes dropped EXE
      PID:3772
    • C:\Users\Admin\AppData\Local\Temp\6b01cad0ae6a4cbf9c66449809983006.exe
      "C:\Users\Admin\AppData\Local\Temp\6b01cad0ae6a4cbf9c66449809983006.exe"
      2⤵
      • Executes dropped EXE
      PID:1864
    • C:\Users\Admin\AppData\Local\Temp\e05b1d05cc1a465b96b1251850d98ab7.exe
      "C:\Users\Admin\AppData\Local\Temp\e05b1d05cc1a465b96b1251850d98ab7.exe"
      2⤵
      • Executes dropped EXE
      PID:3204
    • C:\Users\Admin\AppData\Local\Temp\9fbdf642a69b413caba2daeb3817d639.exe
      "C:\Users\Admin\AppData\Local\Temp\9fbdf642a69b413caba2daeb3817d639.exe"
      2⤵
      • Executes dropped EXE
      PID:4568
    • C:\Users\Admin\AppData\Local\Temp\e9c5e2b5464443cf9c045c2ae4ac3d18.exe
      "C:\Users\Admin\AppData\Local\Temp\e9c5e2b5464443cf9c045c2ae4ac3d18.exe"
      2⤵
      • Executes dropped EXE
      PID:4016
    • C:\Users\Admin\AppData\Local\Temp\c7857c1ff1b74bcc9d97020ffb71b3c6.exe
      "C:\Users\Admin\AppData\Local\Temp\c7857c1ff1b74bcc9d97020ffb71b3c6.exe"
      2⤵
      • Executes dropped EXE
      PID:868
    • C:\Users\Admin\AppData\Local\Temp\5b0e12d59b834eafa1bcccdc404a1a19.exe
      "C:\Users\Admin\AppData\Local\Temp\5b0e12d59b834eafa1bcccdc404a1a19.exe"
      2⤵
      • Executes dropped EXE
      PID:4588
    • C:\Users\Admin\AppData\Local\Temp\98a706749fd84ff9936c6c0ed890da52.exe
      "C:\Users\Admin\AppData\Local\Temp\98a706749fd84ff9936c6c0ed890da52.exe"
      2⤵
      • Executes dropped EXE
      PID:2076
    • C:\Users\Admin\AppData\Local\Temp\b98cda1307ba49de97bf73d57a0a594c.exe
      "C:\Users\Admin\AppData\Local\Temp\b98cda1307ba49de97bf73d57a0a594c.exe"
      2⤵
      • Executes dropped EXE
      PID:1756
    • C:\Users\Admin\AppData\Local\Temp\10ede2a9e5ab42f39c525fb9cee35c4d.exe
      "C:\Users\Admin\AppData\Local\Temp\10ede2a9e5ab42f39c525fb9cee35c4d.exe"
      2⤵
      • Executes dropped EXE
      PID:4200
    • C:\Users\Admin\AppData\Local\Temp\90c97d5eabff4f54ac0ec431d871dcf3.exe
      "C:\Users\Admin\AppData\Local\Temp\90c97d5eabff4f54ac0ec431d871dcf3.exe"
      2⤵
      • Executes dropped EXE
      PID:4784
    • C:\Users\Admin\AppData\Local\Temp\4ebeb48b22e54c3483d5864625403ad3.exe
      "C:\Users\Admin\AppData\Local\Temp\4ebeb48b22e54c3483d5864625403ad3.exe"
      2⤵
      • Executes dropped EXE
      PID:4452
    • C:\Users\Admin\AppData\Local\Temp\2c76a27e37444034a775dcb1cdb74e7f.exe
      "C:\Users\Admin\AppData\Local\Temp\2c76a27e37444034a775dcb1cdb74e7f.exe"
      2⤵
      • Executes dropped EXE
      PID:3644
    • C:\Users\Admin\AppData\Local\Temp\91ac396af74345fdb411af3b0521b56b.exe
      "C:\Users\Admin\AppData\Local\Temp\91ac396af74345fdb411af3b0521b56b.exe"
      2⤵
      • Executes dropped EXE
      PID:3528
    • C:\Users\Admin\AppData\Local\Temp\70e672523c144e10a62391b6176cba3f.exe
      "C:\Users\Admin\AppData\Local\Temp\70e672523c144e10a62391b6176cba3f.exe"
      2⤵
      • Executes dropped EXE
      PID:1376
    • C:\Users\Admin\AppData\Local\Temp\ad553df4b287459bb708c18d010e9574.exe
      "C:\Users\Admin\AppData\Local\Temp\ad553df4b287459bb708c18d010e9574.exe"
      2⤵
      • Executes dropped EXE
      PID:4792
    • C:\Users\Admin\AppData\Local\Temp\efa7593f4a6e451683500b9cdcd9491b.exe
      "C:\Users\Admin\AppData\Local\Temp\efa7593f4a6e451683500b9cdcd9491b.exe"
      2⤵
      • Executes dropped EXE
      PID:4912
    • C:\Users\Admin\AppData\Local\Temp\aa2519c2b456485e8dca676baa494495.exe
      "C:\Users\Admin\AppData\Local\Temp\aa2519c2b456485e8dca676baa494495.exe"
      2⤵
      • Executes dropped EXE
      PID:3396
    • C:\Users\Admin\AppData\Local\Temp\1bb8446a024d42fe807bdf642ca0b307.exe
      "C:\Users\Admin\AppData\Local\Temp\1bb8446a024d42fe807bdf642ca0b307.exe"
      2⤵
      • Executes dropped EXE
      PID:2340
    • C:\Users\Admin\AppData\Local\Temp\9e718a29a6184739b639bf2f9d63032e.exe
      "C:\Users\Admin\AppData\Local\Temp\9e718a29a6184739b639bf2f9d63032e.exe"
      2⤵
      • Executes dropped EXE
      PID:224
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start shutdown /s /f /t 0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2588
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /s /f /t 0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x518 0x2d4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2304
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39ed855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\9fdbfab1750940baacd9f1a85e0dff82.exe.log
    Filesize

    594B

    MD5

    a816867354b951008f631e6b91bd0a9b

    SHA1

    e16425b8b3dc063ba4513d372f6db576e12ea5ec

    SHA256

    861252472e58af0a86b3d9ed9c9ccab846327502151460b8281bf78fb165b7a1

    SHA512

    15ec052c601f98213545cd1eac4af370f79d67a7efd36acc7602969356e8b9ac363f6044ea0bd685ead2956a1436a5a9ef1d8c309ee2ba6f5cdfa3ce5a46d412

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\0c3e256212134c48bf50596ceb947664.exe
    Filesize

    997KB

    MD5

    28aaac578be4ce06cb695e4f927b4302

    SHA1

    880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

    SHA256

    8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

    SHA512

    068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10ede2a9e5ab42f39c525fb9cee35c4d.exe
    Filesize

    961KB

    MD5

    4723c3c04794c09bbcb6e03f48440f15

    SHA1

    a5ef69c9dc9eacc2099d9c239146a0e360f1837f

    SHA256

    0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

    SHA512

    5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2083046
    Filesize

    507B

    MD5

    6d0e849b0647746facd7c73f03b4d366

    SHA1

    3138201a6608428b922bd86168b51cf80615bc91

    SHA256

    c2f229ba47f29fccb6d35a908e887bf97e9e87cdb1110e855d5caa39571e5d72

    SHA512

    3839589f64141ba269f95e2726dd040ee09b6c9c09f5765dcdba847b02f68fa000b588a272f17e73ac42e81b3bb154535dc20da6dce0682b4b3a1ac2daada86a

    Download Submit

  • memory/2788-3-0x0000000074B82000-0x0000000074B83000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2788-5-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-6-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-7-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-508-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-4-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-2-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2788-0-0x0000000074B82000-0x0000000074B83000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2788-1-0x0000000074B80000-0x0000000075131000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3492-37-0x00007FF90B570000-0x00007FF90BF11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3492-40-0x0000000000B40000-0x0000000000B48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3492-35-0x00007FF90B825000-0x00007FF90B826000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-36-0x000000001B270000-0x000000001B316000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3492-38-0x000000001B920000-0x000000001BDEE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3492-72-0x00007FF90B570000-0x00007FF90BF11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3492-39-0x000000001BDF0000-0x000000001BE8C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3492-42-0x00007FF90B570000-0x00007FF90BF11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3492-41-0x000000001BF70000-0x000000001BFBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4484-15-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4484-13-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4484-12-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4484-11-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4484-9-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download