Analysis
max time kernel: 300s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2025, 00:38
Static task: static1
Behavioral task: behavioral1
Sample: Celestial.exe
Resource: win10v2004-20241007-en
General
Target: Celestial.exe
Size: 348KB
MD5: fc1f93382c60f547c77459038d907bcb
SHA1: 23799f6b9222e1c36ddad9aedb76acb4262577cf
SHA256: 7c704c02ca2ba3cb4c46333fd85a0d2f4fc59fe4cf9fa364b5fb56f3115e7732
SHA512: 2f4e9ffe4d351610b8be3d495e04ea87724973857fad7baa907cadeabd25c35f2be0e50706c79c2ff2c65c1f3788ff0081ef764babf4baf60d85462f30a5702f
SSDEEP: 6144:QqHyuhbvbXC3ryhcbp96w8zT9p739CSH6t7FhLji8VENUkEkW:QqSEbve3ccbp96w8zhCXt7Fln2NUfkW
Malware Config
Extracted: asyncrat 1.0.7
GDFjbxc9as
Gx0edRwRzsDs0gzwQ
- delay: 1
- install: true
- install_file: GoogleUpdates.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/QLnQD5yh
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral1/files/0x0031000000023b70-14.dat, yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (Celestial.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (sk3d_club.exe)
- Executes dropped EXE (2 IoCs)
  PID 5076, sk3d_club.exe
  PID 64, Client.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Celestial.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sk3d_club.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1884, taskmgr.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1884, taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1884, taskmgr.exe
  Token: SeSystemProfilePrivilege, PID 1884, taskmgr.exe
  Token: SeCreateGlobalPrivilege, PID 1884, taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 1884, taskmgr.exe (64 identical entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  PID 1884, taskmgr.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 2888 wrote to memory of 5076; pid 2888, Celestial.exe, procid_target 83 (3 identical entries)
  PID 5076 wrote to memory of 64; pid 5076, sk3d_club.exe, procid_target 85 (2 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Celestial.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
  PID: 2888
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sk3d_club.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sk3d_club.exe"
    PID: 5076
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Client.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      PID: 64
      - Executes dropped EXE
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 1884
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 48KB
  MD5: 3d5d9fcc50f0ee536db107a2bb181f2d
  SHA1: 5b05d924177a9adf852abefa4d0afa77082b8370
  SHA256: febd0d25c9dcea243c4cd39dbf90178d970fbfd6305555291176aaa86bcfb391
  SHA512: 143f6ff7522c798802da4dce511a671a2f43ee2c1368a1bfb8455f181956bcb97e89bfe42a21b1b4d21814bea92fdbdfd423cdef5d6540f447da4a84d521ffb6
- Filesize: 103KB
  MD5: 02075363168c82697c7726c175740b6e
  SHA1: 0adf648a0c0eb63cfa5dc2057feab117bc8ea0cd
  SHA256: 733abf5dda85c41d1ce08b60175da38c3b84fac864ad0c06e225530ac30332e1
  SHA512: d381292bac696d0f95682264ce144e13f31bbe4d0dc34b5c277874278155768824c2bf14904f297e3aa9a321dd6790084129cb6c9e91d05ca318ee0d75e36094