b64f1ae363def3f1ed59b99340142279cb626d99a562573deeae1a35cb86e7cb

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celestial Builds.exe
Size

14.5MB
MD5

ab42170cab56768f31450308df971b2d
SHA1

d1a6ba8a81bb19d42509f89d9d809073b0aa273e
SHA256

b64f1ae363def3f1ed59b99340142279cb626d99a562573deeae1a35cb86e7cb
SHA512

4392bdc8a3f20a5e69bb8a9b77bcf80c53dbd07559f0a16e0676c3e726dc71ee528b9f12b37a5053ff8cca33e6eaa6cda50cbff0ff894b78460ef365f5a35fd3
SSDEEP

393216:QThgdIBFP8sgAQTeXuxnse8r3cE7hPIccZfZYitv6aJuF:QThoIDk5oosXr3cJcO+itk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	main.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	Celestial Builds.exe
2732	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2732	2200	Celestial Builds.exe	31
PID 2200 wrote to memory of 2732	2200	Celestial Builds.exe	31
PID 2200 wrote to memory of 2732	2200	Celestial Builds.exe	31

C:\Users\Admin\AppData\Local\Temp\Celestial Builds.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial Builds.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\onefile_2200_133814595683840000\main.exe
  "C:\Users\Admin\AppData\Local\Temp\Celestial Builds.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2200_133814595683840000\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2200_133814595683840000\main.exe

Filesize
27.0MB

MD5
11d4f42bb330a281591a8dd0b8c7dc83

SHA1
441a7c78da060e702f8342f0d187f62e40132509

SHA256
a31a0771096ed752bf3bd6343edff5e92e0835145257f9ca93544d3bdedab40f

SHA512
b5d727855b7866e1565891e5a309f89065ec03b262fd6a6292257ea9f96579539ff710adec6fbafa8d86a7fbdd3dce9d8b4841e8fd979bd6ba3c0182f8d9a7a5

Download Submit