Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 21:07
Behavioral task: behavioral1
- Sample: Celestial.exe
- Resource: win7-20240508-en
General
- Target: Celestial.exe
- Size: 3.1MB
- MD5: 12bdd4b4c107fc3ffec7f9b29d7d6a93
- SHA1: 04bb395848578e22cef0c90215463e4efe4965c3
- SHA256: af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440
- SHA512: ff4a2c42ac1fed5421955a949cf28c9abb714484bb68259f160516d10a7a179cc6e6327ab2fc2f099ba51a98b25fa5f41ea2af4f3815159e1ce7f75a698b8251
- SSDEEP: 49152:nv6lL26AaNeWgPhlmVqvMQ7XSKZkxNESElk/iULoGdldTHHB72eh2NT:nviL26AaNeWgPhlmVqkQ7XSKGxsa
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- tag: Office04
- c2: 147.185.221.19:33365
- mutex: ba5220e2-c4e8-4381-aad8-a85115ef955e
- encryption_key: 67C139F3E9A16FF8132A3DCF42197B8BA3C38609
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Miicrosoft Securiity
- subdirectory: Miicrosoft Securiity
Signatures
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1548-1-0x0000000000330000-0x0000000000654000-memory.dmp | family_quasar
C:\Program Files\Miicrosoft Securiity\Client.exe | family_quasar
Executes dropped EXE 1 IoCs
Processes:
pid | process
752 | Client.exe
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Miicrosoft Securiity\Client.exe | Celestial.exe
File opened for modification | C:\Program Files\Miicrosoft Securiity | Celestial.exe
File opened for modification | C:\Program Files\Miicrosoft Securiity | Client.exe
File created | C:\Program Files\Miicrosoft Securiity\Client.exe | Celestial.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2320 | schtasks.exe
1484 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1548 | Celestial.exe
Token: SeDebugPrivilege | 752 | Client.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
752 | Client.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
752 | Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
752 | Client.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 1548 wrote to memory of 2320 | 1548 | Celestial.exe | schtasks.exe
PID 1548 wrote to memory of 2320 | 1548 | Celestial.exe | schtasks.exe
PID 1548 wrote to memory of 752 | 1548 | Celestial.exe | Client.exe
PID 1548 wrote to memory of 752 | 1548 | Celestial.exe | Client.exe
PID 752 wrote to memory of 1484 | 752 | Client.exe | schtasks.exe
PID 752 wrote to memory of 1484 | 752 | Client.exe | schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Celestial.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Miicrosoft Securiity" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Securiity\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  - (depth 2) C:\Program Files\Miicrosoft Securiity\Client.exe
    Command line: "C:\Program Files\Miicrosoft Securiity\Client.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Miicrosoft Securiity" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Securiity\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\Miicrosoft Securiity\Client.exe
  Filesize: 3.1MB
  MD5: 12bdd4b4c107fc3ffec7f9b29d7d6a93
  SHA1: 04bb395848578e22cef0c90215463e4efe4965c3
  SHA256: af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440
  SHA512: ff4a2c42ac1fed5421955a949cf28c9abb714484bb68259f160516d10a7a179cc6e6327ab2fc2f099ba51a98b25fa5f41ea2af4f3815159e1ce7f75a698b8251
- memory/752-9-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
  Filesize: 10.8MB
- memory/752-10-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
  Filesize: 10.8MB
- memory/752-11-0x000000001E110000-0x000000001E160000-memory.dmp
  Filesize: 320KB
- memory/752-12-0x000000001E220000-0x000000001E2D2000-memory.dmp
  Filesize: 712KB
- memory/752-13-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
  Filesize: 10.8MB
- memory/1548-0-0x00007FFECB833000-0x00007FFECB835000-memory.dmp
  Filesize: 8KB
- memory/1548-1-0x0000000000330000-0x0000000000654000-memory.dmp
  Filesize: 3.1MB
- memory/1548-2-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
  Filesize: 10.8MB
- memory/1548-8-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
  Filesize: 10.8MB