Resubmissions

23-10-2021 13:49

211023-q4pj3acda6 9

27-09-2021 16:25

210927-tw86aahecn 10

27-09-2021 16:15

210927-tp7c4shebk 10

25-09-2021 21:37

210925-1glj1adhh7 9

24-09-2021 00:57

210924-bbd6asfdgj 10

24-09-2021 00:56

210924-bad4xafdfr 9

Analysis

  • max time kernel
    591s
  • max time network
    381s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-09-2021 00:43

General

  • Target

    APP.exe

  • Size

    5.2MB

  • MD5

    a0b4d2c96937104bcffd21ce69885a59

  • SHA1

    6cda6e2bee6d67a5f407e4d7e96af9d76bfa7c79

  • SHA256

    72cb50e5791e1fcb11d24bc4cff3b44379a529c5549fbf6f500adcd67bfe9139

  • SHA512

    17b1b4de1bddb7f357744ace07509481e80eb8a63fa9c39ee00ecd7eba3b03611eb0e2329e88e20b05e8a2655fa67a7b699c8455c1fa9aebeba4384151ae2ee0

Malware Config

Extracted

Path

C:\Windows\HOW_TO_RECOVER_FILES.Colossus.txt

Ransom Note
[+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have "Colossus" extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should come to talk to us we can decrypt one of your files for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. time is much more valuable than money. [+] Data Leak [+] We uploaded your data and if you dont contact with us then we will publish your data. Example of data: - Accounting data - Executive data - Sales data - Customer support data - Marketing data - And more other ... [+] How to Contact? [+] You have two options : 1. Chat with me : -Visit our website: http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/ -When you visit our website, put the following KEY into the input form. -Then start talk to me. 2. Email me at : colossussupport@protonmail.com KEY: MjdhZDUzM2Y3MTVhZmUxZjI2NTk2ZGM4YjVhN2EwMDEzODk2M2ZhNWEzMGU2Mjc5MTU4ODFjYjhiNWE3YTAwMTM4OTYzZmE1YTMwZTYyNzkxNTg4MWNiZmRkNDkwNDhiNzA0MjVhNGU0YTc0N2FhYzY0MWU5MTFjODY3M2RhZGQ= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we ready to make everything for restoring but please do not interfere. !!! !!! !!
Emails

colossussupport@protonmail.com

URLs

http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\APP.exe
    "C:\Users\Admin\AppData\Local\Temp\APP.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    PID:808
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
    1⤵
      PID:1200
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:1168
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 GFBFPSXA
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:2184
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 GFBFPSXA -Verbose
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:2188
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 GFBFPSXA
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:2708
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 GFBFPSXA
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:1836
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C:\Windows
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          PID:3616
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:3348
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 .\wmsetup.log
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:3168
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C:\Users\Admin\Desktop\*
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:1900
        • C:\Users\Admin\AppData\Local\Temp\APP.exe
          "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8
          2⤵
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          PID:1656

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/808-115-0x0000000000891000-0x0000000000977000-memory.dmp
        Filesize

        920KB

      • memory/808-114-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/1168-167-0x0000000000000000-mapping.dmp
      • memory/1168-168-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/1656-229-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/1656-228-0x0000000000000000-mapping.dmp
      • memory/1836-181-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/1836-180-0x0000000000000000-mapping.dmp
      • memory/1900-193-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/1900-192-0x0000000000000000-mapping.dmp
      • memory/2184-171-0x0000000000000000-mapping.dmp
      • memory/2184-172-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/2188-174-0x0000000000000000-mapping.dmp
      • memory/2188-175-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/2708-177-0x0000000000000000-mapping.dmp
      • memory/2708-178-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/3168-189-0x0000000000000000-mapping.dmp
      • memory/3168-190-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/3348-187-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/3348-186-0x0000000000000000-mapping.dmp
      • memory/3616-184-0x0000000000890000-0x000000000156B000-memory.dmp
        Filesize

        12.9MB

      • memory/3616-183-0x0000000000000000-mapping.dmp
      • memory/3912-162-0x000001F39C050000-0x000001F39C051000-memory.dmp
        Filesize

        4KB

      • memory/3912-152-0x000001F39C230000-0x000001F39C231000-memory.dmp
        Filesize

        4KB

      • memory/3912-141-0x000001F39C010000-0x000001F39C011000-memory.dmp
        Filesize

        4KB

      • memory/3912-138-0x000001F399B93000-0x000001F399B95000-memory.dmp
        Filesize

        8KB

      • memory/3912-205-0x000001F399B98000-0x000001F399B99000-memory.dmp
        Filesize

        4KB

      • memory/3912-204-0x000001F399B96000-0x000001F399B98000-memory.dmp
        Filesize

        8KB

      • memory/3912-137-0x000001F399B90000-0x000001F399B92000-memory.dmp
        Filesize

        8KB

      • memory/3912-121-0x000001F39BB70000-0x000001F39BB71000-memory.dmp
        Filesize

        4KB