Overview

overview

10

Static

static

7

APP.exe

windows10_x64

10

Resubmissions

23-10-2021 13:49

211023-q4pj3acda6 9

27-09-2021 16:25

210927-tw86aahecn 10

27-09-2021 16:15

210927-tp7c4shebk 10

25-09-2021 21:37

210925-1glj1adhh7 9

24-09-2021 00:57

210924-bbd6asfdgj 10

24-09-2021 00:56

210924-bad4xafdfr 9

Analysis

  • max time kernel
    877s
  • max time network
    752s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-09-2021 00:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    APP.exe

Score
10/10
colossusevasionransomwarethemidatrojan

Malware Config

Extracted

Path

C:\HOW_TO_RECOVER_FILES.Colossus.txt

Family

colossus

Ransom Note
[+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have "Colossus" extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should come to talk to us we can decrypt one of your files for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. time is much more valuable than money. [+] Data Leak [+] We uploaded your data and if you dont contact with us then we will publish your data. Example of data: - Accounting data - Executive data - Sales data - Customer support data - Marketing data - And more other ... [+] How to Contact? [+] You have two options : 1. Chat with me : -Visit our website: http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/ -When you visit our website, put the following KEY into the input form. -Then start talk to me. 2. Email me at : [email protected] KEY: MjdhZDUzM2Y3MTVhZmUxZjI2NTk2ZGM4YjVhN2EwMDEzODk2M2ZhNWEzMGU2Mjc5MTU4ODFjYjhiNWE3YTAwMTM4OTYzZmE1YTMwZTYyNzkxNTg4MWNiZmRkNDkwNDhiNzA0MjVhNGU0YTc0N2FhYzY0MWU5MTFjODY3M2RhZGQ= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we ready to make everything for restoring but please do not interfere. !!! !!! !!
URLs

http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/

Signatures

  • Colossus

    Ransomware discovered by ZeroFox.

    ransomwarecolossus
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 7 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 6 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\APP.exe
    "C:\Users\Admin\AppData\Local\Temp\APP.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    PID:2544
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Users\Admin\AppData\Local\Temp\APP.exe
        "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8
        2⤵
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:2324
      • C:\Users\Admin\AppData\Local\Temp\APP.exe
        "C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 c:\
        2⤵
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:3680
      • C:\Users\Admin\AppData\Local\Temp\APP.exe
        "C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 c:\
        2⤵
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:2204
      • C:\Users\Admin\AppData\Local\Temp\APP.exe
        "C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 *
        2⤵
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:3788
      • C:\Users\Admin\AppData\Local\Temp\APP.exe
        "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 *
        2⤵
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:1844
      • C:\Users\Admin\AppData\Local\Temp\APP.exe
        "C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C:\
        2⤵
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:2260

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/772-120-0x000001ABD85E0000-0x000001ABD85E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/772-136-0x000001ABBFEA0000-0x000001ABBFEA2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/772-138-0x000001ABBFEA3000-0x000001ABBFEA5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/772-139-0x000001ABD8A80000-0x000001ABD8A81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/772-150-0x000001ABD8B40000-0x000001ABD8B41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/772-161-0x000001ABD8AC0000-0x000001ABD8AC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/772-170-0x000001ABBFEA6000-0x000001ABBFEA8000-memory.dmp

      Filesize

      8KB

      Download

    • memory/772-171-0x000001ABBFEA8000-0x000001ABBFEA9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1844-235-0x0000000000210000-0x0000000000EEB000-memory.dmp

      Filesize

      12.9MB

      Download

    • memory/2204-229-0x0000000000210000-0x0000000000EEB000-memory.dmp

      Filesize

      12.9MB

      Download

    • memory/2260-238-0x0000000000210000-0x0000000000EEB000-memory.dmp

      Filesize

      12.9MB

      Download

    • memory/2324-183-0x0000000000210000-0x0000000000EEB000-memory.dmp

      Filesize

      12.9MB

      Download

    • memory/2544-114-0x0000000000210000-0x0000000000EEB000-memory.dmp

      Filesize

      12.9MB

      Download

    • memory/2544-115-0x0000000000211000-0x00000000002F7000-memory.dmp

      Filesize

      920KB

      Download

    • memory/3680-226-0x0000000000210000-0x0000000000EEB000-memory.dmp

      Filesize

      12.9MB

      Download

    • memory/3788-232-0x0000000000210000-0x0000000000EEB000-memory.dmp

      Filesize

      12.9MB

      Download