Resubmissions
date | analysis id | score
23-10-2021 13:49 | 211023-q4pj3acda6 | 9
27-09-2021 16:25 | 210927-tw86aahecn | 10
27-09-2021 16:15 | 210927-tp7c4shebk | 10
25-09-2021 21:37 | 210925-1glj1adhh7 | 9
24-09-2021 00:57 | 210924-bbd6asfdgj | 10
24-09-2021 00:56 | 210924-bad4xafdfr | 9

Analysis
- max time kernel: 88s
- max time network: 92s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-09-2021 16:15

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: APP.exe
  Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: APP.exe
- Size: 5.2MB
- MD5: a0b4d2c96937104bcffd21ce69885a59
- SHA1: 6cda6e2bee6d67a5f407e4d7e96af9d76bfa7c79
- SHA256: 72cb50e5791e1fcb11d24bc4cff3b44379a529c5549fbf6f500adcd67bfe9139
- SHA512: 17b1b4de1bddb7f357744ace07509481e80eb8a63fa9c39ee00ecd7eba3b03611eb0e2329e88e20b05e8a2655fa67a7b699c8455c1fa9aebeba4384151ae2ee0
- Score: 10/10
Malware Config
Extracted
Path
C:\Users\Admin\HOW_TO_RECOVER_FILES.Colossus.txt
Ransom Note
[+] What's Happened? [+]
Your files have been encrypted and currently unavailable. You can check it. All files in your system have "Colossus" extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data.
[+] What are our guarantees? [+]
It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should come to talk to us we can decrypt one of your files for free. That is our guarantee.
It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. time is much more valuable than money.
[+] Data Leak [+]
We uploaded your data and if you dont contact with us then we will publish your data.
Example of data:
- Accounting data
- Executive data
- Sales data
- Customer support data
- Marketing data
- And more other ...
[+] How to Contact? [+]
You have two options :
1. Chat with me :
-Visit our website: http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/
-When you visit our website, put the following KEY into the input form.
-Then start talk to me.
2. Email me at : [email protected]
KEY:
MjdhZDUzM2Y3MTVhZmUxZjI2NTk2ZGM4YjVhN2EwMDEzODk2M2ZhNWEzMGU2Mjc5MTU4ODFjYjhiNWE3YTAwMTM4OTYzZmE1YTMwZTYyNzkxNTg4MWNiZmRkNDkwNDhiNzA0MjVhNGU0YTc0N2FhYzY0MWU5MTFjODY3M2RhZGQ=
!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss!
!!! !!! !!!
ONE MORE TIME: It's in your best interests to get your files back. From our side we ready to make everything for restoring but please do not interfere.
!!! !!! !!
Emails
URLs
http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | APP.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | APP.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | APP.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | APP.exe
- YARA rule match: themida
  resource | yara_rule
  behavioral1/memory/4060-114-0x0000000000B90000-0x000000000186B000-memory.dmp | themida
  behavioral1/memory/632-117-0x0000000000B90000-0x000000000186B000-memory.dmp | themida
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | APP.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | APP.exe
- Colossus_Note
  resource | yara_rule
  behavioral1/files/0x000600000001ab2c-119.dat | Colossus_Note
- Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  3552 | NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3168 wrote to memory of 632 | 3168 | cmd.exe | 81
  PID 3168 wrote to memory of 632 | 3168 | cmd.exe | 81
Processes
- C:\Users\Admin\AppData\Local\Temp\APP.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\APP.exe"
  PID: 4060
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1840
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"
  PID: 3168
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\APP.exe (child of PID 3168)
    Command line: .\APP.exe 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C:\Users\Admin
    PID: 632
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\HOW_TO_RECOVER_FILES.Colossus.txt
  PID: 3552
  - Opens file in notepad (likely ransom note)