Resubmissions

23-10-2021 13:49

211023-q4pj3acda6 9

27-09-2021 16:25

210927-tw86aahecn 10

27-09-2021 16:15

210927-tp7c4shebk 10

25-09-2021 21:37

210925-1glj1adhh7 9

24-09-2021 00:57

210924-bbd6asfdgj 10

24-09-2021 00:56

210924-bad4xafdfr 9

Analysis

  • max time kernel
    88s
  • max time network
    92s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-09-2021 16:15

General

  • Target

    APP.exe

  • Size

    5.2MB

  • MD5

    a0b4d2c96937104bcffd21ce69885a59

  • SHA1

    6cda6e2bee6d67a5f407e4d7e96af9d76bfa7c79

  • SHA256

    72cb50e5791e1fcb11d24bc4cff3b44379a529c5549fbf6f500adcd67bfe9139

  • SHA512

    17b1b4de1bddb7f357744ace07509481e80eb8a63fa9c39ee00ecd7eba3b03611eb0e2329e88e20b05e8a2655fa67a7b699c8455c1fa9aebeba4384151ae2ee0

Malware Config

Extracted

Path

C:\Users\Admin\HOW_TO_RECOVER_FILES.Colossus.txt

Ransom Note
[+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have "Colossus" extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should come to talk to us we can decrypt one of your files for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. time is much more valuable than money. [+] Data Leak [+] We uploaded your data and if you dont contact with us then we will publish your data. Example of data: - Accounting data - Executive data - Sales data - Customer support data - Marketing data - And more other ... [+] How to Contact? [+] You have two options : 1. Chat with me : -Visit our website: http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/ -When you visit our website, put the following KEY into the input form. -Then start talk to me. 2. Email me at : [email protected] KEY: MjdhZDUzM2Y3MTVhZmUxZjI2NTk2ZGM4YjVhN2EwMDEzODk2M2ZhNWEzMGU2Mjc5MTU4ODFjYjhiNWE3YTAwMTM4OTYzZmE1YTMwZTYyNzkxNTg4MWNiZmRkNDkwNDhiNzA0MjVhNGU0YTc0N2FhYzY0MWU5MTFjODY3M2RhZGQ= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we ready to make everything for restoring but please do not interfere. !!! !!! !!
URLs

http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Colossus Note 2 IoCs

    Detect Colossus ransomware note.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\APP.exe
    "C:\Users\Admin\AppData\Local\Temp\APP.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    PID:4060
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1840
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Users\Admin\AppData\Local\Temp\APP.exe
        .\APP.exe 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C:\Users\Admin
        2⤵
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        PID:632
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\HOW_TO_RECOVER_FILES.Colossus.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:3552

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/632-117-0x0000000000B90000-0x000000000186B000-memory.dmp

      Filesize

      12.9MB

    • memory/4060-114-0x0000000000B90000-0x000000000186B000-memory.dmp

      Filesize

      12.9MB

    • memory/4060-115-0x0000000000B91000-0x0000000000C77000-memory.dmp

      Filesize

      920KB