Analysis

Max time kernel: 132s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 06-03-2022 14:47

Behavioral task: behavioral1
Sample: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
Resource: win7-20220223-en (windows7_x64)
Result: 0 signatures, 0 seconds
General

Target: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
Size: 88KB
MD5: 5594fd3b929e2e30d3d70e4c0063085b
SHA1: 90dc29422eef76512b554017c015ddfabd400784
SHA256: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683
SHA512: 48f152407cfeb71c86def1ed6ae84c1703649cfa5e2d2dfcf501bba17acfdfbc59f62c53a10d6e83bf17916a62115f658d0bd0f9ace68b1b2370cdd32c0df7dd
Malware Config
Signatures
-
Drops file in System32 directory (4 IoCs)
Process: colorsxcl.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
Note: all four paths are the WinINet cache, cookie and history folders under the SYSTEM account's profile. They are created whenever a process running in the system context initialises WinINet, so this signature points to system-level HTTP activity by colorsxcl.exe rather than to a dropped payload; the report lists no written executable or other file content here.
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
Note: this is the sandbox's generic description for drive enumeration. The report records no file-encryption, file-rename or ransom-note IoCs, so drive enumeration alone should not be read as confirmed ransomware activity for this sample.
-
Modifies data under HKEY_USERS (3 IoCs)
Process: colorsxcl.exe
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Note: these CachePrefix values under the .DEFAULT hive are the standard keys WinINet writes when it is first used from the SYSTEM profile. Together with the INetCache paths above they indicate that colorsxcl.exe runs with system privileges and uses WinINet for network access; they are not a persistence mechanism.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Process: colorsxcl.exe, PID 1280 (all 12 process-enumeration events)
Suspicious behavior: RenamesItself (1 IoC)
Process: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe, PID 3352
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe, colorsxcl.exe

  Source PID  Source process                                                          Target PID  Target process
  3156        dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe   3352        dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
  3156        dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe   3352        dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
  3156        dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe   3352        dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
  992         colorsxcl.exe                                                           1280        colorsxcl.exe
  992         colorsxcl.exe                                                           1280        colorsxcl.exe
  992         colorsxcl.exe                                                           1280        colorsxcl.exe

In both cases the parent writes three times into a child that is a second instance of its own image (see the process tree below): the original sample into PID 3352, and the SysWOW64 copy colorsxcl.exe into PID 1280.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe --2e491d45
    - Suspicious behavior: RenamesItself

Level 1: C:\Windows\SysWOW64\colorsxcl.exe
  Command line: "C:\Windows\SysWOW64\colorsxcl.exe"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\colorsxcl.exe
    Command line: C:\Windows\SysWOW64\colorsxcl.exe --82335b27
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
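The process tree and the WriteProcessMemory IoCs above share one pattern: a process starts a second copy of its own image with a single `--<8 hex digits>` argument and then writes into that child's memory, first as the original sample (3156 writes into 3352) and again as the SysWOW64 copy colorsxcl.exe (992 writes into 1280). The following Python is an added example, not part of the sandbox report, showing how a hunt rule for that pattern can be expressed over process-creation and memory-write events. The event records are modelled on the report's own PIDs, images and command lines; the record field names, the parent PID 0 for the two top-level processes, and the benign cmd.exe control pair are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Event shapes are an assumption for this example, not a sandbox export format.
@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # command line as recorded

@dataclass(frozen=True)
class MemoryWriteEvent:
    source_pid: int
    target_pid: int

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe"
COPY = r"C:\Windows\SysWOW64\colorsxcl.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Modelled on the report's process tree. ppid=0 for the roots is an assumption
# (the report does not show their parents). The cmd.exe pair is a constructed
# benign control: same image in parent and child, but no token argument and no
# memory write, so it must not be flagged.
PROCESSES: List[ProcessEvent] = [
    ProcessEvent(3156, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(3352, 3156, SAMPLE, f"{SAMPLE} --2e491d45"),
    ProcessEvent(992, 0, COPY, f'"{COPY}"'),
    ProcessEvent(1280, 992, COPY, f"{COPY} --82335b27"),
    ProcessEvent(4000, 0, CMD, f'"{CMD}"'),
    ProcessEvent(4001, 4000, CMD, f"{CMD} /c dir"),
]

# Modelled on the six WriteProcessMemory IoCs (three per parent/child pair).
MEMORY_WRITES: List[MemoryWriteEvent] = (
    [MemoryWriteEvent(3156, 3352)] * 3 + [MemoryWriteEvent(992, 1280)] * 3
)

# Exactly one argument of the form --xxxxxxxx (8 hex digits), nothing else.
HEX_TOKEN_ARG = re.compile(r"^\s*--[0-9a-f]{8}\s*$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args_after_image(ev: ProcessEvent) -> str:
    """Strip the (optionally quoted) image path from the command line."""
    cmd = ev.cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:] if end != -1 else ""
    if cmd.lower().startswith(ev.image.lower()):
        return cmd[len(ev.image):]
    return cmd  # cannot separate image from arguments; treat all as arguments


def find_self_relaunch_with_injection(
    processes: List[ProcessEvent], writes: List[MemoryWriteEvent]
) -> List[Tuple[int, int, str, str]]:
    """Return (parent_pid, child_pid, image_basename, token_arg) for every child
    that (a) shares its parent's image, (b) was started with only a --<8 hex>
    argument, and (c) had its memory written by that parent."""
    by_pid: Dict[int, ProcessEvent] = {p.pid: p for p in processes}
    writers: Dict[int, Set[int]] = {}
    for w in writes:
        writers.setdefault(w.target_pid, set()).add(w.source_pid)

    findings = []
    for child in processes:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        args = _args_after_image(child)
        same_image = _basename(parent.image) == _basename(child.image)
        token_arg = HEX_TOKEN_ARG.match(args) is not None
        injected = parent.pid in writers.get(child.pid, set())
        if same_image and token_arg and injected:
            findings.append((parent.pid, child.pid, _basename(child.image), args.strip()))
    return findings


if __name__ == "__main__":
    for parent_pid, child_pid, image, arg in find_self_relaunch_with_injection(PROCESSES, MEMORY_WRITES):
        print(f"self-relaunch + injection: {image} PID {parent_pid} -> PID {child_pid} ({arg})")
```

Requiring all three conditions keeps the rule narrow: same-image parent/child pairs are common for legitimate software (cmd.exe, browsers, updaters), and a lone memory write into a child is routine for debuggers and some launchers, but the combination with an opaque hex token as the only argument matches what this report records and little else. In a real deployment the events would come from Sysmon event IDs 1 and 8/10 or an EDR feed rather than from the in-script lists.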