colibri | 792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f

General

Target

792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe
Size

425KB
MD5

9e7322df010fcaf39555b79849014ff2
SHA1

aa5f2d73b5dd6c0e6207b5cbb1b5d8dadff31008
SHA256

792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f
SHA512

97455f588328c467523c676449716e480e8638015bab280d194104da44a563d528645f7175b0a3f81d9c4cb62d7560893b143a70361a5ef3418e9bcd2e17f9a5

Score

10^/10

colibri build1 loader suricata

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata
Executes dropped EXE 1 IoCs

Processes:

tmpBCEC.tmp.exe

pid process

4960 tmpBCEC.tmp.exe

pid	process
4960	tmpBCEC.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5024 schtasks.exe

pid	process
5024	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe

description	pid	process	target process
PID 3208 wrote to memory of 4960	3208	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe	tmpBCEC.tmp.exe
PID 3208 wrote to memory of 4960	3208	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe	tmpBCEC.tmp.exe
PID 3208 wrote to memory of 4960	3208	792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe	tmpBCEC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe
"C:\Users\Admin\AppData\Local\Temp\792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:4960
- - C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\schtasks.exe
    /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
    3⤵
    - Creates scheduled task(s)
    PID:5024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
  "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
  2⤵
  PID:3588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe

Filesize
87KB

MD5
cab62deb76880ed5c49abfefa6f7862c

SHA1
c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

SHA256
45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

SHA512
57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

Download Submit
memory/3208-135-0x000000001EBF0000-0x000000001ECFA000-memory.dmp

Filesize
1.0MB

Download
memory/3208-137-0x000000001EB60000-0x000000001EB9C000-memory.dmp

Filesize
240KB

Download
memory/3208-136-0x000000001EB00000-0x000000001EB12000-memory.dmp

Filesize
72KB

Download
memory/3208-131-0x00007FF8C0B50000-0x00007FF8C1611000-memory.dmp

Filesize
10.8MB

Download
memory/3208-130-0x0000000000750000-0x00000000007BE000-memory.dmp

Filesize
440KB

Download
memory/3588-147-0x0000000000000000-mapping.dmp

Download
memory/4348-143-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/4348-139-0x0000000000000000-mapping.dmp

Download
memory/4604-145-0x0000017863240000-0x0000017863284000-memory.dmp

Filesize
272KB

Download
memory/4604-144-0x000001784B050000-0x000001784B072000-memory.dmp

Filesize
136KB

Download
memory/4604-146-0x0000017864EC0000-0x0000017864F36000-memory.dmp

Filesize
472KB

Download
memory/4604-149-0x00007FF8C0B50000-0x00007FF8C1611000-memory.dmp

Filesize
10.8MB

Download
memory/4960-142-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/4960-132-0x0000000000000000-mapping.dmp

Download
memory/5024-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads