Overview

overview

10

Static

static

792536cb7e...2f.exe

windows7_x64

10

792536cb7e...2f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    14s
  • max time network
    81s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe

  • Size

    425KB

  • MD5

    9e7322df010fcaf39555b79849014ff2

  • SHA1

    aa5f2d73b5dd6c0e6207b5cbb1b5d8dadff31008

  • SHA256

    792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f

  • SHA512

    97455f588328c467523c676449716e480e8638015bab280d194104da44a563d528645f7175b0a3f81d9c4cb62d7560893b143a70361a5ef3418e9bcd2e17f9a5

Score
10/10
colibribuild1loadersuricata

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • suricata: ET MALWARE Generic gate .php GET with minimal headers

    suricata: ET MALWARE Generic gate .php GET with minimal headers

    suricata
  • suricata: ET MALWARE Win32/Colibri Loader Activity

    suricata: ET MALWARE Win32/Colibri Loader Activity

    suricata
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe
    "C:\Users\Admin\AppData\Local\Temp\792536cb7e72e25a03d2b9b2d54027106eb2003ab56f7104cd407f57693cfc2f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe"
      2⤵
      • Executes dropped EXE
      PID:4960
      • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
        "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
        3⤵
          PID:4348
        • C:\Windows\SysWOW64\schtasks.exe
          /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
          3⤵
          • Creates scheduled task(s)
          PID:5024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden
      1⤵
        PID:4604
        • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
          "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
          2⤵
            PID:3588

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
          Filesize

          87KB

          MD5

          cab62deb76880ed5c49abfefa6f7862c

          SHA1

          c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

          SHA256

          45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

          SHA512

          57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
          Filesize

          87KB

          MD5

          cab62deb76880ed5c49abfefa6f7862c

          SHA1

          c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

          SHA256

          45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

          SHA512

          57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
          Filesize

          87KB

          MD5

          cab62deb76880ed5c49abfefa6f7862c

          SHA1

          c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

          SHA256

          45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

          SHA512

          57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe
          Filesize

          87KB

          MD5

          cab62deb76880ed5c49abfefa6f7862c

          SHA1

          c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

          SHA256

          45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

          SHA512

          57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpBCEC.tmp.exe
          Filesize

          87KB

          MD5

          cab62deb76880ed5c49abfefa6f7862c

          SHA1

          c8b358844131c983dd96b1ca74ea1b8d5d34c6a8

          SHA256

          45fff4489cc037313de8edf3589515197c184579658921fb06eb6fd4e860253e

          SHA512

          57c4ef898513b8c9c4e14e053e3d2beac2feb0f676e77577a20bbbde4c921cf830e9a803fd001a43b5441c1edff5a94e3b00837279286f613da3d9402f07ee06

          Download Submit
        • memory/3208-135-0x000000001EBF0000-0x000000001ECFA000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3208-137-0x000000001EB60000-0x000000001EB9C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/3208-136-0x000000001EB00000-0x000000001EB12000-memory.dmp
          Filesize

          72KB

          Download
        • memory/3208-131-0x00007FF8C0B50000-0x00007FF8C1611000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3208-130-0x0000000000750000-0x00000000007BE000-memory.dmp
          Filesize

          440KB

          Download
        • memory/3588-147-0x0000000000000000-mapping.dmp
          Download
        • memory/4348-143-0x0000000000190000-0x00000000001A6000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4348-139-0x0000000000000000-mapping.dmp
          Download
        • memory/4604-145-0x0000017863240000-0x0000017863284000-memory.dmp
          Filesize

          272KB

          Download
        • memory/4604-144-0x000001784B050000-0x000001784B072000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4604-146-0x0000017864EC0000-0x0000017864F36000-memory.dmp
          Filesize

          472KB

          Download
        • memory/4604-149-0x00007FF8C0B50000-0x00007FF8C1611000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4960-142-0x0000000000AF0000-0x0000000000B06000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4960-132-0x0000000000000000-mapping.dmp
          Download
        • memory/5024-138-0x0000000000000000-mapping.dmp
          Download