colibri | 7513d19dab3fc25a8276ec33132b9114856e01c67c90dbd0318c7aa6dc2b3561

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-07-2022 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe
Size

124KB
MD5

5a8bc676cf03b77f3d81a2907119d4d5
SHA1

2114152d909c30d68af23c8526df2599c94d87cc
SHA256

ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae
SHA512

ee500b493c0062e69b2fa9d90ed0e5e64049aecddd37fdec19f36e6d5d8562dd6f5f2d5c32216061da640e09bf943a9f1c94777869dc7db260276becbed711db

Score

10^/10

colibri build1 loader persistence suricata

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

Get-Variable.exeGet-Variable.exesigned.exeMsDrvSrvc.exemnr.execloudwindrar.exe

pid process

4396 Get-Variable.exe
4816 Get-Variable.exe
2260 signed.exe
4436 MsDrvSrvc.exe
4520 mnr.exe
3340 cloudwindrar.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mnr.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation mnr.exe

pid	process
4396	Get-Variable.exe
4816	Get-Variable.exe
2260	signed.exe
4436	MsDrvSrvc.exe
4520	mnr.exe
3340	cloudwindrar.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	mnr.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

signed.exemnr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Service = "C:\\ProgramData\\MsDrvSrvc.exe"	signed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cloudwindrar-System-API = "C:\\ProgramData\\sfsxzipper\\cloudwindrar.exe"	mnr.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	signed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4756 schtasks.exe
1956 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2908 timeout.exe

pid	process
4756	schtasks.exe
1956	schtasks.exe

pid	process
2908	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesigned.exeMsDrvSrvc.exemnr.exe

pid	process
2708	powershell.exe
2708	powershell.exe
2260	signed.exe
2260	signed.exe
4436	MsDrvSrvc.exe
4436	MsDrvSrvc.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe
4520	mnr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exemnr.execloudwindrar.exe

description	pid	process
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	4520	mnr.exe
Token: SeDebugPrivilege	4520	mnr.exe
Token: SeDebugPrivilege	3340	cloudwindrar.exe
Token: SeDebugPrivilege	3340	cloudwindrar.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exepowershell.exeGet-Variable.exesigned.exemnr.execmd.exe

description	pid	process	target process
PID 3116 wrote to memory of 1956	3116	ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe	schtasks.exe
PID 3116 wrote to memory of 1956	3116	ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe	schtasks.exe
PID 3116 wrote to memory of 1956	3116	ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe	schtasks.exe
PID 3116 wrote to memory of 4396	3116	ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe	Get-Variable.exe
PID 3116 wrote to memory of 4396	3116	ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe	Get-Variable.exe
PID 3116 wrote to memory of 4396	3116	ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe	Get-Variable.exe
PID 2708 wrote to memory of 4816	2708	powershell.exe	Get-Variable.exe
PID 2708 wrote to memory of 4816	2708	powershell.exe	Get-Variable.exe
PID 2708 wrote to memory of 4816	2708	powershell.exe	Get-Variable.exe
PID 4396 wrote to memory of 2260	4396	Get-Variable.exe	signed.exe
PID 4396 wrote to memory of 2260	4396	Get-Variable.exe	signed.exe
PID 2260 wrote to memory of 4436	2260	signed.exe	MsDrvSrvc.exe
PID 2260 wrote to memory of 4436	2260	signed.exe	MsDrvSrvc.exe
PID 4396 wrote to memory of 4520	4396	Get-Variable.exe	mnr.exe
PID 4396 wrote to memory of 4520	4396	Get-Variable.exe	mnr.exe
PID 4520 wrote to memory of 4756	4520	mnr.exe	schtasks.exe
PID 4520 wrote to memory of 4756	4520	mnr.exe	schtasks.exe
PID 4520 wrote to memory of 3340	4520	mnr.exe	cloudwindrar.exe
PID 4520 wrote to memory of 3340	4520	mnr.exe	cloudwindrar.exe
PID 4520 wrote to memory of 3436	4520	mnr.exe	cmd.exe
PID 4520 wrote to memory of 3436	4520	mnr.exe	cmd.exe
PID 3436 wrote to memory of 2908	3436	cmd.exe	timeout.exe
PID 3436 wrote to memory of 2908	3436	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe
"C:\Users\Admin\AppData\Local\Temp\ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\schtasks.exe
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
2⤵
- Creates scheduled task(s)
PID:1956

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\signed.exe
"C:\Users\Admin\AppData\Local\Temp\signed.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260

C:\ProgramData\MsDrvSrvc.exe
"C:\ProgramData\MsDrvSrvc.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Users\Admin\AppData\Local\Temp\mnr.exe
"C:\Users\Admin\AppData\Local\Temp\mnr.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /tn cloudwindrar-System-API /tr "C:\ProgramData\sfsxzipper\cloudwindrar.exe" /st 20:37 /du 23:59 /sc daily /ri 1 /f
4⤵
- Creates scheduled task(s)
PID:4756

C:\ProgramData\sfsxzipper\cloudwindrar.exe
"C:\ProgramData\sfsxzipper\cloudwindrar.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9441.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\system32\timeout.exe
timeout 6
5⤵
- Delays execution with timeout.exe
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
2⤵
- Executes dropped EXE
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MsDrvSrvc.exe
Filesize
354KB

MD5
9216f18d38d88e8693c23522e5599233

SHA1
efa9f4a1f3bac7d47f1f87a7979cdbc041a24541

SHA256
73631825f61c5f3c30c79e2edbc164e378e38c82ee0047c3de4be4f979227701

SHA512
569cc6d1cf58932427e24f70a48f718e1ae00e9673ba3b206c4dc5cf22a727fd33ba1228fa97dd9ceed89212350c0125c112539e5c44506cc642a878150daed3

Download Submit
C:\ProgramData\MsDrvSrvc.exe
Filesize
354KB

MD5
9216f18d38d88e8693c23522e5599233

SHA1
efa9f4a1f3bac7d47f1f87a7979cdbc041a24541

SHA256
73631825f61c5f3c30c79e2edbc164e378e38c82ee0047c3de4be4f979227701

SHA512
569cc6d1cf58932427e24f70a48f718e1ae00e9673ba3b206c4dc5cf22a727fd33ba1228fa97dd9ceed89212350c0125c112539e5c44506cc642a878150daed3

Download Submit
C:\ProgramData\sfsxzipper\cloudwindrar.exe
Filesize
176KB

MD5
1809e89d7914b9da7071b04d6aca57f3

SHA1
d005795761e1b53fa2495f290f64b699b3e8c189

SHA256
d5d3b50be1f0ba6f790adb1ca36f46133bd6878774bc6eac441be4db1b1c29c5

SHA512
0faa90d69699cf9bc54f269e40086c09ba745324e77975c715ea6be84e33b3bf4f2afe4b26a22c9c721fc1592974d0084484743daf09683ac65a80207c2b8554

Download Submit
C:\ProgramData\sfsxzipper\cloudwindrar.exe
Filesize
176KB

MD5
1809e89d7914b9da7071b04d6aca57f3

SHA1
d005795761e1b53fa2495f290f64b699b3e8c189

SHA256
d5d3b50be1f0ba6f790adb1ca36f46133bd6878774bc6eac441be4db1b1c29c5

SHA512
0faa90d69699cf9bc54f269e40086c09ba745324e77975c715ea6be84e33b3bf4f2afe4b26a22c9c721fc1592974d0084484743daf09683ac65a80207c2b8554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
124KB

MD5
5a8bc676cf03b77f3d81a2907119d4d5

SHA1
2114152d909c30d68af23c8526df2599c94d87cc

SHA256
ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae

SHA512
ee500b493c0062e69b2fa9d90ed0e5e64049aecddd37fdec19f36e6d5d8562dd6f5f2d5c32216061da640e09bf943a9f1c94777869dc7db260276becbed711db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
124KB

MD5
5a8bc676cf03b77f3d81a2907119d4d5

SHA1
2114152d909c30d68af23c8526df2599c94d87cc

SHA256
ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae

SHA512
ee500b493c0062e69b2fa9d90ed0e5e64049aecddd37fdec19f36e6d5d8562dd6f5f2d5c32216061da640e09bf943a9f1c94777869dc7db260276becbed711db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
124KB

MD5
5a8bc676cf03b77f3d81a2907119d4d5

SHA1
2114152d909c30d68af23c8526df2599c94d87cc

SHA256
ebd5e6832c0730fecf0e2aac1e13981601c5d089e75ad0833d95cc4b8dc04fae

SHA512
ee500b493c0062e69b2fa9d90ed0e5e64049aecddd37fdec19f36e6d5d8562dd6f5f2d5c32216061da640e09bf943a9f1c94777869dc7db260276becbed711db

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnr.exe
Filesize
176KB

MD5
1809e89d7914b9da7071b04d6aca57f3

SHA1
d005795761e1b53fa2495f290f64b699b3e8c189

SHA256
d5d3b50be1f0ba6f790adb1ca36f46133bd6878774bc6eac441be4db1b1c29c5

SHA512
0faa90d69699cf9bc54f269e40086c09ba745324e77975c715ea6be84e33b3bf4f2afe4b26a22c9c721fc1592974d0084484743daf09683ac65a80207c2b8554

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnr.exe
Filesize
176KB

MD5
1809e89d7914b9da7071b04d6aca57f3

SHA1
d005795761e1b53fa2495f290f64b699b3e8c189

SHA256
d5d3b50be1f0ba6f790adb1ca36f46133bd6878774bc6eac441be4db1b1c29c5

SHA512
0faa90d69699cf9bc54f269e40086c09ba745324e77975c715ea6be84e33b3bf4f2afe4b26a22c9c721fc1592974d0084484743daf09683ac65a80207c2b8554

Download Submit
C:\Users\Admin\AppData\Local\Temp\signed.exe
Filesize
354KB

MD5
9216f18d38d88e8693c23522e5599233

SHA1
efa9f4a1f3bac7d47f1f87a7979cdbc041a24541

SHA256
73631825f61c5f3c30c79e2edbc164e378e38c82ee0047c3de4be4f979227701

SHA512
569cc6d1cf58932427e24f70a48f718e1ae00e9673ba3b206c4dc5cf22a727fd33ba1228fa97dd9ceed89212350c0125c112539e5c44506cc642a878150daed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\signed.exe
Filesize
354KB

MD5
9216f18d38d88e8693c23522e5599233

SHA1
efa9f4a1f3bac7d47f1f87a7979cdbc041a24541

SHA256
73631825f61c5f3c30c79e2edbc164e378e38c82ee0047c3de4be4f979227701

SHA512
569cc6d1cf58932427e24f70a48f718e1ae00e9673ba3b206c4dc5cf22a727fd33ba1228fa97dd9ceed89212350c0125c112539e5c44506cc642a878150daed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9441.tmp.bat
Filesize
155B

MD5
58c5d6c11263d0e6075d44d02c066e34

SHA1
f2cfc86fe0c2c59f4528e46a95df7826cf02f1c3

SHA256
7855783aa02e1db6b66681f58d2d02b525470f177040948336f14471a36f9ad4

SHA512
a85fd095b6c3bbce2391e96d766698caaf3773c11c4935bd86bbd47ba13c5cd97724e3b4a68f4504d65a24e8b5c2073420ced93b99717a28f0b5f81c14645e01

Download Submit
memory/1956-131-0x0000000000000000-mapping.dmp

Download
memory/2260-145-0x0000000000000000-mapping.dmp

Download
memory/2708-140-0x000002806F5A0000-0x000002806F616000-memory.dmp

Filesize
472KB

Download
memory/2708-144-0x00007FFDCF720000-0x00007FFDD01E1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-139-0x000002806F2C0000-0x000002806F304000-memory.dmp

Filesize
272KB

Download
memory/2708-138-0x00007FFDCF720000-0x00007FFDD01E1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-137-0x0000028055820000-0x0000028055842000-memory.dmp

Filesize
136KB

Download
memory/2908-162-0x0000000000000000-mapping.dmp

Download
memory/3116-130-0x000000007FE20000-0x000000007FE27000-memory.dmp

Filesize
28KB

Download
memory/3116-135-0x000000007FE20000-0x000000007FE27000-memory.dmp

Filesize
28KB

Download
memory/3340-157-0x0000000000000000-mapping.dmp

Download
memory/3340-165-0x00007FFDCF720000-0x00007FFDD01E1000-memory.dmp

Filesize
10.8MB

Download
memory/3340-164-0x00007FFDCF720000-0x00007FFDD01E1000-memory.dmp

Filesize
10.8MB

Download
memory/3436-160-0x0000000000000000-mapping.dmp

Download
memory/4396-136-0x000000007FAB0000-0x000000007FAB7000-memory.dmp

Filesize
28KB

Download
memory/4396-132-0x0000000000000000-mapping.dmp

Download
memory/4436-148-0x0000000000000000-mapping.dmp

Download
memory/4520-163-0x00007FFDCF720000-0x00007FFDD01E1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-154-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/4520-155-0x00007FFDCF720000-0x00007FFDD01E1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-151-0x0000000000000000-mapping.dmp

Download
memory/4756-156-0x0000000000000000-mapping.dmp

Download
memory/4816-141-0x0000000000000000-mapping.dmp

Download
memory/4816-143-0x000000007EE80000-0x000000007EE87000-memory.dmp

Filesize
28KB

Download