colibri | 8006c7dca010f19218147a16ccec14db546027bebba8ce7870e515824f532edf

General

Target

run.exe
Size

363KB
MD5

6a3269d9c04f370d1d2e7384c716d26f
SHA1

860b4afab55af28c0eb99f49c8c7e95b90313f80
SHA256

8006c7dca010f19218147a16ccec14db546027bebba8ce7870e515824f532edf
SHA512

91b20f066964178633691a741e4b0ceae2f7af17d15965b4fbdfeb8ac1defe4964f5172d18f51c3efe9d7b3bab64fccfd51091ddc2616b5a51b500e47daa330c

Score

10^/10

colibri build1 loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Executes dropped EXE 6 IoCs

Processes:

tmpA54D.tmp.exetmpA54D.tmp.exeGet-Variable.exeGet-Variable.exeGet-Variable.exeGet-Variable.exe

pid process

4412 tmpA54D.tmp.exe
4388 tmpA54D.tmp.exe
1992 Get-Variable.exe
4268 Get-Variable.exe
1340 Get-Variable.exe
4608 Get-Variable.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

run.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation run.exe

pid	process
4412	tmpA54D.tmp.exe
4388	tmpA54D.tmp.exe
1992	Get-Variable.exe
4268	Get-Variable.exe
1340	Get-Variable.exe
4608	Get-Variable.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	run.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmpA54D.tmp.exeGet-Variable.exeGet-Variable.exe

description	pid	process	target process
PID 4412 set thread context of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 1992 set thread context of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 1340 set thread context of 4608	1340	Get-Variable.exe	Get-Variable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4692 schtasks.exe

pid	process
4692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

run.exe

pid	process
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe
3992	run.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

run.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3992 run.exe
Token: SeDebugPrivilege 4560 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3992	run.exe
Token: SeDebugPrivilege	4560	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

run.exetmpA54D.tmp.exetmpA54D.tmp.exeGet-Variable.exepowershell.exeGet-Variable.exe

description	pid	process	target process
PID 3992 wrote to memory of 4412	3992	run.exe	tmpA54D.tmp.exe
PID 3992 wrote to memory of 4412	3992	run.exe	tmpA54D.tmp.exe
PID 3992 wrote to memory of 4412	3992	run.exe	tmpA54D.tmp.exe
PID 4412 wrote to memory of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 4412 wrote to memory of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 4412 wrote to memory of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 4412 wrote to memory of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 4412 wrote to memory of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 4412 wrote to memory of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 4412 wrote to memory of 4388	4412	tmpA54D.tmp.exe	tmpA54D.tmp.exe
PID 4388 wrote to memory of 4692	4388	tmpA54D.tmp.exe	schtasks.exe
PID 4388 wrote to memory of 4692	4388	tmpA54D.tmp.exe	schtasks.exe
PID 4388 wrote to memory of 4692	4388	tmpA54D.tmp.exe	schtasks.exe
PID 4388 wrote to memory of 1992	4388	tmpA54D.tmp.exe	Get-Variable.exe
PID 4388 wrote to memory of 1992	4388	tmpA54D.tmp.exe	Get-Variable.exe
PID 4388 wrote to memory of 1992	4388	tmpA54D.tmp.exe	Get-Variable.exe
PID 1992 wrote to memory of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 1992 wrote to memory of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 1992 wrote to memory of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 1992 wrote to memory of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 1992 wrote to memory of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 1992 wrote to memory of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 1992 wrote to memory of 4268	1992	Get-Variable.exe	Get-Variable.exe
PID 4560 wrote to memory of 1340	4560	powershell.exe	Get-Variable.exe
PID 4560 wrote to memory of 1340	4560	powershell.exe	Get-Variable.exe
PID 4560 wrote to memory of 1340	4560	powershell.exe	Get-Variable.exe
PID 1340 wrote to memory of 4608	1340	Get-Variable.exe	Get-Variable.exe
PID 1340 wrote to memory of 4608	1340	Get-Variable.exe	Get-Variable.exe
PID 1340 wrote to memory of 4608	1340	Get-Variable.exe	Get-Variable.exe
PID 1340 wrote to memory of 4608	1340	Get-Variable.exe	Get-Variable.exe
PID 1340 wrote to memory of 4608	1340	Get-Variable.exe	Get-Variable.exe
PID 1340 wrote to memory of 4608	1340	Get-Variable.exe	Get-Variable.exe
PID 1340 wrote to memory of 4608	1340	Get-Variable.exe	Get-Variable.exe

C:\Users\Admin\AppData\Local\Temp\run.exe
"C:\Users\Admin\AppData\Local\Temp\run.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\tmpA54D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA54D.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\tmpA54D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA54D.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\schtasks.exe
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
4⤵
- Creates scheduled task(s)
PID:4692

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
5⤵
- Executes dropped EXE
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
3⤵
- Executes dropped EXE
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA54D.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA54D.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA54D.tmp.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
memory/1340-157-0x0000000000000000-mapping.dmp

Download
memory/1340-159-0x0000000000993000-0x0000000000999000-memory.dmp

Filesize
24KB

Download
memory/1992-145-0x0000000000000000-mapping.dmp

Download
memory/3992-136-0x000000001D260000-0x000000001D36A000-memory.dmp

Filesize
1.0MB

Download
memory/3992-142-0x00007FFBFABE0000-0x00007FFBFB6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-141-0x000000001B530000-0x000000001B56C000-memory.dmp

Filesize
240KB

Download
memory/3992-130-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/3992-131-0x00007FFBFABE0000-0x00007FFBFB6A1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-139-0x000000001B4D0000-0x000000001B4E2000-memory.dmp

Filesize
72KB

Download
memory/4268-149-0x0000000000000000-mapping.dmp

Download
memory/4268-152-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4388-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4388-140-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4388-135-0x0000000000000000-mapping.dmp

Download
memory/4388-148-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4388-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4412-132-0x0000000000000000-mapping.dmp

Download
memory/4560-156-0x000001ACB0BC0000-0x000001ACB0C36000-memory.dmp

Filesize
472KB

Download
memory/4560-155-0x000001ACB0760000-0x000001ACB07A4000-memory.dmp

Filesize
272KB

Download
memory/4560-154-0x00007FFBFABE0000-0x00007FFBFB6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4560-153-0x000001ACB05A0000-0x000001ACB05C2000-memory.dmp

Filesize
136KB

Download
memory/4560-163-0x00007FFBFABE0000-0x00007FFBFB6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-160-0x0000000000000000-mapping.dmp

Download
memory/4692-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads