Overview

overview

10

Static

static

GrandTheft...at.exe

windows7-x64

10

GrandTheft...at.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-08-2022 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GrandTheftAutoVcheat.exe

  • Size

    421KB

  • MD5

    58fc3bb157e30334818c6f8a184ed14a

  • SHA1

    e89d26ebdd8585840094db45d60968455bcfd822

  • SHA256

    0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd

  • SHA512

    91a4cfe6cbab2db859eec1c0e24da16c77d88d17d9355ada82ab4728cd7b522387c864a6c379313f75f1334d4e78322cc7808d25703f3c72bcc74e56438ad895

Score
10/10
colibribuild1discoveryloaderspywarestealer

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Executes dropped EXE 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GrandTheftAutoVcheat.exe
    "C:\Users\Admin\AppData\Local\Temp\GrandTheftAutoVcheat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1604
          • C:\Windows\SysWOW64\schtasks.exe
            /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
            5⤵
            • Creates scheduled task(s)
            PID:3616
          • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
            "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2804
            • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
              "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4056
              • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
                "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
                7⤵
                • Executes dropped EXE
                PID:3540
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
      "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
        "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
        3⤵
        • Executes dropped EXE
        PID:4920
        • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
          "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
          4⤵
          • Executes dropped EXE
          PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp.exe
    Filesize

    52KB

    MD5

    d8e1495b46cded57eb1423b8bb789834

    SHA1

    db64bc20550e51c602dbb92d07c8f02842efebcc

    SHA256

    aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

    SHA512

    8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

    Download Submit
  • memory/1604-162-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1604-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1604-143-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1604-145-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1604-150-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1776-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2220-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2312-177-0x0000000001563000-0x0000000001569000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2312-175-0x0000000000000000-mapping.dmp
    Download
  • memory/2804-171-0x0000000000710000-0x0000000000810000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2804-167-0x0000000000710000-0x0000000000810000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2804-158-0x0000000000000000-mapping.dmp
    Download
  • memory/3540-170-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3540-166-0x0000000000000000-mapping.dmp
    Download
  • memory/3616-157-0x0000000000000000-mapping.dmp
    Download
  • memory/4056-163-0x0000000000000000-mapping.dmp
    Download
  • memory/4056-165-0x0000000000A33000-0x0000000000A39000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4588-172-0x000001E9407A0000-0x000001E9407C2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4588-181-0x00007FFCE4E40000-0x00007FFCE5901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4588-174-0x000001E9421E0000-0x000001E942224000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4588-173-0x00007FFCE4E40000-0x00007FFCE5901000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4908-151-0x000000001DF80000-0x000000001DFF6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4908-152-0x000000001B3E0000-0x000000001B3FE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4908-135-0x0000000000670000-0x00000000006DE000-memory.dmp
    Filesize

    440KB

    Download
  • memory/4908-153-0x000000001C850000-0x000000001C8A0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4908-154-0x000000001E450000-0x000000001E612000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4908-155-0x000000001F360000-0x000000001F888000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4908-149-0x00007FFCE4D90000-0x00007FFCE5851000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4908-148-0x000000001D960000-0x000000001D99C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4908-147-0x0000000002820000-0x0000000002832000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4908-146-0x000000001DA70000-0x000000001DB7A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4908-136-0x00007FFCE4D90000-0x00007FFCE5851000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4908-156-0x00007FFCE4D90000-0x00007FFCE5851000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4920-178-0x0000000000000000-mapping.dmp
    Download