Analysis
-
max time kernel
79s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
-
submitted
02-09-2022 08:05
Static task
static1
General
-
Target
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
-
Size
487KB
-
MD5
8dff0d3f99d12d37b665c9d8a8316a19
-
SHA1
f0bdaf7f749656907bb0861c715c1a818d78fd41
-
SHA256
34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1
-
SHA512
6ce36c92b7d6d52dd77383a9847f1bbf17af11a8a92da90efc8b6f6c1ab2b0985eea5983a553556d5a63e4b86d9b2711b870729557782bd0456e6fe10eb16464
-
SSDEEP
12288:nl2OK20PQTcTMa08IndWaWU/6aoZvf3hSFmu4zApqDB:lI2ouWf8dJx1oOFmpAgDB
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
4728 tmp9455.tmp.exe
4488 tmp9455.tmp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 4728 set thread context of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
1656 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
1656 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1656 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description pid process target process
PID 1656 wrote to memory of 4728 1656 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe tmp9455.tmp.exe
PID 1656 wrote to memory of 4728 1656 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe tmp9455.tmp.exe
PID 1656 wrote to memory of 4728 1656 34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe tmp9455.tmp.exe
PID 4728 wrote to memory of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
PID 4728 wrote to memory of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
PID 4728 wrote to memory of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
PID 4728 wrote to memory of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
PID 4728 wrote to memory of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
PID 4728 wrote to memory of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
PID 4728 wrote to memory of 4488 4728 tmp9455.tmp.exe tmp9455.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe
"C:\Users\Admin\AppData\Local\Temp\34cdcd0ccda9ba7a51d1f6aaaa8a2a6d6c64f2fb58627a5f0b94d922be6adce1.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9455.tmp.exe
Filesize
75KB
MD5
e0a68b98992c1699876f818a22b5b907
SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
memory/1656-135-0x000000001AC40000-0x000000001AC7C000-memory.dmp
Filesize
240KB
-
memory/1656-136-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp
Filesize
10.8MB
-
memory/1656-149-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp
Filesize
10.8MB
-
memory/1656-145-0x000000001E640000-0x000000001E802000-memory.dmp
Filesize
1.8MB
-
memory/1656-134-0x00000000021E0000-0x00000000021F2000-memory.dmp
Filesize
72KB
-
memory/1656-148-0x000000001E5F0000-0x000000001E60E000-memory.dmp
Filesize
120KB
-
memory/1656-147-0x000000001E890000-0x000000001E906000-memory.dmp
Filesize
472KB
-
memory/1656-146-0x000000001ED40000-0x000000001F268000-memory.dmp
Filesize
5.2MB
-
memory/1656-133-0x000000001D460000-0x000000001D56A000-memory.dmp
Filesize
1.0MB
-
memory/1656-132-0x0000000000100000-0x000000000017E000-memory.dmp
Filesize
504KB
-
memory/4488-144-0x0000000000400000-0x0000000000407000-memory.dmp
Filesize
28KB
-
memory/4488-142-0x0000000000400000-0x0000000000407000-memory.dmp
Filesize
28KB
-
memory/4488-141-0x0000000000000000-mapping.dmp
-
memory/4728-140-0x000000000163B000-0x0000000001641000-memory.dmp
Filesize
24KB
-
memory/4728-137-0x0000000000000000-mapping.dmp