Analysis
-
max time kernel
274s
-
max time network
277s
-
platform
windows10-1703_x64
-
resource
win10-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
-
submitted
08-09-2022 22:16
Static task
static1
Behavioral task
behavioral1
Sample
dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
Resource
win7-20220812-en
General
-
Target
dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
-
Size
8.2MB
-
MD5
c50570558f1fa95225c72ac974eb631a
-
SHA1
caf2081be16dd9738ae06e85b8464bbeaac1fef0
-
SHA256
dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8
-
SHA512
e159c2f1c99a87c3aa47152edcd19145fec8b6fd06b3f65410487d0d7ba0b00b8e0fc1f2d4fdb26c9d425e1c2a216f7eb206f2d2086d100aa635b6102b894545
-
SSDEEP
196608:MS1SCw5ygwmaNPYL0q9aIeJhYDD8QWKaQ/s6HVf32gGgvHT4xt40aOgv:11SCw5umaetaIwYDIXQzf32sHTqt4j
Malware Config
Extracted
colibri
1.2.0
bot
http://oraycdn.com/gate.php
Signatures
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
4232  DllHelper.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes (pid, process):
2424  dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe  (2 entries)
4232  DllHelper.exe  (2 entries)
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
PID 4232 set thread context of 3968  4232  DllHelper.exe  InstallUtil.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes (pid, process):
2424  dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe  (12 entries)
4232  DllHelper.exe  (12 entries)
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description, pid, process, target process):
PID 2424 wrote to memory of 4940  2424  dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe  schtasks.exe  (3 entries)
PID 2424 wrote to memory of 4232  2424  dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe  DllHelper.exe  (3 entries)
PID 2424 wrote to memory of 4952  2424  dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe  cmd.exe  (3 entries)
PID 4952 wrote to memory of 3332  4952  cmd.exe  chcp.com  (3 entries)
PID 4952 wrote to memory of 3708  4952  cmd.exe  PING.EXE  (3 entries)
PID 4232 wrote to memory of 3968  4232  DllHelper.exe  InstallUtil.exe  (5 entries)
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  [level 2] C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
  - Creates scheduled task(s)
-
  [level 2] C:\Users\Admin\AppVerif\DllHelper.exe
  Command line: "C:\Users\Admin\AppVerif\DllHelper.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
    [level 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
-
  [level 2] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\dd6b0783dfd0ce4ff0d8a3f9fec6be4238ea99eef46d6000dbe04cb3c1d83ff8.exe"
  - Suspicious use of WriteProcessMemory
-
    [level 3] C:\Windows\SysWOW64\chcp.com
    Command line: chcp 65001
-
    [level 3] C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
779.2MB
MD5
b4fcfe7542b486b903c4996fab7f90dc
SHA1
be8ab9515ef8b4033926e9651f7b680459e07ba2
SHA256
63215b9ac465467bd86dada71780447146a9fb255b4018e42d2028f3ad3b5124
SHA512
9897ab0f18cbd41d44a10ea4a1dcfda4e8619ce191a9f7780699f9c15c0f8755737f8344b6ebeb3a55d58b2853e147053f0bee4161a097df6cb855c49b8f102c