Behavioral Report

Analysis

max time kernel
178s
max time network
224s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 23:43

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

625ed8296450d13587142822e16d7d61.exe
Size

1MB
MD5

625ed8296450d13587142822e16d7d61
SHA1

ead1ac1c30fc324d24e3cc48c8ecc853a65b5f96
SHA256

ffcd742b9d74fe93829e1b9955611e7cf9cd1e315776948a604a47cbd6aa6e93
SHA512

56357e909af6010e4e36282e646fff87febe8b3942905c3d0a05b97b19be10aceaa4ba3465cd4280c80c5a037ed200291af2823dea680ec14774302162471187
SSDEEP

24576:L3m8i6zoGcFauvhT+elS5EH4LR40AFfThq7metAHEk:

Score

10^/10

colibri dcrat build1 infostealer loader persistence rat

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

TTPs:

Winlogon Helper DLL Modify Registry

Processes:

625ed8296450d13587142822e16d7d61.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\lsass.exe\""	625ed8296450d13587142822e16d7d61.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1540	schtasks.exe

Executes dropped EXE 3 IoCs

Processes:

lsass.exetmp385.tmp.exetmp385.tmp.exe

pid process

1204 lsass.exe
2376 tmp385.tmp.exe
3776 tmp385.tmp.exe

pid	process
1204	lsass.exe
2376	tmp385.tmp.exe
3776	tmp385.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

625ed8296450d13587142822e16d7d61.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	625ed8296450d13587142822e16d7d61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

625ed8296450d13587142822e16d7d61.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	625ed8296450d13587142822e16d7d61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	625ed8296450d13587142822e16d7d61.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp385.tmp.exe

description pid process target process

PID 2376 set thread context of 3776 2376 tmp385.tmp.exe tmp385.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4940 schtasks.exe
4888 schtasks.exe
4960 schtasks.exe

description	pid	process	target process
PID 2376 set thread context of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe

pid	process
4940	schtasks.exe
4888	schtasks.exe
4960	schtasks.exe

Modifies registry class 1 IoCs

Processes:

625ed8296450d13587142822e16d7d61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	625ed8296450d13587142822e16d7d61.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

625ed8296450d13587142822e16d7d61.exelsass.exe

pid	process
908	625ed8296450d13587142822e16d7d61.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe
1204	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

625ed8296450d13587142822e16d7d61.exelsass.exe

description pid process

Token: SeDebugPrivilege 908 625ed8296450d13587142822e16d7d61.exe
Token: SeDebugPrivilege 1204 lsass.exe

description	pid	process
Token: SeDebugPrivilege	908	625ed8296450d13587142822e16d7d61.exe
Token: SeDebugPrivilege	1204	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

625ed8296450d13587142822e16d7d61.execmd.exelsass.exetmp385.tmp.exe

description	pid	process	target process
PID 908 wrote to memory of 4892	908	625ed8296450d13587142822e16d7d61.exe	cmd.exe
PID 908 wrote to memory of 4892	908	625ed8296450d13587142822e16d7d61.exe	cmd.exe
PID 4892 wrote to memory of 4040	4892	cmd.exe	w32tm.exe
PID 4892 wrote to memory of 4040	4892	cmd.exe	w32tm.exe
PID 4892 wrote to memory of 1204	4892	cmd.exe	lsass.exe
PID 4892 wrote to memory of 1204	4892	cmd.exe	lsass.exe
PID 1204 wrote to memory of 2376	1204	lsass.exe	tmp385.tmp.exe
PID 1204 wrote to memory of 2376	1204	lsass.exe	tmp385.tmp.exe
PID 1204 wrote to memory of 2376	1204	lsass.exe	tmp385.tmp.exe
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe
PID 2376 wrote to memory of 3776	2376	tmp385.tmp.exe	tmp385.tmp.exe

C:\Users\Admin\AppData\Local\Temp\625ed8296450d13587142822e16d7d61.exe

"C:\Users\Admin\AppData\Local\Temp\625ed8296450d13587142822e16d7d61.exe"

Modifies WinLogon for persistence
Checks computer location settings
Adds Run key to start application
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:908

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UL3T4xvBTm.bat"

Suspicious use of WriteProcessMemory

PID:4892

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

PID:4040

C:\Users\Admin\AppData\Local\lsass.exe

"C:/Users/Admin/AppData/Local/\lsass.exe"

Executes dropped EXE
Checks computer location settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1204

C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:2376

C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe"

Executes dropped EXE

PID:3776

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:4888

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:4960

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f

Process spawned unexpected child process
Creates scheduled task(s)

PID:4940

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\UL3T4xvBTm.bat
Filesize
204B

MD5
63f5cda2aeea17c69d9ea3fd33c5b0c5

SHA1
ca933d1c2ec21404bda4c1f4946ead753ee4e3bb

SHA256
a766bc4323c2755a47d69d615d495c8a62d7758d12fc60d3ea8a0dd0bdbbc382

SHA512
07d865d55f134552b0388a9d8b3a4f096434cadfca161b098cb4df6784c2abdd538c4d2373292fac8cf9e4daf9ed0299759efbb86e1b20f630d539eb921441b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp385.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe
Filesize
1MB

MD5
625ed8296450d13587142822e16d7d61

SHA1
ead1ac1c30fc324d24e3cc48c8ecc853a65b5f96

SHA256
ffcd742b9d74fe93829e1b9955611e7cf9cd1e315776948a604a47cbd6aa6e93

SHA512
56357e909af6010e4e36282e646fff87febe8b3942905c3d0a05b97b19be10aceaa4ba3465cd4280c80c5a037ed200291af2823dea680ec14774302162471187

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe
Filesize
1MB

MD5
625ed8296450d13587142822e16d7d61

SHA1
ead1ac1c30fc324d24e3cc48c8ecc853a65b5f96

SHA256
ffcd742b9d74fe93829e1b9955611e7cf9cd1e315776948a604a47cbd6aa6e93

SHA512
56357e909af6010e4e36282e646fff87febe8b3942905c3d0a05b97b19be10aceaa4ba3465cd4280c80c5a037ed200291af2823dea680ec14774302162471187

Download Submit
memory/908-132-0x0000000000BA0000-0x0000000000D2E000-memory.dmp

Filesize
1MB

Download
memory/908-133-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10MB

Download
memory/908-137-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10MB

Download
memory/1204-138-0x0000000000000000-mapping.dmp

Download
memory/1204-141-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10MB

Download
memory/1204-142-0x00007FFA96410000-0x00007FFA96ED1000-memory.dmp

Filesize
10MB

Download
memory/2376-143-0x0000000000000000-mapping.dmp

Download
memory/2376-146-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/3776-147-0x0000000000000000-mapping.dmp

Download
memory/3776-148-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3776-150-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4040-136-0x0000000000000000-mapping.dmp

Download
memory/4892-134-0x0000000000000000-mapping.dmp

Download