917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 18:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Size

383KB
MD5

15a53828f4f16193bd605eb648508ae0
SHA1

23f7aa1a7770100d24089ac10c24ce16d370065a
SHA256

917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d
SHA512

2c02d70e2ee2686d807e2296c38e1a285ec41c0891387ce4446ebcce9602d92410006fad9311d77760516d92e7f8ec4c5768b4ee5f8b0ab11d368c807ca2a60c
SSDEEP

3072:Tyx2XSyL7OZsvxQT7+WdzfJZWq6VbSe/tZw69Mt56Id8Kmc:TycgZsvxQT7+fq6VI6Cp

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\PROGRA~1\\MICROS~2\\root\\Office16\\ADDINS\\POWERM~1\\dfshim.exe"	coloraco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\PROGRA~1\\MICROS~2\\root\\vfs\\PROGRA~1\\MICROS~1\\THEMES16\\AXIS\\dxdiagn.exe"	coloraco.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	coloraco.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\(Default) = "C:\\PROGRA~1\\MICROS~2\\root\\Office16\\MSIPC\\sl\\dmloader.com"	coloraco.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	coloraco.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\(Default) = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\ink\\HWRCustomization\\contaico.bat"	coloraco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	coloraco.exe

Executes dropped EXE 2 IoCs

pid	Process
1756	coloraco.exe
5096	comppkco.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MsNet\ImagePath = "C:\\PROGRA~1\\MICROS~2\\root\\Office16\\MSIPC\\es\\diskperf.exe"	coloraco.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admin = "win.com C:\\PROGRA~1\\MICROS~2\\root\\Office16\\FP6F01~1\\desktode.cpl"	coloraco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iymugyhl = "C:\\PROGRA~1\\MICROS~2\\root\\Office16\\sdxs\\FA0000~1\\cardview\\lib\\NATIVE~1\\dot3ui.exe"	coloraco.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\PROGRA~1\\MICROS~2\\root\\vfs\\PROGRA~1\\MICROS~1\\EURO\\dsccords.exe"	coloraco.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\autorun.inf	coloraco.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\autorun.inf	coloraco.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\cs-CZ\comppkco.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\HWRCustomization\contaico.bat	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\VSTO\10.0\1033\cscobj.pif	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\ADDINS\POWERM~1\dfshim.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\MSIPC\sl\dmloader.com	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\cs-CZ\comppkco.exe	comppkco.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\th-TH\credssp.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\DOCUME~1\THEMEC~1\daxexec.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\MSIPC\es\diskperf.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\Office16\sdxs\FA0000~1\cardview\lib\NATIVE~1\dot3ui.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\vfs\PROGRA~1\MICROS~1\THEMES16\AXIS\dxdiagn.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\coloraco.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\Google\Chrome\APPLIC~1\890438~1.114\c_is2022.com	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\vfs\PROGRA~1\MICROS~1\EURO\dsccords.exe	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\coloraco.exe	coloraco.exe
File opened for modification	C:\PROGRA~1\MICROS~2\root\vfs\PROGRA~1\MICROS~1\THEMES16\RIPPLE\efsui.cmd	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{649EEC1E-B012-4E8C-BB3B-4997F8000000}\InprocServer32	coloraco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	coloraco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	coloraco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{649EEC1E-B012-4E8C-BB3B-4997F8000000}	coloraco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{649EEC1E-B012-4E8C-BB3B-4997F8000000}\InprocServer32\ThreadingModel = "44906"	coloraco.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\win.com C:\PROGRA~1\MICROS~2\root\Office16\FP6F01~1\desktode.cpl	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\win.com C:\PROGRA~1\MICROS~2\root\Office16\FP6F01~1\desktode.cpl	coloraco.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe
5096	comppkco.exe
5096	comppkco.exe
1756	coloraco.exe
1756	coloraco.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
Token: SeSystemtimePrivilege	1756	coloraco.exe
Token: SeSystemtimePrivilege	1756	coloraco.exe
Token: SeSystemtimePrivilege	1756	coloraco.exe
Token: SeSystemtimePrivilege	1756	coloraco.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
1756	coloraco.exe
5096	comppkco.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1756	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe	80
PID 1808 wrote to memory of 1756	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe	80
PID 1808 wrote to memory of 1756	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe	80
PID 1808 wrote to memory of 5096	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe	81
PID 1808 wrote to memory of 5096	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe	81
PID 1808 wrote to memory of 5096	1808	917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe	81

C:\Users\Admin\AppData\Local\Temp\917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe
"C:\Users\Admin\AppData\Local\Temp\917ee0b5334ea1866a33571a5ca7c01a77e3f95a0ac6b8a24a3afd655f65a45d.exe"
1⤵
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808
- C:\PROGRA~1\COMMON~1\System\coloraco.exe
  C:\PROGRA~1\COMMON~1\System\coloraco.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Sets service image path in registry
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1756
- C:\PROGRA~1\COMMON~1\MICROS~1\ink\cs-CZ\comppkco.exe
  C:\PROGRA~1\COMMON~1\MICROS~1\ink\cs-CZ\comppkco.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\MICROS~1\ink\cs-CZ\comppkco.exe

Filesize
377KB

MD5
d1b89ee4534279b038722e6a30f52b42

SHA1
4bbde698ce2b384539b96924dde81a7cd0c73017

SHA256
a28244024cb9e472070f1d642834a9b9ac24d9b083bb166dcbd43e30661c7940

SHA512
af728dc67395301e5317a2496937d74c01ae91cefe808779689d456bf0859d852f9e8ba28c745294b36cf7585a580cf9f69f97708a49ed2217c9c14eab285f26

Download Submit
C:\PROGRA~1\COMMON~1\System\coloraco.exe

Filesize
377KB

MD5
8ae1680f3c11a0ad39acf5f95afaeafe

SHA1
89aa3e30c7fcf5e3c695c8e19fa1dde33d05dadb

SHA256
ede5914e39bede77ded9ffe893ac56eaed8851aaea5f5a0f10f79597db45804a

SHA512
05ebb03e44ef35ddeceb36ffd93ad83d2d2a17f3ad78ee558de25a3b8d995534a0e3d3fcf6d7513f3abc7d0716ac3018b8a232f44eddd7023798174a06042e06

Download Submit
C:\Program Files\Common Files\System\coloraco.exe

Filesize
377KB

MD5
8ae1680f3c11a0ad39acf5f95afaeafe

SHA1
89aa3e30c7fcf5e3c695c8e19fa1dde33d05dadb

SHA256
ede5914e39bede77ded9ffe893ac56eaed8851aaea5f5a0f10f79597db45804a

SHA512
05ebb03e44ef35ddeceb36ffd93ad83d2d2a17f3ad78ee558de25a3b8d995534a0e3d3fcf6d7513f3abc7d0716ac3018b8a232f44eddd7023798174a06042e06

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\comppkco.exe

Filesize
377KB

MD5
d1b89ee4534279b038722e6a30f52b42

SHA1
4bbde698ce2b384539b96924dde81a7cd0c73017

SHA256
a28244024cb9e472070f1d642834a9b9ac24d9b083bb166dcbd43e30661c7940

SHA512
af728dc67395301e5317a2496937d74c01ae91cefe808779689d456bf0859d852f9e8ba28c745294b36cf7585a580cf9f69f97708a49ed2217c9c14eab285f26

Download Submit
memory/1756-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1756-148-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1808-134-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1808-146-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5096-147-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5096-149-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download