Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
08-02-2023 21:50
General
-
Target
invoice.xll
-
Size
597KB
-
MD5
d9efc163b90630251fb7ff7c822e8f0f
-
SHA1
9e09cce65d2371bc95e213a9007337933b11c3f9
-
SHA256
6e68bcd52321a8d0443d5c5d6131410c07ef44a8cb3388550f78a3dea303e840
-
SHA512
33bef8014ce017591e79e7642ab3d0c48306cb1b98b254c9a0aa4aa07f1ddce696ddfb4e89e0d230d7f2ae535db58a133797280bfd26d41c69588e396a3a5031
-
SSDEEP
12288:xn/zDvGHAykHSzLW/4+8bzbBSreMdbYkBkgFK/UqW:lzbGHAzHAjX1IqcL
Malware Config
Extracted
Extracted
colibri
1.4.0
exploits
http://194.4.49.243/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice.xll"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dcr\newllootexpreol.exe"C:\Users\Admin\AppData\Local\Temp\dcr\newllootexpreol.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%/Excel.xlsx2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Excel.xlsx"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
325KB
MD50e3e0fa602a0e208dce34c50704e2b56
SHA1e1ed5eab2d06872bb50a607b7966c01b81ecd2f5
SHA25628d53bd99ec106eef21de121509cdee6e575cde44613aa59aa3a70e6449678f5
SHA5121ca09a46e162064b05ce301df35ffad39afa13ae22c404248593bd6ce700e94019b4ac66fb129af1d6ba89d0c9c5369e32d498e80bdfccde860a9b94ec96112f
-
Filesize
4KB
MD5f138a66469c10d5761c6cbb36f2163c3
SHA1eea136206474280549586923b7a4a3c6d5db1e25
SHA256c712d6c7a60f170a0c6c5ec768d962c58b1f59a2d417e98c7c528a037c427ab6
SHA5129d25f943b6137dd2981ee75d57baf3a9e0ee27eea2df19591d580f02ec8520d837b8e419a8b1eb7197614a3c6d8793c56ebc848c38295ada23c31273daa302d9
-
Filesize
48KB
MD58fcad4842240c0f4b6b25eb228ef97bb
SHA1761ca74981d21dc3a8f389824f01fee61cf3dbb9
SHA2563d2e697f6df883a357fe776fa57993be657f3ec9ae74a9f1c0782eb6a43da90f
SHA512952b144f6a6e69c4b1fa28e9c6e68a3cc0f52fa0cfd74eedf7e75441dae3a4b48cbfcef87ca2f83bf8c954152620001fb4cd74a62e2095f0a6f00e0617ffcbdb
-
Filesize
28KB
MD5227309c38b94761602a95dd17430ee08
SHA1d079c80ce95b1c67b39b87f781ef920dfd30096e
SHA256defb3d374a7070805dadea394b81be97dce99d3417e9ceeb777d34a33a5ec86e
SHA512236195c3c434124deedc059f0e3797df24d1e6cdfc5549e58e79522045a94616c800f928f10f902cee1c38496ec9c852adcb43335f49c562a4668e53c8939066
-
Filesize
350.5MB
MD5b6263868c06f273e9163ea1012346743
SHA17b51675283bc2d15cadb4134c7001daacca6f622
SHA256ff9a3d98641589762961d53464b3a735fc103d61e8f99af6fb049ab63f897f6a
SHA5121a1cdfb8f3f00a81db4fded506533d4e20f56b637edbf57b581e31ad28f42d7739b1ba9f392091b2979c25c2d98d8eed7d755b4de5ed1f633c8520dbf65c61bd
-
Filesize
350.5MB
MD5b6263868c06f273e9163ea1012346743
SHA17b51675283bc2d15cadb4134c7001daacca6f622
SHA256ff9a3d98641589762961d53464b3a735fc103d61e8f99af6fb049ab63f897f6a
SHA5121a1cdfb8f3f00a81db4fded506533d4e20f56b637edbf57b581e31ad28f42d7739b1ba9f392091b2979c25c2d98d8eed7d755b4de5ed1f633c8520dbf65c61bd
-
Filesize
597KB
MD5d9efc163b90630251fb7ff7c822e8f0f
SHA19e09cce65d2371bc95e213a9007337933b11c3f9
SHA2566e68bcd52321a8d0443d5c5d6131410c07ef44a8cb3388550f78a3dea303e840
SHA51233bef8014ce017591e79e7642ab3d0c48306cb1b98b254c9a0aa4aa07f1ddce696ddfb4e89e0d230d7f2ae535db58a133797280bfd26d41c69588e396a3a5031
-
Filesize
597KB
MD5d9efc163b90630251fb7ff7c822e8f0f
SHA19e09cce65d2371bc95e213a9007337933b11c3f9
SHA2566e68bcd52321a8d0443d5c5d6131410c07ef44a8cb3388550f78a3dea303e840
SHA51233bef8014ce017591e79e7642ab3d0c48306cb1b98b254c9a0aa4aa07f1ddce696ddfb4e89e0d230d7f2ae535db58a133797280bfd26d41c69588e396a3a5031
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
700KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
496KB