8a0cd0d9e7eb2ff12107ac3e78acc36e7065a82650b32557ceabb67c86c760ec

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

colorbot.rar
Size

54.3MB
MD5

321f4ef1c593c76502ad73da3628776c
SHA1

f4b502edaa1a1167237eb878f536dbcd392ae11b
SHA256

8a0cd0d9e7eb2ff12107ac3e78acc36e7065a82650b32557ceabb67c86c760ec
SHA512

22d370b82749529650e31f8bf9ab81a1bcc776022b574be17b58dd408f3b0404c1f8a54a6fa1fe5c59d13167abc20356f7e89d4deb47755a04ea62a2d5e441d1
SSDEEP

1572864:7OHCTKkfv2a1dEsMDN7kJX3Rj702cePqXBt/jN:aOKkfeaT07kJxFW3Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2696	aimsource.exe
2692	aimsource.exe
2736	aimsource.exe
2148	aimsource.exe

Loads dropped DLL 8 IoCs

pid	Process
2632	7zFM.exe
1896	Process not Found
2696	aimsource.exe
2692	aimsource.exe
2632	7zFM.exe
1212	Process not Found
2736	aimsource.exe
2148	aimsource.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2032	NOTEPAD.EXE
1660	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2064	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2632	7zFM.exe
Token: 35	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2064	POWERPNT.EXE
1608	AcroRd32.exe
1608	AcroRd32.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2632	2264	cmd.exe	29
PID 2264 wrote to memory of 2632	2264	cmd.exe	29
PID 2264 wrote to memory of 2632	2264	cmd.exe	29
PID 2632 wrote to memory of 2696	2632	7zFM.exe	30
PID 2632 wrote to memory of 2696	2632	7zFM.exe	30
PID 2632 wrote to memory of 2696	2632	7zFM.exe	30
PID 2696 wrote to memory of 2692	2696	aimsource.exe	32
PID 2696 wrote to memory of 2692	2696	aimsource.exe	32
PID 2696 wrote to memory of 2692	2696	aimsource.exe	32
PID 2632 wrote to memory of 2032	2632	7zFM.exe	33
PID 2632 wrote to memory of 2032	2632	7zFM.exe	33
PID 2632 wrote to memory of 2032	2632	7zFM.exe	33
PID 2632 wrote to memory of 1660	2632	7zFM.exe	34
PID 2632 wrote to memory of 1660	2632	7zFM.exe	34
PID 2632 wrote to memory of 1660	2632	7zFM.exe	34
PID 2632 wrote to memory of 2736	2632	7zFM.exe	35
PID 2632 wrote to memory of 2736	2632	7zFM.exe	35
PID 2632 wrote to memory of 2736	2632	7zFM.exe	35
PID 2736 wrote to memory of 2148	2736	aimsource.exe	37
PID 2736 wrote to memory of 2148	2736	aimsource.exe	37
PID 2736 wrote to memory of 2148	2736	aimsource.exe	37
PID 2064 wrote to memory of 2432	2064	POWERPNT.EXE	44
PID 2064 wrote to memory of 2432	2064	POWERPNT.EXE	44
PID 2064 wrote to memory of 2432	2064	POWERPNT.EXE	44
PID 2064 wrote to memory of 2432	2064	POWERPNT.EXE	44
PID 2852 wrote to memory of 1608	2852	rundll32.exe	47
PID 2852 wrote to memory of 1608	2852	rundll32.exe	47
PID 2852 wrote to memory of 1608	2852	rundll32.exe	47
PID 2852 wrote to memory of 1608	2852	rundll32.exe	47

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\colorbot.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\colorbot.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\7zO84AB8A06\aimsource.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO84AB8A06\aimsource.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\7zO84AB8A06\aimsource.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO84AB8A06\aimsource.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2692
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO84AE2D66\lastlaunch.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2032
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO84A4DB76\log.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1660
- - C:\Users\Admin\AppData\Local\Temp\7zO84AA8946\aimsource.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO84AA8946\aimsource.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\7zO84AA8946\aimsource.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO84AA8946\aimsource.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2148

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:848

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\WatchRename.ppt"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2432

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\LockSkip.asp
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\LockSkip.asp"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO84AE2D66\lastlaunch.txt

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26962\python39.dll

Filesize
4.3MB

MD5
5871ae2a45d675ed9dd077c400018c30

SHA1
ddc03af9d433c3dfad8a193c50695139c59b4b58

SHA256
5d0ff879174faec03eb173eb2088f2e7519f4663dd6bfe5b817ec602c389ae20

SHA512
d87a90dbf42c528bc3fa038eb83d4318d2e8577a590bf9c84641c573b5b2fea83aac91bb108968252e07497424ed85f519a864e955f94a7f8e87bfc38e0f4b7b

Download Submit
memory/2064-279-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2064-281-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download