549728d1432343fd21b37ebf35b28f43e09329328c8a2d108701bac38dbdec9a

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ColorfulFolders.exe
Size

1.5MB
MD5

9b6be2d69a2c3d7e18bf2055b5d2f8bc
SHA1

eb6aa4c2c4b5c8cfac9f4b42c5f274e3253d4fa3
SHA256

f66f3ccce9e2b6e1031c2971f948baa7049212f691e65752bc45fbe98b5236b5
SHA512

178a7cebb1456451e3b9e137e17f799f35acff737416de86f0f29cb54c3a9c3bca4c615ce91832ad32e11f582f7df09df721d45ef10113b52fdcf06dc8383375
SSDEEP

24576:60ebPAKZ+AYctgiWnNkiF3hKWOHgi8mLxK30PU8Kz6GnOk5M6Y4mUOE1w/ObI2hJ:6zbYKcRFiWNk8QAT4xK30PBKFnOk5M6Z

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-0-0x0000000000400000-0x0000000000540000-memory.dmp	upx
behavioral1/memory/1900-23-0x0000000000400000-0x0000000000540000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\FolICO.dll	ColorfulFolders.exe
File opened for modification	C:\Windows\FolICO.dll	ColorfulFolders.exe
File created	C:\Windows\ColorfulFolders.exe	ColorfulFolders.exe
File opened for modification	C:\Windows\ColorfulFolders.exe	ColorfulFolders.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder	ColorfulFolders.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell	ColorfulFolders.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\ÉèÖÃÍ¼±ê	ColorfulFolders.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\ÉèÖÃÍ¼±ê\command\ = "C:\\Windows\\ColorfulFolders.exe \"%1\""	ColorfulFolders.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\ÉèÖÃÍ¼±ê\command	ColorfulFolders.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe
1900	ColorfulFolders.exe

C:\Users\Admin\AppData\Local\Temp\ColorfulFolders.exe
"C:\Users\Admin\AppData\Local\Temp\ColorfulFolders.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\FolICO.dll

Filesize
651KB

MD5
2a7a8202c3743e7a03ca1cd8dcb6919e

SHA1
eb13c625e3f4aa593fe0ef968707f03a1c5d31f4

SHA256
7dae2eb0e039bd97ed8e35735ab3c2ddde13c3a63cb4943c4fdbc294e98449a0

SHA512
694347d80e553bc88b10b6f62420d26380a4c7c529c0821f9ddf972a37ac281082a2e015074c96100e9425ce5b1277f7b7fa5bb893d04ff2fa34034593390698

Download Submit
\Users\Admin\AppData\Local\Temp\vlss\iext.fnr

Filesize
216KB

MD5
cba933625bfa502fc4a1d9f34e1e4473

SHA1
5319194388c0e53321f99f1541b97af191999a09

SHA256
25549c7781b3f1b92e73b0ea721d177207cce914a66f3229a71291f2eb160013

SHA512
f5fb4b97c4f68a20e0847e6528740ce659c4501726f3b2dff1ac83e88a3b7198099da03edb0f069cd4af7ed568a2373597b235cd239895addfa5226d3a444142

Download Submit
\Users\Admin\AppData\Local\Temp\vlss\iext2.fne

Filesize
460KB

MD5
6eb20bb6cafd6d31e871ed3abd65a59c

SHA1
ae6495ea4241bcde20e415f2940313785a4a10d2

SHA256
2b3fe250f07229eaa58d1bc0c4ac103ba69ad622c27410151ce1d6d46a174bae

SHA512
562edc1f058bc280333a6659fceb5a51b3a40bea7aca87db09b0cc1ca1966f26f2a7e4760b944e2502e20257544f85cf9c32f583f1dec06271a35dcfb8fa90f4

Download Submit
\Users\Admin\AppData\Local\Temp\vlss\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
memory/1900-0-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1900-8-0x0000000000740000-0x0000000000784000-memory.dmp

Filesize
272KB

Download
memory/1900-12-0x0000000001F00000-0x0000000001F83000-memory.dmp

Filesize
524KB

Download
memory/1900-23-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download