7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713

General

Target

7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
Size

208KB
MD5

5673111a1583acdb8e0c3c5d17c05b95
SHA1

69929b1fd9b78e0fbb953bd14aa4eb5685cdee33
SHA256

7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713
SHA512

20efdf7dbd1ea1250f5fef66e220906ecf249728b68f244056623f96a87412b762ac8013539ef6a7d777b0728a33c5b60bf1e3854eeee2864ab0c552abe9cda5
SSDEEP

6144:kr6hRlL9gwxweLSPlTvamqLC6/CQ0w0QEj:kOOw6dbqLC66o0Q

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	COLISP.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\COLISP.exe	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
File opened for modification	C:\windows\SysWOW64\COLISP.exe	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
File created	C:\windows\SysWOW64\COLISP.exe.bat	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COLISP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
2860	COLISP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1732	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
1732	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
2860	COLISP.exe
2860	COLISP.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2760	1732	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe	29
PID 1732 wrote to memory of 2760	1732	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe	29
PID 1732 wrote to memory of 2760	1732	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe	29
PID 1732 wrote to memory of 2760	1732	7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe	29
PID 2760 wrote to memory of 2860	2760	cmd.exe	31
PID 2760 wrote to memory of 2860	2760	cmd.exe	31
PID 2760 wrote to memory of 2860	2760	cmd.exe	31
PID 2760 wrote to memory of 2860	2760	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe
"C:\Users\Admin\AppData\Local\Temp\7dcedf1a590c4266dc624c23188f18be722410243722ce32f3358a161b42e713.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\COLISP.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\windows\SysWOW64\COLISP.exe
    C:\windows\system32\COLISP.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\COLISP.exe.bat

Filesize
76B

MD5
6bfe1750f023b82e46c95488273683bc

SHA1
2e3d67094960a07545ecc1f506dea1f378889e81

SHA256
ed23b117ac175c32faa562b98087da68496a1805a15731108b22b95aaa51e8fc

SHA512
1fbf4cbafa32e6fc4e6856292060e991d55db59dafba022619a7722d828e851c9dd5081adffc341465814e8d7dbd86365d3e1b5ea1e8892567e295e1e3725912

Download Submit
\Windows\SysWOW64\COLISP.exe

Filesize
208KB

MD5
17ea1141a097b8dd27072950af57408d

SHA1
cca88064e02160f697560e81d2a57a7c0faead04

SHA256
9e5f8dd6a3642840510a7362637ef7215c7265204137b28a6a18315607aea8d5

SHA512
8846a0c9ec0c33eb5fbb3375b75e3b16ee93f9defe250c33a07646e5f567bb548309c2c164f24ae2b792cd71bdcaf1c61a224ba4c79a37ed64dfa16bca622838

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1732-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2760-15-0x0000000000860000-0x0000000000898000-memory.dmp

Filesize
224KB

Download
memory/2760-19-0x0000000000860000-0x0000000000898000-memory.dmp

Filesize
224KB

Download
memory/2860-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing