834079a3da183e8e73edfdf09dc49f32afa02078eee7f261b0c3695291417d10

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GetColor/GetColor.exe
Size

375KB
MD5

4891cd25883a960412809d68a9e08aa8
SHA1

d9d6e57fe125fbc58047fd7c7d509fb7c0948392
SHA256

4e5a3c8557f9eeaa883ee52dab3251047a0a28aef68b2fbbd8278e29e63f67f4
SHA512

0b6930f81e1b0543b355c0cb83c4a25306406400af6fb83b9b88e4e7434294e65d2ce554e199541811900fa6b5cee56618e382c3110c283cdb9497d5b7002f1f
SSDEEP

6144:R3eWxZR+Qad3JHXoZMRepmH8sOpk6InMglEOaGDQoyazscUdEschy4a:R3eWTwP3oZ1pbT5gj3DQoyazsf4y4a

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	GetColor.exe

Loads dropped DLL 1 IoCs

pid	Process
2632	GetColor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetColor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetColor.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2632	GetColor.exe
Token: SeIncBasePriorityPrivilege	2632	GetColor.exe
Token: 33	2632	GetColor.exe
Token: SeIncBasePriorityPrivilege	2632	GetColor.exe
Token: 33	2740	GetColor.exe
Token: SeIncBasePriorityPrivilege	2740	GetColor.exe
Token: 33	2740	GetColor.exe
Token: SeIncBasePriorityPrivilege	2740	GetColor.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2740	2632	GetColor.exe	30
PID 2632 wrote to memory of 2740	2632	GetColor.exe	30
PID 2632 wrote to memory of 2740	2632	GetColor.exe	30
PID 2632 wrote to memory of 2740	2632	GetColor.exe	30

C:\Users\Admin\AppData\Local\Temp\GetColor\GetColor.exe
"C:\Users\Admin\AppData\Local\Temp\GetColor\GetColor.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\小色迷作者_colon_夜.1\1.0.0.0\2010.09.24T16.16\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\GetColor\GetColor.exe
  "C:\Users\Admin\AppData\Local\Temp\GetColor\GetColor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Xenocode\Sandbox\小色迷作者_colon_夜.1\1.0.0.0\2010.09.24T16.16\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\GetColor\GetColor.exe

Filesize
17KB

MD5
b2d7b0481280db86e4b7fba94d88fd8c

SHA1
d7e497e29cda1e75cfab28c5812a3582f2a51f72

SHA256
6ca4a8c11342bcc208f2337c284370ac11cd3adf2d29632c31456c463386f460

SHA512
656f5c7af998f222d04b93b83343d112fc8f29f39b01c55f3b2ef1ac93159fd4c5de51a206e36e2f284f5554d17fde23b49635855d19a975fbdfbff9609e6dcc

Download Submit
memory/2632-0-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2632-9-0x0000000000360000-0x00000000003D2000-memory.dmp

Filesize
456KB

Download
memory/2632-5-0x0000000000360000-0x00000000003D2000-memory.dmp

Filesize
456KB

Download
memory/2632-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2632-3-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2632-2-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2632-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2632-7-0x0000000077650000-0x0000000077651000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2632-6-0x0000000000360000-0x00000000003D2000-memory.dmp

Filesize
456KB

Download
memory/2632-13-0x0000000000360000-0x00000000003D2000-memory.dmp

Filesize
456KB

Download
memory/2740-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-14-0x0000000000420000-0x0000000000492000-memory.dmp

Filesize
456KB

Download
memory/2740-16-0x0000000000420000-0x0000000000492000-memory.dmp

Filesize
456KB

Download
memory/2740-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download