Malware Analysis Report

2024-12-07 22:48

Sample ID 240511-g79jzaae4t
Target CodeBlock-wallet_v1.3.1.zip
SHA256 2705dcc079e3d14aeb87a04b48b495cdd3c0fcfb435f10f04396c78a36ad88a3
Tags remcos 22077 rat
Score 10/10

Analysis Overview

Score 10/10

SHA256 2705dcc079e3d14aeb87a04b48b495cdd3c0fcfb435f10f04396c78a36ad88a3

Threat Level: Known bad

The file CodeBlock-wallet_v1.3.1.zip was found to be: Known bad.

Malicious Activity Summary

remcos 22077 rat

Remcos

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 06:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-0.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-0.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-1.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-1.bin

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-1.bin

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-1.bin"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5da3598125f2fdda0917e15d20f053cf
SHA1 18524dc4f5cc9018170f4b0de518bbb6bbee5429
SHA256 781f3bc2baf82f605a1b7111495fdf392a2e0cc281f61f23017eae928566659d
SHA512 75b549b4da54f06aab06455ee751904d12775a5e32353eed7dd98387370ea17e2afdc896ee1607a19eaa80ba1d77df6043609c8ddb282714e52d7484a2cb4bd0

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win7-20240221-en

Max time kernel

148s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2652 set thread context of 2564 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2016 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2016 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2016 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2016 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2016 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2016 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 2636 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2636 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2636 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2636 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2636 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2636 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2636 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 2744 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2744 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2744 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2744 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2744 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2744 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2744 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 2652 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2564 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2564 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2564 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2564 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2564 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
NO | 195.54.170.36:22077 | | tcp

Files

memory/2016-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2016-3-0x0000000000400000-0x0000000000712000-memory.dmp

\Users\Admin\AppData\Roaming\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Roaming\relay.dll

MD5 26f5bc7e93d04836018674ea346fcfc7
SHA1 3b7d74663bfc45388c403d2b4e242df5ee18e8f0
SHA256 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163
SHA512 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

memory/2636-20-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\nighttime.xlsx

MD5 6c6f6a14e9d0a4a4cccf42c556fbd674
SHA1 171078d45ebc27f5a8e448dc451d4f94947d82e5
SHA256 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3
SHA512 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

C:\Users\Admin\AppData\Roaming\bigmouth.ai

MD5 2006f33bd138198426dd0029bfb59d78
SHA1 b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4
SHA256 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f
SHA512 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

memory/2744-26-0x00000000747D0000-0x0000000074944000-memory.dmp

memory/2744-27-0x0000000077530000-0x00000000776D9000-memory.dmp

C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/2652-43-0x00000000746D0000-0x0000000074844000-memory.dmp

memory/2652-44-0x0000000077530000-0x00000000776D9000-memory.dmp

memory/2652-45-0x00000000746D0000-0x0000000074844000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a3321c95

MD5 e27d2d5e101dc41172fa9f1148d33eca
SHA1 3cd266da138b29777a6609919ee407fe09254120
SHA256 c8e378639e206b377f06bbb381afce8ea505ea796240be8a0a640dc5c3bc56ac
SHA512 f024cc894910e74dc0a2ce982b926054577bf927b6914b35e1353593d33a47def9c3b2d6f63af6757b07ebaf23863b4ccc9be34f1c45b740b94c2161cfde4406

memory/2564-48-0x0000000077530000-0x00000000776D9000-memory.dmp

memory/2564-94-0x00000000746D0000-0x0000000074844000-memory.dmp

memory/1564-96-0x0000000077530000-0x00000000776D9000-memory.dmp

memory/1564-97-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-100-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-101-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-102-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-103-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-104-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-105-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-106-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-107-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-108-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-109-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1564-110-0x0000000000400000-0x0000000000483000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lmhsvc.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\lmhsvc.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\devobj.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\devobj.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tzsyncres.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tzsyncres.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-0.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-0.bin

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-0.bin

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-0.bin"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 aeca4d53ecb39e3e17ab73fee8f69f94
SHA1 6ce28e8626a3f20fef683babca97598c04c9fd69
SHA256 d5b267181e84a920d00158dd854b355eb628f61ee445e35cebd1befc69a4a1c9
SHA512 c80eb72feafb800a5048646fcf2208a485cd45065c4371e1a95384ea991b327dc7d32bd988451f6a3d475371a58cb66502672d2cee32ea9878a4ea85de330c9f

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

103s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-1.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1-1.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 52.111.229.43:443 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-11 06:27

Reported

2024-05-11 06:32

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3956 set thread context of 4604 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1600 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1600 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 1600 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
PID 4468 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 4468 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 4468 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
PID 5088 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 5088 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 5088 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
PID 3956 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4604 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 4604 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 4604 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 4604 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 4604 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NO | 195.54.170.36:22077 | | tcp
US | 8.8.8.8:53 | 36.170.54.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/1600-0-0x0000000000930000-0x0000000000931000-memory.dmp

memory/4468-3-0x00000000026E0000-0x00000000026E1000-memory.dmp

memory/1600-4-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/4468-19-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Roaming\relay.dll

MD5 26f5bc7e93d04836018674ea346fcfc7
SHA1 3b7d74663bfc45388c403d2b4e242df5ee18e8f0
SHA256 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163
SHA512 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9

C:\Users\Admin\AppData\Roaming\nighttime.xlsx

MD5 6c6f6a14e9d0a4a4cccf42c556fbd674
SHA1 171078d45ebc27f5a8e448dc451d4f94947d82e5
SHA256 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3
SHA512 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e

C:\Users\Admin\AppData\Roaming\bigmouth.ai

MD5 2006f33bd138198426dd0029bfb59d78
SHA1 b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4
SHA256 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f
SHA512 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649

memory/5088-25-0x0000000074870000-0x00000000749EB000-memory.dmp

memory/5088-26-0x00007FFD8C6B0000-0x00007FFD8C8A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/3956-40-0x0000000074870000-0x00000000749EB000-memory.dmp

memory/3956-41-0x00007FFD8C6B0000-0x00007FFD8C8A5000-memory.dmp

memory/3956-42-0x0000000074870000-0x00000000749EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aeea746e

MD5 cfda3fb635877b2ff114cfc438854791
SHA1 dae58afc455f7f3e7f7d05f9f865a9b4ea6ed2e4
SHA256 d25342ac7956a9fe28c51091a065a842c4f98f86e7c3e68800b1059267774c8b
SHA512 1e5d7ed327d2034fe7af00a0c993cbcca4b26adc9c958025e94c4d44196268795d103c84c12038de4e2815646b07dfbdb7dd4743bb1ab4ed19caf14510cd0d93

memory/4604-45-0x00007FFD8C6B0000-0x00007FFD8C8A5000-memory.dmp

memory/4604-47-0x0000000074870000-0x00000000749EB000-memory.dmp

memory/972-49-0x00007FFD8C6B0000-0x00007FFD8C8A5000-memory.dmp

memory/972-50-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-53-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-54-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-55-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-56-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-57-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-58-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-59-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-60-0x00000000008E0000-0x0000000000963000-memory.dmp

memory/972-63-0x00000000008E0000-0x0000000000963000-memory.dmp