Analysis
max time kernel: 149s
max time network: 140s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 01:10
Static task: static1

Behavioral task behavioral1: sample CodeBlock-wallet_v1.3.1.exe, resource win7-20240508-en
Behavioral task behavioral2: sample CodeBlock-wallet_v1.3.1.exe, resource win10v2004-20240426-en
Behavioral task behavioral3: sample devobj.dll, resource win10v2004-20240508-en
Behavioral task behavioral4: sample lmhsvc.dll, resource win10v2004-20240426-en
Behavioral task behavioral5: sample tzsyncres.dll, resource win10v2004-20240508-en
General
Target: CodeBlock-wallet_v1.3.1.exe
Size: 99.4MB
MD5: 51214f407f63fa8b44b168e7fb1af2a4
SHA1: 5d253f197114361a2f80ca0d0e2fed6834c97b2b
SHA256: 0afab6861707ce6ad25f50fdf52af8dc3e637ba4c0fac93443fe073274cdc742
SHA512: e891b1eeb33b0f8a80af771bb0caea27f8e1e586277ed030e5091380a3933cb81a34b8fde1eade0db993f9dd661bee7f72fd6c2f7fe5fa2590c4530250513ca7
SSDEEP: 49152:4WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbG3335:MtLutqgwh4NYxtJpkxhGx333
Malware Config
Extracted
Family: remcos
Botnet: 22077
C2: 195.54.170.36:22077
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: VB786YNr-ICKPAO
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
resource | yara_rule
behavioral1/memory/2564-97-0x00000000000D0000-0x0000000000153000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2564-101-0x00000000000D0000-0x0000000000153000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Executes dropped EXE 2 IoCs
Processes:
pid | process
2632 | UniversalInstaller.exe
1888 | UniversalInstaller.exe

Loads dropped DLL 5 IoCs
Processes:
pid | process
2356 | CodeBlock-wallet_v1.3.1.exe
2632 | UniversalInstaller.exe
2632 | UniversalInstaller.exe
1888 | UniversalInstaller.exe
2924 | cmd.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1888 set thread context of 2924 | 1888 | UniversalInstaller.exe | cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
2356 | CodeBlock-wallet_v1.3.1.exe
2356 | CodeBlock-wallet_v1.3.1.exe
2632 | UniversalInstaller.exe
1888 | UniversalInstaller.exe
1888 | UniversalInstaller.exe
2924 | cmd.exe
2924 | cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
1888 | UniversalInstaller.exe
2924 | cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2356 | CodeBlock-wallet_v1.3.1.exe

Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
2632 | UniversalInstaller.exe
2632 | UniversalInstaller.exe
1888 | UniversalInstaller.exe
1888 | UniversalInstaller.exe

Suspicious use of WriteProcessMemory 32 IoCs
Processes (identical rows collapsed, with the number of recorded events in parentheses):
description | pid | process | target process
PID 2604 wrote to memory of 2356 | 2604 | CodeBlock-wallet_v1.3.1.exe | CodeBlock-wallet_v1.3.1.exe (7 events)
PID 2356 wrote to memory of 2632 | 2356 | CodeBlock-wallet_v1.3.1.exe | UniversalInstaller.exe (7 events)
PID 2632 wrote to memory of 1888 | 2632 | UniversalInstaller.exe | UniversalInstaller.exe (7 events)
PID 1888 wrote to memory of 2924 | 1888 | UniversalInstaller.exe | cmd.exe (5 events)
PID 2924 wrote to memory of 2564 | 2924 | cmd.exe | explorer.exe (6 events)
Processes (process tree, one level of indentation per depth)

C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"
  PID: 2604
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT
    PID: 2356
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
      command line: "C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"
      PID: 2632
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
        command line: C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
        PID: 1888
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\SysWOW64\cmd.exe
          PID: 2924
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\explorer.exe
            command line: C:\Windows\SysWOW64\explorer.exe
            PID: 2564
Network
MITRE ATT&CK Enterprise v15
Downloads