Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 01:10
Static task
- static1
Behavioral tasks
- behavioral1: Sample CodeBlock-wallet_v1.3.1.exe, Resource win7-20240508-en
- behavioral2: Sample CodeBlock-wallet_v1.3.1.exe, Resource win10v2004-20240426-en
- behavioral3: Sample devobj.dll, Resource win10v2004-20240508-en
- behavioral4: Sample lmhsvc.dll, Resource win10v2004-20240426-en
- behavioral5: Sample tzsyncres.dll, Resource win10v2004-20240508-en
General
- Target: CodeBlock-wallet_v1.3.1.exe
- Size: 99.4MB
- MD5: 51214f407f63fa8b44b168e7fb1af2a4
- SHA1: 5d253f197114361a2f80ca0d0e2fed6834c97b2b
- SHA256: 0afab6861707ce6ad25f50fdf52af8dc3e637ba4c0fac93443fe073274cdc742
- SHA512: e891b1eeb33b0f8a80af771bb0caea27f8e1e586277ed030e5091380a3933cb81a34b8fde1eade0db993f9dd661bee7f72fd6c2f7fe5fa2590c4530250513ca7
- SSDEEP: 49152:4WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbG3335:MtLutqgwh4NYxtJpkxhGx333
Malware Config
Extracted
remcos
22077
195.54.170.36:22077
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: VB786YNr-ICKPAO
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
-
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1048-50-0x0000000000400000-0x0000000000483000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1048-52-0x0000000000400000-0x0000000000483000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | CodeBlock-wallet_v1.3.1.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
464 | UniversalInstaller.exe
2528 | UniversalInstaller.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
464 | UniversalInstaller.exe
2528 | UniversalInstaller.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2528 set thread context of 2068 | 2528 | UniversalInstaller.exe | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
3292 | CodeBlock-wallet_v1.3.1.exe
3292 | CodeBlock-wallet_v1.3.1.exe
464 | UniversalInstaller.exe
2528 | UniversalInstaller.exe
2528 | UniversalInstaller.exe
2068 | cmd.exe
2068 | cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
2528 | UniversalInstaller.exe
2068 | cmd.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
3292 | CodeBlock-wallet_v1.3.1.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
464 | UniversalInstaller.exe
464 | UniversalInstaller.exe
2528 | UniversalInstaller.exe
2528 | UniversalInstaller.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 2072 wrote to memory of 3292 | 2072 | CodeBlock-wallet_v1.3.1.exe | CodeBlock-wallet_v1.3.1.exe
PID 2072 wrote to memory of 3292 | 2072 | CodeBlock-wallet_v1.3.1.exe | CodeBlock-wallet_v1.3.1.exe
PID 2072 wrote to memory of 3292 | 2072 | CodeBlock-wallet_v1.3.1.exe | CodeBlock-wallet_v1.3.1.exe
PID 3292 wrote to memory of 464 | 3292 | CodeBlock-wallet_v1.3.1.exe | UniversalInstaller.exe
PID 3292 wrote to memory of 464 | 3292 | CodeBlock-wallet_v1.3.1.exe | UniversalInstaller.exe
PID 3292 wrote to memory of 464 | 3292 | CodeBlock-wallet_v1.3.1.exe | UniversalInstaller.exe
PID 464 wrote to memory of 2528 | 464 | UniversalInstaller.exe | UniversalInstaller.exe
PID 464 wrote to memory of 2528 | 464 | UniversalInstaller.exe | UniversalInstaller.exe
PID 464 wrote to memory of 2528 | 464 | UniversalInstaller.exe | UniversalInstaller.exe
PID 2528 wrote to memory of 2068 | 2528 | UniversalInstaller.exe | cmd.exe
PID 2528 wrote to memory of 2068 | 2528 | UniversalInstaller.exe | cmd.exe
PID 2528 wrote to memory of 2068 | 2528 | UniversalInstaller.exe | cmd.exe
PID 2528 wrote to memory of 2068 | 2528 | UniversalInstaller.exe | cmd.exe
PID 2068 wrote to memory of 1048 | 2068 | cmd.exe | explorer.exe
PID 2068 wrote to memory of 1048 | 2068 | cmd.exe | explorer.exe
PID 2068 wrote to memory of 1048 | 2068 | cmd.exe | explorer.exe
PID 2068 wrote to memory of 1048 | 2068 | cmd.exe | explorer.exe
PID 2068 wrote to memory of 1048 | 2068 | cmd.exe | explorer.exe
Processes (process tree; each numbered entry is the parent of the next)
1. C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"
   PID: 2072
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT
   PID: 3292
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
   Command line: "C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"
   PID: 464
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
   Command line: C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
   PID: 2528
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\SysWOW64\cmd.exe
   PID: 2068
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\explorer.exe
   Command line: C:\Windows\SysWOW64\explorer.exe
   PID: 1048
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 90397ef652e54fb4722afac5098e95f1
  SHA1: fa4a94b5a469b473781c440a76e9713e270f51a5
  SHA256: 3be32cbb167c6c860f8a6e910d4d4b02e152c139e02a74bd026369c74ff2f516
  SHA512: 020566e00bc760943e4fa5f2c8c3d62eff7cdd941fa2a6b1c5c8096a1062ad5fbb0e849e16675049efebdf2355e7c3013bbdb8d8b8dacc3a0408493726a71bac
- Filesize: 1.6MB
  MD5: d1ba9412e78bfc98074c5d724a1a87d6
  SHA1: 0572f98d78fb0b366b5a086c2a74cc68b771d368
  SHA256: cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
  SHA512: 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
- Filesize: 2.4MB
  MD5: 9fb4770ced09aae3b437c1c6eb6d7334
  SHA1: fe54b31b0db8665aa5b22bed147e8295afc88a03
  SHA256: a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
  SHA512: 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
- Filesize: 947KB
  MD5: 2006f33bd138198426dd0029bfb59d78
  SHA1: b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4
  SHA256: 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f
  SHA512: 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649
- Filesize: 59KB
  MD5: 6c6f6a14e9d0a4a4cccf42c556fbd674
  SHA1: 171078d45ebc27f5a8e448dc451d4f94947d82e5
  SHA256: 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3
  SHA512: 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e
- Filesize: 1.5MB
  MD5: 26f5bc7e93d04836018674ea346fcfc7
  SHA1: 3b7d74663bfc45388c403d2b4e242df5ee18e8f0
  SHA256: 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163
  SHA512: 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9