Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 04:02
Static task: static1
Behavioral task: behavioral1
- Sample: Codes.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Codes.exe
- Resource: win10v2004-20240611-en
General
- Target: Codes.exe
- Size: 6.4MB
- MD5: e20a92ba803ccdce1a2508542816f047
- SHA1: 803131e516784cff0cb6ad6e6b5cb29bc39092b9
- SHA256: db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930
- SHA512: 72329831d13bf15f193af74ee558c5c391ff87dfc77132da533e67f8b16f0d43c16f6ecc6a2a24b3aff9d5b1263ecbfffa0057aadbefd1b2c28b8f8193494ccf
- SSDEEP: 196608:IqWzFJ74xQUlQDIpa86HyHp9tQ0Nirvk2qSxHyzd3kn:IqWzR6aPC9tHi/qS1yyn
Malware Config
Extracted
- Family: bitrat
- Version: 1.34
- C2: 185.157.161.104:65312
- communication_password: 81dc9bdb52d04dc20036dbd8313ed055
- tor_process: tor
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\ProPlayer\\Player.exe.exe"
  Process: Codes.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid: 2664, Process: Codes.EXE (4 identical events)
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 3056 set thread context of 2664
  pid: 3056, Process: Codes.exe, procid_target: 29
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 2664, Process: Codes.EXE
  description: Token: SeShutdownPrivilege, pid: 2664, Process: Codes.EXE
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid: 2340, Process: DllHost.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid: 3056, Process: Codes.exe
  pid: 2664, Process: Codes.EXE (2 identical events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 3056 wrote to memory of 2664
  pid: 3056, Process: Codes.exe, procid_target: 29 (12 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Codes.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Codes.exe"
  PID: 3056
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Codes.EXE (child of PID 3056)
    command line: "C:\Users\Admin\AppData\Local\Temp\Codes.EXE"
    PID: 2664
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2340
  signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
- MD5: 8c7657ee946b1d37c54218e99e3b53b3
- SHA1: 49a53c307306f27ab97be7efcd5e5be5d374931e
- SHA256: 8eabd8e972ca3ec54c062f00741b1a016c8355aebc8f9a38e82c8aac75e59a31
- SHA512: 5a0a7a5d7d9b5992e327396c267952880ddecd57a74143d5608157d7262df4875439d1464f22b1e7d5afeb85f59838c2e5ee29521971ed91ad7859635f7e1071