Analysis
max time kernel: 143s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 04:02
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: Codes.exe
  Resource: win7-20240508-en (windows7-x64)
  9 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: Codes.exe
  Resource: win10v2004-20240611-en (windows10-2004-x64)
  8 signatures, 150 seconds
General
Target: Codes.exe
Size: 6.4MB
MD5: e20a92ba803ccdce1a2508542816f047
SHA1: 803131e516784cff0cb6ad6e6b5cb29bc39092b9
SHA256: db7619d7304cbb9c7ad4bf8c74836f241aecac1fda067f3ffadadf7ee6d44930
SHA512: 72329831d13bf15f193af74ee558c5c391ff87dfc77132da533e67f8b16f0d43c16f6ecc6a2a24b3aff9d5b1263ecbfffa0057aadbefd1b2c28b8f8193494ccf
SSDEEP: 196608:IqWzFJ74xQUlQDIpa86HyHp9tQ0Nirvk2qSxHyzd3kn:IqWzR6aPC9tHi/qS1yyn
Score: 10/10
Malware Config
Extracted
Family: bitrat
Version: 1.34
C2: 185.157.161.104:65312
Attributes
  communication_password: 81dc9bdb52d04dc20036dbd8313ed055
  tor_process: tor
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
description       ioc                                                                                                                                                                              Process
Set value (str)   \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\ProPlayer\\Player.exe.exe"   Codes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid    Process
4660   Codes.EXE
4660   Codes.EXE
4660   Codes.EXE
4660   Codes.EXE

Suspicious use of SetThreadContext (1 IoC)
description                            pid    Process     procid_target
PID 2412 set thread context of 4660    2412   Codes.exe   82

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                   pid    Process
Token: SeShutdownPrivilege    4660   Codes.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
pid    Process
2412   Codes.exe
4660   Codes.EXE
4660   Codes.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
description                          pid    Process     procid_target
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
PID 2412 wrote to memory of 4660     2412   Codes.exe   82
Processes

C:\Users\Admin\AppData\Local\Temp\Codes.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Codes.exe"
  PID: 2412
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Codes.EXE (child of PID 2412)
    command line: "C:\Users\Admin\AppData\Local\Temp\Codes.EXE"
    PID: 4660
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx