Analysis
- max time kernel: 147s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2022, 22:07
Static task: static1
Behavioral task: behavioral1
- Sample: e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
- Resource: win10v2004-20220812-en
General
- Target: e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
- Size: 38KB
- MD5: 74ee9840be1aa7b1a5c0b3546b3745f9
- SHA1: 7e71c39f23b55cefbb4048eec7136981a4d2b00f
- SHA256: e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee
- SHA512: f20588c273c373b60700ed65ef6399a2243ead038c2c0ed253c5c9faaac96dabb01faf88e5dc841c7bf1d68cb3ab475f575228c5207d4a5a13fc0f96561e856a
- SSDEEP: 768:objqEFd8yMaZaqj+DQxHedPYy16QVWAGYqr55uuWF:Q/xauaE+2wxWJYMPuus
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  1960  BCSSync.exe
  1076  BCSSync.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1920  e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
  1920  e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
- Unexpected DNS network traffic destination (10 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  ioc: Destination IP 50.7.247.251 (reported 10 times)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2012 (e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe) set thread context of 1920 (procid_target 26)
  PID 1960 (BCSSync.exe) set thread context of 1076 (procid_target 28)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (process: e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (process: e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe)
- Drops file in Windows directory (1 IoCs)
  File created: C:\Windows\Fonts\T540i71.com (process: e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1076  BCSSync.exe
  1920  e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 2012 (e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe) wrote to memory of 1920 (procid_target 26): 9 entries
  PID 1920 (e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe) wrote to memory of 1960 (procid_target 27): 4 entries
  PID 1960 (BCSSync.exe) wrote to memory of 1076 (procid_target 28): 9 entries
  PID 1076 (BCSSync.exe) wrote to memory of 1472 (procid_target 29): 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe (PID 2012)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe (PID 1920)
      Command line: C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (PID 1960)
         Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (PID 1076)
            Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe (PID 1472)
               Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 38KB
  MD5: e831880021a919aac30d7319914c3076
  SHA1: 9dc200fd66b459303e6a9e8902eca20fa5ab72f2
  SHA256: 85ddfa5cdab90408f0f514dae04a3699996ca6df315dccb14c9b7a93a3fb8825
  SHA512: f7bca5eb50138988596da2931bbc43eba0ddcef0f8690718613a74861e6ad97637db3ef1e53879f3ff67c8f95f7c6445a50bfcb1972f637b40f01673ecff03c3