b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a

Analysis

max time kernel
143s
max time network
143s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 06:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
Size

110KB
MD5

244b3671feda4df16b95573616ab394d
SHA1

8239fde8096de45ff79a9d9bda6c1e9245886801
SHA256

b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a
SHA512

8b657acf43adc34013a72f12f95a80dc5cffae31e4d25b4ed9e5f9d508fa65c8035b40fbeb254de9db9e17f9cef644d727d849375b0ad3eaf6a84c447582b8a7
SSDEEP

1536:dTKdhmMFi+lokn0CcuQpuv0Ix0vkHWR8ceQDxeOO:dT8cUi20DuQpKnsMkrBO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1316	BCSSync.exe
528	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
620	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
620	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1316 set thread context of 528	1316	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 1464 wrote to memory of 620	1464	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	27
PID 620 wrote to memory of 1316	620	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	28
PID 620 wrote to memory of 1316	620	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	28
PID 620 wrote to memory of 1316	620	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	28
PID 620 wrote to memory of 1316	620	b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe	28
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 1316 wrote to memory of 528	1316	BCSSync.exe	29
PID 528 wrote to memory of 1800	528	BCSSync.exe	30
PID 528 wrote to memory of 1800	528	BCSSync.exe	30
PID 528 wrote to memory of 1800	528	BCSSync.exe	30
PID 528 wrote to memory of 1800	528	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
"C:\Users\Admin\AppData\Local\Temp\b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
  "C:\Users\Admin\AppData\Local\Temp\b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\b247a64f0cd5221e02b6d49cb17b6811f480e51b8a16ee20bff934cbe039077a.exe
        5⤵
        
        PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
903ca0811fdeeffb1689792382f6a2a3

SHA1
fed38e325ea0ccf26850267970041a061100421d

SHA256
1d4a6fe148cc60afadd12db986cae89f9c401c3ce0e5d08d7ff3f05464a65f22

SHA512
7f44c8ab5c3f7ce605db09c99a097f6bd0a9e6a501e689c854d296c0dfeab40fdedff0e96f0fa6e82b4e1f329a9238fa12ed8857d4b0c21620bc8398561bfa42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
903ca0811fdeeffb1689792382f6a2a3

SHA1
fed38e325ea0ccf26850267970041a061100421d

SHA256
1d4a6fe148cc60afadd12db986cae89f9c401c3ce0e5d08d7ff3f05464a65f22

SHA512
7f44c8ab5c3f7ce605db09c99a097f6bd0a9e6a501e689c854d296c0dfeab40fdedff0e96f0fa6e82b4e1f329a9238fa12ed8857d4b0c21620bc8398561bfa42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
903ca0811fdeeffb1689792382f6a2a3

SHA1
fed38e325ea0ccf26850267970041a061100421d

SHA256
1d4a6fe148cc60afadd12db986cae89f9c401c3ce0e5d08d7ff3f05464a65f22

SHA512
7f44c8ab5c3f7ce605db09c99a097f6bd0a9e6a501e689c854d296c0dfeab40fdedff0e96f0fa6e82b4e1f329a9238fa12ed8857d4b0c21620bc8398561bfa42

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
903ca0811fdeeffb1689792382f6a2a3

SHA1
fed38e325ea0ccf26850267970041a061100421d

SHA256
1d4a6fe148cc60afadd12db986cae89f9c401c3ce0e5d08d7ff3f05464a65f22

SHA512
7f44c8ab5c3f7ce605db09c99a097f6bd0a9e6a501e689c854d296c0dfeab40fdedff0e96f0fa6e82b4e1f329a9238fa12ed8857d4b0c21620bc8398561bfa42

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
903ca0811fdeeffb1689792382f6a2a3

SHA1
fed38e325ea0ccf26850267970041a061100421d

SHA256
1d4a6fe148cc60afadd12db986cae89f9c401c3ce0e5d08d7ff3f05464a65f22

SHA512
7f44c8ab5c3f7ce605db09c99a097f6bd0a9e6a501e689c854d296c0dfeab40fdedff0e96f0fa6e82b4e1f329a9238fa12ed8857d4b0c21620bc8398561bfa42

Download Submit
memory/528-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/528-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-63-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/620-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/620-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download