de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
Size

69KB
MD5

904fd85464ff4dc7566e2296416cbd0a
SHA1

3bc0e20e90c3e2f5f40e83ee427e5d7c4c2dbfc6
SHA256

de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11
SHA512

d1c76159dbeb00f1a78558b2689aba72cf01d5755929455aeb3bb6fc1bb6f49cc396d7830447e995d7a00c25c5292794b1efd5d0082833fac07714c3bc920b25
SSDEEP

768:4WgOI+15tK7ramNSiYCFZA2H6KI2ek3Ub86Q1lYTQWa6tDgVoZ:kOlG75SAFZzaKI7M1lCdhDgW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1532	BCSSync.exe
832	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
2000	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
2000	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1532 set thread context of 832	1532	BCSSync.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
832	BCSSync.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 1992 wrote to memory of 2000	1992	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	26
PID 2000 wrote to memory of 1532	2000	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	27
PID 2000 wrote to memory of 1532	2000	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	27
PID 2000 wrote to memory of 1532	2000	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	27
PID 2000 wrote to memory of 1532	2000	de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe	27
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 1532 wrote to memory of 832	1532	BCSSync.exe	28
PID 832 wrote to memory of 1768	832	BCSSync.exe	29
PID 832 wrote to memory of 1768	832	BCSSync.exe	29
PID 832 wrote to memory of 1768	832	BCSSync.exe	29
PID 832 wrote to memory of 1768	832	BCSSync.exe	29

C:\Users\Admin\AppData\Local\Temp\de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
"C:\Users\Admin\AppData\Local\Temp\de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
  "C:\Users\Admin\AppData\Local\Temp\de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\de504cc6edf05ff73336cc752a723e269a18fb6c3148f835c5c7d70c26bebe11.exe
        5⤵
        
        PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
69KB

MD5
5746dd90d5b7466793f9844c01a0c201

SHA1
e8fc12f560f9983bb8da7a12c6403d991e4bd16c

SHA256
1262934dfff79377a67bea697808869fcf3236344ffdc0d262b25dd48c6d7b9b

SHA512
3e9db6f64bce8753510c8d73f8dc703247e3a3066e426823c5fef03ea3ab21075a60ee5ed18dc4743d6c792e90cf370804f819bb34e7b0d03a76acfdb2b05228

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
69KB

MD5
5746dd90d5b7466793f9844c01a0c201

SHA1
e8fc12f560f9983bb8da7a12c6403d991e4bd16c

SHA256
1262934dfff79377a67bea697808869fcf3236344ffdc0d262b25dd48c6d7b9b

SHA512
3e9db6f64bce8753510c8d73f8dc703247e3a3066e426823c5fef03ea3ab21075a60ee5ed18dc4743d6c792e90cf370804f819bb34e7b0d03a76acfdb2b05228

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
69KB

MD5
5746dd90d5b7466793f9844c01a0c201

SHA1
e8fc12f560f9983bb8da7a12c6403d991e4bd16c

SHA256
1262934dfff79377a67bea697808869fcf3236344ffdc0d262b25dd48c6d7b9b

SHA512
3e9db6f64bce8753510c8d73f8dc703247e3a3066e426823c5fef03ea3ab21075a60ee5ed18dc4743d6c792e90cf370804f819bb34e7b0d03a76acfdb2b05228

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
69KB

MD5
5746dd90d5b7466793f9844c01a0c201

SHA1
e8fc12f560f9983bb8da7a12c6403d991e4bd16c

SHA256
1262934dfff79377a67bea697808869fcf3236344ffdc0d262b25dd48c6d7b9b

SHA512
3e9db6f64bce8753510c8d73f8dc703247e3a3066e426823c5fef03ea3ab21075a60ee5ed18dc4743d6c792e90cf370804f819bb34e7b0d03a76acfdb2b05228

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
69KB

MD5
5746dd90d5b7466793f9844c01a0c201

SHA1
e8fc12f560f9983bb8da7a12c6403d991e4bd16c

SHA256
1262934dfff79377a67bea697808869fcf3236344ffdc0d262b25dd48c6d7b9b

SHA512
3e9db6f64bce8753510c8d73f8dc703247e3a3066e426823c5fef03ea3ab21075a60ee5ed18dc4743d6c792e90cf370804f819bb34e7b0d03a76acfdb2b05228

Download Submit
memory/832-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/832-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-63-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download