c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161

Analysis

max time kernel
143s
max time network
167s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
Size

107KB
MD5

82bf16d00bf8e3e2e8630d45131a7c30
SHA1

299530d9435884f58b12836da7c8d4b4cde414cf
SHA256

c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161
SHA512

bdc94097ee697c8f88b4ca73dabd4c8de30d23cf25c04fda3d7e55dda82cff6ceb7781c23dcf127050ec08397cd6f62f01ff6cd0b91ffeef486ade7b24e27077
SSDEEP

3072:8zecKgDUUYEYY49rQ5knbV2stF11+vzx4:8zeIkmcbttF1d

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1976	BCSSync.exe
984	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
1996	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1976 set thread context of 984	1976	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1448 wrote to memory of 1996	1448	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	27
PID 1996 wrote to memory of 1976	1996	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	28
PID 1996 wrote to memory of 1976	1996	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	28
PID 1996 wrote to memory of 1976	1996	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	28
PID 1996 wrote to memory of 1976	1996	c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe	28
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 1976 wrote to memory of 984	1976	BCSSync.exe	29
PID 984 wrote to memory of 1740	984	BCSSync.exe	30
PID 984 wrote to memory of 1740	984	BCSSync.exe	30
PID 984 wrote to memory of 1740	984	BCSSync.exe	30
PID 984 wrote to memory of 1740	984	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
"C:\Users\Admin\AppData\Local\Temp\c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
  "C:\Users\Admin\AppData\Local\Temp\c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c23ce16d883e51f851dbbcb25f202736829e022943471d93133010a56fb63161.exe
        5⤵
        
        PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
107KB

MD5
685bb649a7b07caddda7021e560dda6d

SHA1
89460714902bc872d409b891c1c376cd7cf04102

SHA256
edaef91d8cae3d82defd501a868def24a9cbea297e98cf76e67b49e172418f83

SHA512
019bee3499e708f7b41e8628dd90df903272cf01cb2b308008d8851692055ae2d6d0c6ad64201b3ed6c7bb85795b9a0f0d02c931fc0fc09389901e6b8a347d01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
107KB

MD5
685bb649a7b07caddda7021e560dda6d

SHA1
89460714902bc872d409b891c1c376cd7cf04102

SHA256
edaef91d8cae3d82defd501a868def24a9cbea297e98cf76e67b49e172418f83

SHA512
019bee3499e708f7b41e8628dd90df903272cf01cb2b308008d8851692055ae2d6d0c6ad64201b3ed6c7bb85795b9a0f0d02c931fc0fc09389901e6b8a347d01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
107KB

MD5
685bb649a7b07caddda7021e560dda6d

SHA1
89460714902bc872d409b891c1c376cd7cf04102

SHA256
edaef91d8cae3d82defd501a868def24a9cbea297e98cf76e67b49e172418f83

SHA512
019bee3499e708f7b41e8628dd90df903272cf01cb2b308008d8851692055ae2d6d0c6ad64201b3ed6c7bb85795b9a0f0d02c931fc0fc09389901e6b8a347d01

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
107KB

MD5
685bb649a7b07caddda7021e560dda6d

SHA1
89460714902bc872d409b891c1c376cd7cf04102

SHA256
edaef91d8cae3d82defd501a868def24a9cbea297e98cf76e67b49e172418f83

SHA512
019bee3499e708f7b41e8628dd90df903272cf01cb2b308008d8851692055ae2d6d0c6ad64201b3ed6c7bb85795b9a0f0d02c931fc0fc09389901e6b8a347d01

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
107KB

MD5
685bb649a7b07caddda7021e560dda6d

SHA1
89460714902bc872d409b891c1c376cd7cf04102

SHA256
edaef91d8cae3d82defd501a868def24a9cbea297e98cf76e67b49e172418f83

SHA512
019bee3499e708f7b41e8628dd90df903272cf01cb2b308008d8851692055ae2d6d0c6ad64201b3ed6c7bb85795b9a0f0d02c931fc0fc09389901e6b8a347d01

Download Submit
memory/984-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/984-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-63-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download