Analysis
- max time kernel: 137s
- max time network: 189s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29/11/2022, 05:48
Static task: static1
Behavioral task: behavioral1
- Sample: 8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
- Resource: win10v2004-20220812-en
General
- Target: 8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
- Size: 45KB
- MD5: f31b02dd58c8b1b90d1d201e554f78dc
- SHA1: a77f3c8d90497c4d430070615802434580dc1fdc
- SHA256: 8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465
- SHA512: 101ce037eaf395dbcbd3590a3b06540e485ed19da8909744e3d791e0bd21b28269d11c8c8d26857c23d31d63dfeb701ba22958d0be19636f7635d81cc1c39444
- SSDEEP: 768:X323i/5MqKWo+CBe0dyvumWGpgIZ/jjPFjwUMaJiApGHNb6mB4:Ii/5MtWo+C80UcGpR/jjPpaSiApGtWs4
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid / Process:
  1504  BCSSync.exe
  556   BCSSync.exe
- Loads dropped DLL (2 IoCs)
  pid / Process:
  1736  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
  1736  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
- Unexpected DNS network traffic destination (4 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description / ioc:
  Destination IP  83.133.119.139 (same destination reported 4 times)
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  PID 2020 set thread context of 1736  2020  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe  28
  PID 1504 set thread context of 556   1504  BCSSync.exe  30
- Drops file in Program Files directory (2 IoCs)
  description / ioc / Process:
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
- Drops file in Windows directory (1 IoCs)
  description / ioc / Process:
  File created  C:\Windows\Fonts\pavUCoMb.com  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid / Process:
  556  BCSSync.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description / pid / Process / procid_target (identical rows collapsed with a count):
  PID 2020 wrote to memory of 1736  2020  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe  28  (9 times)
  PID 1736 wrote to memory of 1504  1736  8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe  29  (4 times)
  PID 1504 wrote to memory of 556   1504  BCSSync.exe  30  (9 times)
  PID 556 wrote to memory of 1544   556   BCSSync.exe  31  (4 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe"
  PID: 2020
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe"
    PID: 1736
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
      PID: 1504
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
        PID: 556
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
          Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
          PID: 1544
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 45KB
  MD5: 5ecd1147d7406589c93abde49d1c6c0f
  SHA1: 3fb50153151bbae4869432a575a13a6ab0c4b53e
  SHA256: 2761dcc448392cd6065f283e29334254d399fde1cc72d06455c176342a67262d
  SHA512: 2072c439a0d05ffa185202d6a5742971f7a91d2820dee63227e52050457a418deb50d9888f8e8715ce05c3f9fc6c049454257f8d4080a740b4a1d85e873138e8