Overview

overview

8

Static

static

8b69d4fedd...65.exe

windows7-x64

8

8b69d4fedd...65.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    137s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe

  • Size

    45KB

  • MD5

    f31b02dd58c8b1b90d1d201e554f78dc

  • SHA1

    a77f3c8d90497c4d430070615802434580dc1fdc

  • SHA256

    8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465

  • SHA512

    101ce037eaf395dbcbd3590a3b06540e485ed19da8909744e3d791e0bd21b28269d11c8c8d26857c23d31d63dfeb701ba22958d0be19636f7635d81cc1c39444

  • SSDEEP

    768:X323i/5MqKWo+CBe0dyvumWGpgIZ/jjPFjwUMaJiApGHNb6mB4:Ii/5MtWo+C80UcGpR/jjPpaSiApGtWs4

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
    "C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
      "C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
          "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:556
          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
            "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8b69d4feddf89f1647344f21327026dc0bc116102850b8d715acb6e0c7d08465.exe
            5⤵
              PID:1544

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Filesize

      45KB

      MD5

      5ecd1147d7406589c93abde49d1c6c0f

      SHA1

      3fb50153151bbae4869432a575a13a6ab0c4b53e

      SHA256

      2761dcc448392cd6065f283e29334254d399fde1cc72d06455c176342a67262d

      SHA512

      2072c439a0d05ffa185202d6a5742971f7a91d2820dee63227e52050457a418deb50d9888f8e8715ce05c3f9fc6c049454257f8d4080a740b4a1d85e873138e8

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Filesize

      45KB

      MD5

      5ecd1147d7406589c93abde49d1c6c0f

      SHA1

      3fb50153151bbae4869432a575a13a6ab0c4b53e

      SHA256

      2761dcc448392cd6065f283e29334254d399fde1cc72d06455c176342a67262d

      SHA512

      2072c439a0d05ffa185202d6a5742971f7a91d2820dee63227e52050457a418deb50d9888f8e8715ce05c3f9fc6c049454257f8d4080a740b4a1d85e873138e8

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Filesize

      45KB

      MD5

      5ecd1147d7406589c93abde49d1c6c0f

      SHA1

      3fb50153151bbae4869432a575a13a6ab0c4b53e

      SHA256

      2761dcc448392cd6065f283e29334254d399fde1cc72d06455c176342a67262d

      SHA512

      2072c439a0d05ffa185202d6a5742971f7a91d2820dee63227e52050457a418deb50d9888f8e8715ce05c3f9fc6c049454257f8d4080a740b4a1d85e873138e8

      Download Submit

    • \Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Filesize

      45KB

      MD5

      5ecd1147d7406589c93abde49d1c6c0f

      SHA1

      3fb50153151bbae4869432a575a13a6ab0c4b53e

      SHA256

      2761dcc448392cd6065f283e29334254d399fde1cc72d06455c176342a67262d

      SHA512

      2072c439a0d05ffa185202d6a5742971f7a91d2820dee63227e52050457a418deb50d9888f8e8715ce05c3f9fc6c049454257f8d4080a740b4a1d85e873138e8

      Download Submit

    • \Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Filesize

      45KB

      MD5

      5ecd1147d7406589c93abde49d1c6c0f

      SHA1

      3fb50153151bbae4869432a575a13a6ab0c4b53e

      SHA256

      2761dcc448392cd6065f283e29334254d399fde1cc72d06455c176342a67262d

      SHA512

      2072c439a0d05ffa185202d6a5742971f7a91d2820dee63227e52050457a418deb50d9888f8e8715ce05c3f9fc6c049454257f8d4080a740b4a1d85e873138e8

      Download Submit

    • memory/556-91-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-60-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-66-0x0000000010000000-0x000000001000A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1736-65-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-64-0x00000000760B1000-0x00000000760B3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1736-63-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-54-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-58-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-57-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-56-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1736-55-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download