9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc

Analysis

max time kernel
144s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
Size

71KB
MD5

102d682a39cf25cbeb715524b90df960
SHA1

15f0bc341f613e6223ba2483c56f89700bd3a442
SHA256

9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc
SHA512

e73e1240b598b84b2f18e0cd51152dab183c419d274ed35f3ed624d98adf93e41ef935667f96ecb7455db8ee65489fb25fc8fc8e85ff33af5967feb57a6cbbaa
SSDEEP

1536:KKMonowh4ostPr2/kBmkWbpab+CtuMFxdWOo6CLvjs8wBjnp:Knonoros9Pkbpe+zOo6EwBjnp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	BCSSync.exe
2016	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
328	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
328	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 2012 set thread context of 2016	2012	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
328	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
2016	BCSSync.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 1096 wrote to memory of 328	1096	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	27
PID 328 wrote to memory of 2012	328	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	28
PID 328 wrote to memory of 2012	328	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	28
PID 328 wrote to memory of 2012	328	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	28
PID 328 wrote to memory of 2012	328	9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe	28
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2012 wrote to memory of 2016	2012	BCSSync.exe	29
PID 2016 wrote to memory of 1696	2016	BCSSync.exe	30
PID 2016 wrote to memory of 1696	2016	BCSSync.exe	30
PID 2016 wrote to memory of 1696	2016	BCSSync.exe	30
PID 2016 wrote to memory of 1696	2016	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
"C:\Users\Admin\AppData\Local\Temp\9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
  "C:\Users\Admin\AppData\Local\Temp\9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9f66c66294e99eaaec5a5f879356b78d7a104d30a47b33dfc33ae7d5999c35fc.exe
        5⤵
        
        PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
71KB

MD5
b6ed02de96d9f140ea46043eca116835

SHA1
8749e00cd8720fc60ac72d1a5746494d2d40ef25

SHA256
96ca8e359975903f8c64db517f09e2fdc838f4abe1c0225fa34f46c7ce875ec0

SHA512
5e6bed517d660c6e766f58a706fedef95d6fd9341bb9834c8b002b0a0b21a7e8c456e8fffbb1851ad4d5b8a9f348c4777379dd450d2027720eb490ebe56189e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
71KB

MD5
b6ed02de96d9f140ea46043eca116835

SHA1
8749e00cd8720fc60ac72d1a5746494d2d40ef25

SHA256
96ca8e359975903f8c64db517f09e2fdc838f4abe1c0225fa34f46c7ce875ec0

SHA512
5e6bed517d660c6e766f58a706fedef95d6fd9341bb9834c8b002b0a0b21a7e8c456e8fffbb1851ad4d5b8a9f348c4777379dd450d2027720eb490ebe56189e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
71KB

MD5
b6ed02de96d9f140ea46043eca116835

SHA1
8749e00cd8720fc60ac72d1a5746494d2d40ef25

SHA256
96ca8e359975903f8c64db517f09e2fdc838f4abe1c0225fa34f46c7ce875ec0

SHA512
5e6bed517d660c6e766f58a706fedef95d6fd9341bb9834c8b002b0a0b21a7e8c456e8fffbb1851ad4d5b8a9f348c4777379dd450d2027720eb490ebe56189e8

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
71KB

MD5
b6ed02de96d9f140ea46043eca116835

SHA1
8749e00cd8720fc60ac72d1a5746494d2d40ef25

SHA256
96ca8e359975903f8c64db517f09e2fdc838f4abe1c0225fa34f46c7ce875ec0

SHA512
5e6bed517d660c6e766f58a706fedef95d6fd9341bb9834c8b002b0a0b21a7e8c456e8fffbb1851ad4d5b8a9f348c4777379dd450d2027720eb490ebe56189e8

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
71KB

MD5
b6ed02de96d9f140ea46043eca116835

SHA1
8749e00cd8720fc60ac72d1a5746494d2d40ef25

SHA256
96ca8e359975903f8c64db517f09e2fdc838f4abe1c0225fa34f46c7ce875ec0

SHA512
5e6bed517d660c6e766f58a706fedef95d6fd9341bb9834c8b002b0a0b21a7e8c456e8fffbb1851ad4d5b8a9f348c4777379dd450d2027720eb490ebe56189e8

Download Submit
memory/328-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/328-63-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/328-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/328-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/328-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/328-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/328-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/328-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/328-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2016-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2016-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download