Analysis
- max time kernel: 144s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 17:31
Static task: static1
Behavioral task: behavioral1
- Sample: ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
- Resource: win10v2004-20220812-en
General
- Target: ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
- Size: 124KB
- MD5: a7247982cd47e17c64d43fc4d32ab7ad
- SHA1: f5df20fb78e6c3201737e3c747cac16cfe221413
- SHA256: ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d
- SHA512: 8eac1871cbba79b9aa0b356a2eb1f658eb63e87fa83628f12d1455b14aaf721f8e04cec7e90e4b82bbfba186f65a368cf033b610dfa5e501d4b4e0eb85c667e4
- SSDEEP: 1536:/tPr2/kPKMonowh4ooFoNyhUICkT2rLtp4fNGtJ2d9DUMymuGFYp4Py+i6m6j+:/9PPnonoroomISrLtpgNXdyp6m6j+
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2012 BCSSync.exe; pid 956 BCSSync.exe
- Loads dropped DLL (2 IoCs)
  pid 688 ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe (2 identical entries)
- Unexpected DNS network traffic destination (10 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  ioc: Destination IP 83.133.119.139 (10 identical entries)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1384 set thread context of 688 (ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe, procid_target 28)
  PID 2012 set thread context of 956 (BCSSync.exe, procid_target 30)
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (process ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe)
  File created: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (process ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (28 IoCs)
  PID 1384 wrote to memory of 688 (ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe, procid_target 28): 10 entries
  PID 688 wrote to memory of 2012 (ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe, procid_target 29): 4 entries
  PID 2012 wrote to memory of 956 (BCSSync.exe, procid_target 30): 10 entries
  PID 956 wrote to memory of 1324 (BCSSync.exe, procid_target 31): 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe (PID 1384)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe (PID 688)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe"
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (PID 2012)
         Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (PID 956)
            Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe (PID 1324)
               Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 124KB
  MD5: c1d564c2378169937ae39040ed101b8b
  SHA1: 3c180c0626bded5a990d050dfd96bec74a435292
  SHA256: fbeaec8a584c00019736871489c681e24b666add525a14ecbab34317a79f25d9
  SHA512: 7a112eb0f528cd9186a1c37fa7f693f9c323bc104326bb49fc00c0a021f8907c002a101bab7cbd13833b123020eb225f6a673db787fa595d333611eae71e9393