ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d

Analysis

max time kernel
144s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
Size

124KB
MD5

a7247982cd47e17c64d43fc4d32ab7ad
SHA1

f5df20fb78e6c3201737e3c747cac16cfe221413
SHA256

ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d
SHA512

8eac1871cbba79b9aa0b356a2eb1f658eb63e87fa83628f12d1455b14aaf721f8e04cec7e90e4b82bbfba186f65a368cf033b610dfa5e501d4b4e0eb85c667e4
SSDEEP

1536:/tPr2/kPKMonowh4ooFoNyhUICkT2rLtp4fNGtJ2d9DUMymuGFYp4Py+i6m6j+:/9PPnonoroomISrLtpgNXdyp6m6j+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	BCSSync.exe
956	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
688	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
688	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 2012 set thread context of 956	2012	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 1384 wrote to memory of 688	1384	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	28
PID 688 wrote to memory of 2012	688	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	29
PID 688 wrote to memory of 2012	688	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	29
PID 688 wrote to memory of 2012	688	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	29
PID 688 wrote to memory of 2012	688	ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe	29
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 2012 wrote to memory of 956	2012	BCSSync.exe	30
PID 956 wrote to memory of 1324	956	BCSSync.exe	31
PID 956 wrote to memory of 1324	956	BCSSync.exe	31
PID 956 wrote to memory of 1324	956	BCSSync.exe	31
PID 956 wrote to memory of 1324	956	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
"C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
  "C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ccf6ec1c89b83e79822244787498282c7183211b0d545ec47d333c34e4dc916d.exe
        5⤵
        
        PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
124KB

MD5
c1d564c2378169937ae39040ed101b8b

SHA1
3c180c0626bded5a990d050dfd96bec74a435292

SHA256
fbeaec8a584c00019736871489c681e24b666add525a14ecbab34317a79f25d9

SHA512
7a112eb0f528cd9186a1c37fa7f693f9c323bc104326bb49fc00c0a021f8907c002a101bab7cbd13833b123020eb225f6a673db787fa595d333611eae71e9393

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
124KB

MD5
c1d564c2378169937ae39040ed101b8b

SHA1
3c180c0626bded5a990d050dfd96bec74a435292

SHA256
fbeaec8a584c00019736871489c681e24b666add525a14ecbab34317a79f25d9

SHA512
7a112eb0f528cd9186a1c37fa7f693f9c323bc104326bb49fc00c0a021f8907c002a101bab7cbd13833b123020eb225f6a673db787fa595d333611eae71e9393

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
124KB

MD5
c1d564c2378169937ae39040ed101b8b

SHA1
3c180c0626bded5a990d050dfd96bec74a435292

SHA256
fbeaec8a584c00019736871489c681e24b666add525a14ecbab34317a79f25d9

SHA512
7a112eb0f528cd9186a1c37fa7f693f9c323bc104326bb49fc00c0a021f8907c002a101bab7cbd13833b123020eb225f6a673db787fa595d333611eae71e9393

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
124KB

MD5
c1d564c2378169937ae39040ed101b8b

SHA1
3c180c0626bded5a990d050dfd96bec74a435292

SHA256
fbeaec8a584c00019736871489c681e24b666add525a14ecbab34317a79f25d9

SHA512
7a112eb0f528cd9186a1c37fa7f693f9c323bc104326bb49fc00c0a021f8907c002a101bab7cbd13833b123020eb225f6a673db787fa595d333611eae71e9393

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
124KB

MD5
c1d564c2378169937ae39040ed101b8b

SHA1
3c180c0626bded5a990d050dfd96bec74a435292

SHA256
fbeaec8a584c00019736871489c681e24b666add525a14ecbab34317a79f25d9

SHA512
7a112eb0f528cd9186a1c37fa7f693f9c323bc104326bb49fc00c0a021f8907c002a101bab7cbd13833b123020eb225f6a673db787fa595d333611eae71e9393

Download Submit
memory/688-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-63-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/688-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/688-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/956-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/956-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download