Analysis
-
max time kernel
148s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03/12/2022, 17:26
General
-
Target
d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exe
-
Size
112KB
-
MD5
f16b953264dde5c15d7b79e419bf8859
-
SHA1
416c510b6c2e1c7e9d7c5d242ccb10efb4b5e6c0
-
SHA256
d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3
-
SHA512
26fa6f7b39fb5b462f75e8ad06732e2dbb5540d2d8ac922901a22652d08c43133d54ade49ed3f9ebaa94993ecee92a1d49eb0f14fcb2c0cf27323590a2bc1e88
-
SSDEEP
1536:LPqKgbwDeVyAUHwGvVJrYJeyxWxVhkITI5ywWFfB8lBTxe5P1P1:9gbwDKyLwGvTrYkg6BJR6ns5PF1
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Unexpected DNS network traffic destination 11 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exe"C:\Users\Admin\AppData\Local\Temp\d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exe"C:\Users\Admin\AppData\Local\Temp\d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exeC:\Users\Admin\AppData\Local\Temp\d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exe3⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"7⤵
-
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {C8A2732E-2608-457C-B4D5-557163BE33E1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\8k2o44.comC:\Windows\Fonts\8k2o44.com2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\8k2o44.com"C:\Windows\Fonts\8k2o44.com"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Fonts\8k2o44.comC:\Windows\Fonts\8k2o44.com4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
112KB
MD530409d77a14d3b2b4c5937c8042e5c35
SHA194d864fb2647fdf72837d0aa92c442eead575caf
SHA2565806191d7a9af216f16bcc00e27649cfc4ca5195dc61ad6ec3e8b2de693a9e9e
SHA5122f83fbbd995b7a2cc32a9864ddf08ddde297402e688389982198f97fa1e469fb1ec9ab1891272cf1f0690d76fc5156bd6ae8af07b15f122d88dbc77edaeb741d
-
Filesize
112KB
MD530409d77a14d3b2b4c5937c8042e5c35
SHA194d864fb2647fdf72837d0aa92c442eead575caf
SHA2565806191d7a9af216f16bcc00e27649cfc4ca5195dc61ad6ec3e8b2de693a9e9e
SHA5122f83fbbd995b7a2cc32a9864ddf08ddde297402e688389982198f97fa1e469fb1ec9ab1891272cf1f0690d76fc5156bd6ae8af07b15f122d88dbc77edaeb741d
-
Filesize
112KB
MD530409d77a14d3b2b4c5937c8042e5c35
SHA194d864fb2647fdf72837d0aa92c442eead575caf
SHA2565806191d7a9af216f16bcc00e27649cfc4ca5195dc61ad6ec3e8b2de693a9e9e
SHA5122f83fbbd995b7a2cc32a9864ddf08ddde297402e688389982198f97fa1e469fb1ec9ab1891272cf1f0690d76fc5156bd6ae8af07b15f122d88dbc77edaeb741d
-
Filesize
112KB
MD530409d77a14d3b2b4c5937c8042e5c35
SHA194d864fb2647fdf72837d0aa92c442eead575caf
SHA2565806191d7a9af216f16bcc00e27649cfc4ca5195dc61ad6ec3e8b2de693a9e9e
SHA5122f83fbbd995b7a2cc32a9864ddf08ddde297402e688389982198f97fa1e469fb1ec9ab1891272cf1f0690d76fc5156bd6ae8af07b15f122d88dbc77edaeb741d
-
Filesize
112KB
MD5f16b953264dde5c15d7b79e419bf8859
SHA1416c510b6c2e1c7e9d7c5d242ccb10efb4b5e6c0
SHA256d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3
SHA51226fa6f7b39fb5b462f75e8ad06732e2dbb5540d2d8ac922901a22652d08c43133d54ade49ed3f9ebaa94993ecee92a1d49eb0f14fcb2c0cf27323590a2bc1e88
-
Filesize
112KB
MD5f16b953264dde5c15d7b79e419bf8859
SHA1416c510b6c2e1c7e9d7c5d242ccb10efb4b5e6c0
SHA256d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3
SHA51226fa6f7b39fb5b462f75e8ad06732e2dbb5540d2d8ac922901a22652d08c43133d54ade49ed3f9ebaa94993ecee92a1d49eb0f14fcb2c0cf27323590a2bc1e88
-
Filesize
112KB
MD5f16b953264dde5c15d7b79e419bf8859
SHA1416c510b6c2e1c7e9d7c5d242ccb10efb4b5e6c0
SHA256d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3
SHA51226fa6f7b39fb5b462f75e8ad06732e2dbb5540d2d8ac922901a22652d08c43133d54ade49ed3f9ebaa94993ecee92a1d49eb0f14fcb2c0cf27323590a2bc1e88
-
Filesize
112KB
MD5f16b953264dde5c15d7b79e419bf8859
SHA1416c510b6c2e1c7e9d7c5d242ccb10efb4b5e6c0
SHA256d1ee81b2c1fb983cd30b642a206c92596967751e735d28e2f7142ae7fc1ff2b3
SHA51226fa6f7b39fb5b462f75e8ad06732e2dbb5540d2d8ac922901a22652d08c43133d54ade49ed3f9ebaa94993ecee92a1d49eb0f14fcb2c0cf27323590a2bc1e88
-
Filesize
112KB
MD530409d77a14d3b2b4c5937c8042e5c35
SHA194d864fb2647fdf72837d0aa92c442eead575caf
SHA2565806191d7a9af216f16bcc00e27649cfc4ca5195dc61ad6ec3e8b2de693a9e9e
SHA5122f83fbbd995b7a2cc32a9864ddf08ddde297402e688389982198f97fa1e469fb1ec9ab1891272cf1f0690d76fc5156bd6ae8af07b15f122d88dbc77edaeb741d
-
Filesize
112KB
MD530409d77a14d3b2b4c5937c8042e5c35
SHA194d864fb2647fdf72837d0aa92c442eead575caf
SHA2565806191d7a9af216f16bcc00e27649cfc4ca5195dc61ad6ec3e8b2de693a9e9e
SHA5122f83fbbd995b7a2cc32a9864ddf08ddde297402e688389982198f97fa1e469fb1ec9ab1891272cf1f0690d76fc5156bd6ae8af07b15f122d88dbc77edaeb741d
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB