b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db

Analysis

max time kernel
144s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
Size

68KB
MD5

87db811579d3d587f45881f06ca63385
SHA1

f9b3b9ec7bc846ab7ff5d0c0fa013248178bc3a5
SHA256

b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db
SHA512

53ee4c792dda5cf94112d7d0565c4ace5fe83051f704d3a5980972d3ffea3c111f18c4a56b2fd7602db9e6fb7691dd4efdaa9dac5f458c27251eac092c0af39a
SSDEEP

1536:r1BvK2hM46fGBCzSfNNI6yx8Hoh3eypmrYbwWoL:r1BvK7pmCzSlNILr7mrlL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1092	BCSSync.exe
1108	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
968	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
968	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1092 set thread context of 1108	1092	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 1516 wrote to memory of 968	1516	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	27
PID 968 wrote to memory of 1092	968	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	28
PID 968 wrote to memory of 1092	968	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	28
PID 968 wrote to memory of 1092	968	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	28
PID 968 wrote to memory of 1092	968	b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe	28
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1092 wrote to memory of 1108	1092	BCSSync.exe	29
PID 1108 wrote to memory of 756	1108	BCSSync.exe	30
PID 1108 wrote to memory of 756	1108	BCSSync.exe	30
PID 1108 wrote to memory of 756	1108	BCSSync.exe	30
PID 1108 wrote to memory of 756	1108	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
"C:\Users\Admin\AppData\Local\Temp\b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
  "C:\Users\Admin\AppData\Local\Temp\b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\b8d2af6f3abbbd46bccc501eeb2e9e05965adce6fee24fccb850f1d24498b1db.exe
        5⤵
        
        PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
836702d20a0b00077e9c84bd6c244f2a

SHA1
7d056b236749e5d35c87753f3af7ab495f87767d

SHA256
c3a16b7b053aad243c1098e519863b7f21d0b57296a584f27d71ae83b42233f8

SHA512
2dfd83cf8e2f9dc2803a3d65ddecbdc1699006cbc8b71dc0636cc5fc17679d7ad269b622dc811469e3de7dacd7ea446be979c285ec5960b97d10ae88608d754f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
836702d20a0b00077e9c84bd6c244f2a

SHA1
7d056b236749e5d35c87753f3af7ab495f87767d

SHA256
c3a16b7b053aad243c1098e519863b7f21d0b57296a584f27d71ae83b42233f8

SHA512
2dfd83cf8e2f9dc2803a3d65ddecbdc1699006cbc8b71dc0636cc5fc17679d7ad269b622dc811469e3de7dacd7ea446be979c285ec5960b97d10ae88608d754f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
836702d20a0b00077e9c84bd6c244f2a

SHA1
7d056b236749e5d35c87753f3af7ab495f87767d

SHA256
c3a16b7b053aad243c1098e519863b7f21d0b57296a584f27d71ae83b42233f8

SHA512
2dfd83cf8e2f9dc2803a3d65ddecbdc1699006cbc8b71dc0636cc5fc17679d7ad269b622dc811469e3de7dacd7ea446be979c285ec5960b97d10ae88608d754f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
836702d20a0b00077e9c84bd6c244f2a

SHA1
7d056b236749e5d35c87753f3af7ab495f87767d

SHA256
c3a16b7b053aad243c1098e519863b7f21d0b57296a584f27d71ae83b42233f8

SHA512
2dfd83cf8e2f9dc2803a3d65ddecbdc1699006cbc8b71dc0636cc5fc17679d7ad269b622dc811469e3de7dacd7ea446be979c285ec5960b97d10ae88608d754f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
68KB

MD5
836702d20a0b00077e9c84bd6c244f2a

SHA1
7d056b236749e5d35c87753f3af7ab495f87767d

SHA256
c3a16b7b053aad243c1098e519863b7f21d0b57296a584f27d71ae83b42233f8

SHA512
2dfd83cf8e2f9dc2803a3d65ddecbdc1699006cbc8b71dc0636cc5fc17679d7ad269b622dc811469e3de7dacd7ea446be979c285ec5960b97d10ae88608d754f

Download Submit
memory/756-84-0x0000000000000000-mapping.dmp

Download
memory/968-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/968-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/968-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/968-61-0x0000000000403902-mapping.dmp

Download
memory/968-63-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/968-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/968-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/968-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/968-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/968-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1092-67-0x0000000000000000-mapping.dmp

Download
memory/1108-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1108-77-0x0000000000403902-mapping.dmp

Download
memory/1108-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download