ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e

Analysis

max time kernel
271s
max time network
365s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
Size

110KB
MD5

3b583c9f616ebe0bf1bdb31c45cce2d3
SHA1

2060532701285b62ed897afa7558ec4575e8f01f
SHA256

ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e
SHA512

c7a59949bad248f815ec3919f3aae44e9b0920fae24e617164124b564aecd78aba672b2de5d5256a8af78612aa2cae02172ebfc5af875a72db3509aa7e6a850d
SSDEEP

1536:dTKdhmMFi+lokn0CcuQpuv0Ix0vkHWR8ceQDxeOk:dT8cUi20DuQpKnsMkrBk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1528	BCSSync.exe
364	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
1872	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 1528 set thread context of 364	1528	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 792 wrote to memory of 1872	792	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	28
PID 1872 wrote to memory of 1528	1872	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	29
PID 1872 wrote to memory of 1528	1872	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	29
PID 1872 wrote to memory of 1528	1872	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	29
PID 1872 wrote to memory of 1528	1872	ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe	29
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 1528 wrote to memory of 364	1528	BCSSync.exe	30
PID 364 wrote to memory of 1160	364	BCSSync.exe	31
PID 364 wrote to memory of 1160	364	BCSSync.exe	31
PID 364 wrote to memory of 1160	364	BCSSync.exe	31
PID 364 wrote to memory of 1160	364	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
"C:\Users\Admin\AppData\Local\Temp\ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
  "C:\Users\Admin\AppData\Local\Temp\ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ad3a51a9582304c3fa5c342ed215c9bf45c252145cc069f43c454c5a200a044e.exe
        5⤵
        
        PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
73d1f5c6c299639a03ec8f08bc1d3a17

SHA1
f327154a16d8d280d8b1fe64865c4403610a0d56

SHA256
e255c7bf30f43ae705ec2aae34eb5721ee4a7293e4845c5c0cae07b0a47daaea

SHA512
7a89d1726274aac389da1153c4fad2bd4865c79da05f03c1536746d4f229076f8f52ae4a529af1e2d420a0a7070c863a883eb4ea56f124c0fd18db1e733e19af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
73d1f5c6c299639a03ec8f08bc1d3a17

SHA1
f327154a16d8d280d8b1fe64865c4403610a0d56

SHA256
e255c7bf30f43ae705ec2aae34eb5721ee4a7293e4845c5c0cae07b0a47daaea

SHA512
7a89d1726274aac389da1153c4fad2bd4865c79da05f03c1536746d4f229076f8f52ae4a529af1e2d420a0a7070c863a883eb4ea56f124c0fd18db1e733e19af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
73d1f5c6c299639a03ec8f08bc1d3a17

SHA1
f327154a16d8d280d8b1fe64865c4403610a0d56

SHA256
e255c7bf30f43ae705ec2aae34eb5721ee4a7293e4845c5c0cae07b0a47daaea

SHA512
7a89d1726274aac389da1153c4fad2bd4865c79da05f03c1536746d4f229076f8f52ae4a529af1e2d420a0a7070c863a883eb4ea56f124c0fd18db1e733e19af

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
73d1f5c6c299639a03ec8f08bc1d3a17

SHA1
f327154a16d8d280d8b1fe64865c4403610a0d56

SHA256
e255c7bf30f43ae705ec2aae34eb5721ee4a7293e4845c5c0cae07b0a47daaea

SHA512
7a89d1726274aac389da1153c4fad2bd4865c79da05f03c1536746d4f229076f8f52ae4a529af1e2d420a0a7070c863a883eb4ea56f124c0fd18db1e733e19af

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
110KB

MD5
73d1f5c6c299639a03ec8f08bc1d3a17

SHA1
f327154a16d8d280d8b1fe64865c4403610a0d56

SHA256
e255c7bf30f43ae705ec2aae34eb5721ee4a7293e4845c5c0cae07b0a47daaea

SHA512
7a89d1726274aac389da1153c4fad2bd4865c79da05f03c1536746d4f229076f8f52ae4a529af1e2d420a0a7070c863a883eb4ea56f124c0fd18db1e733e19af

Download Submit
memory/364-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/364-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-63-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1872-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download