Analysis

max time kernel: 151s
max time network: 157s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 13:21
Static task: static1

Behavioral task: behavioral1
  Sample: d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
  Resource: win10v2004-20221111-en
General

Target: d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
Size: 64KB
MD5: 656c54728398b591a5cfac76d206e097
SHA1: 13fb21e405360dba19a264b482276676bc51f49f
SHA256: d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80
SHA512: 255c5417327c7e05ac7638323556bfa8763a660adad8120f6d43944154d100d1b7bd81e34c8fdc26c25b4ab8188023298f88238539acb6096406178cabcb0587
SSDEEP: 768:bBwa3wLSqZkETG/j53wbU4oF4/EOi97emHGqn5DLDdQOn2skZI:r3wLSeK/FqU4/PHmHGq5DndQ0272
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1320  BCSSync.exe
  1808  BCSSync.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1204  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
  1204  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe

Unexpected DNS network traffic destination (5 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  83.133.119.139  (5 occurrences)
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 1348 set thread context of 1204  1348  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe  27
  PID 1320 set thread context of 1808  1320  BCSSync.exe                                                             29
  In both rows the target is a child process running the same image as the process that modifies it (see the process tree below); combined with the WriteProcessMemory rows for the same pid pairs, this is the sequence characteristic of process hollowing.
Drops file in Program Files directory (2 IoCs)
  description                   ioc                                                            Process
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe

Drops file in Windows directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\Fonts\2nYrbdFef.com   d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1204  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed into the count column)
  description                   pid   Process                                                                 procid_target  count
  PID 1348 wrote to memory of 1204  1348  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe  27  9
  PID 1204 wrote to memory of 1320  1204  d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe  28  4
  PID 1320 wrote to memory of 1808  1320  BCSSync.exe                                                             29  9
  PID 1808 wrote to memory of 1552  1808  BCSSync.exe                                                             30  4
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe"
  PID: 1348
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe"
    PID: 1204
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
      PID: 1320
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
        PID: 1808
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
          Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
          PID: 1552
          (note the image name "BCSSync .exe", with a space before the extension, next to the dropped "BCSSync.exe" it receives as an argument)
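The following is an added example, not part of the sandbox report or of any tooling it uses. It transcribes the report's SetThreadContext and WriteProcessMemory rows and the process tree above into Python data and applies a simple hollowing rule to them (parent both wrote into a child's memory and replaced one of its thread contexts), walks the 1348 -> 1204 -> 1320 -> 1808 -> 1552 lineage, and flags image names that collide once whitespace is stripped, such as "BCSSync .exe" beside "BCSSync.exe". The rule, the function names and the data layout are this example's own; the pids, paths and counts are taken from the report.

```python
# Added example (not part of the sandbox report): rebuild the injection chain
# from the report's IoC rows and apply a process-hollowing rule to it.
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe")
DROPPED = r"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
LOOKALIKE = r"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe"

# pid -> (image path, parent pid), transcribed from the report's process tree.
PROCESSES = {
    1348: (SAMPLE, None),
    1204: (SAMPLE, 1348),
    1320: (DROPPED, 1204),
    1808: (DROPPED, 1320),
    1552: (LOOKALIKE, 1808),
}

# (api, source pid, target pid, count), transcribed from the report's
# SetThreadContext and WriteProcessMemory rows; repeated rows are collapsed
# into the count column.
EVENTS = [
    ("SetThreadContext", 1348, 1204, 1),
    ("SetThreadContext", 1320, 1808, 1),
    ("WriteProcessMemory", 1348, 1204, 9),
    ("WriteProcessMemory", 1204, 1320, 4),
    ("WriteProcessMemory", 1320, 1808, 9),
    ("WriteProcessMemory", 1808, 1552, 4),
]


def apis_by_pair(events):
    """Group API calls by (source, target) pid pair: {(src, dst): {api: count}}."""
    pairs = defaultdict(lambda: defaultdict(int))
    for api, src, dst, count in events:
        pairs[(src, dst)][api] += count
    return pairs


def hollowing_candidates(processes, events):
    """Return parent->child pairs matching the hollowing sequence.

    Rule (this example's own, not the sandbox's): the source process is the
    target's parent, it wrote into the target's memory AND replaced one of
    its thread contexts.  A write alone (1204 -> 1320 and 1808 -> 1552 in
    the report) does not match; both APIs against a freshly spawned child
    is the classic suspended-child hollowing pattern.
    """
    hits = []
    for (src, dst), apis in apis_by_pair(events).items():
        if "WriteProcessMemory" not in apis or "SetThreadContext" not in apis:
            continue
        dst_image, dst_parent = processes[dst]
        src_image, _ = processes[src]
        if dst_parent != src:
            continue
        hits.append({
            "parent": src,
            "child": dst,
            "same_image": src_image == dst_image,
            "writes": apis["WriteProcessMemory"],
        })
    return sorted(hits, key=lambda h: h["parent"])


def lineage(processes, pid):
    """Walk parent links from pid up to the root; returned root-first."""
    path = []
    while pid is not None:
        path.append(pid)
        pid = processes[pid][1]
    return path[::-1]


def lookalike_images(processes):
    """Find image basenames that collide once whitespace is removed, e.g. the
    tree's 'BCSSync .exe' next to the dropped 'BCSSync.exe'."""
    groups = defaultdict(set)
    for image, _ in processes.values():
        base = image.rsplit("\\", 1)[-1]
        groups[base.replace(" ", "").lower()].add(base)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for hit in hollowing_candidates(PROCESSES, EVENTS):
        print(f"hollowing: {hit['parent']} -> {hit['child']} "
              f"same_image={hit['same_image']} writes={hit['writes']}")
    print("lineage of 1552:", " -> ".join(map(str, lineage(PROCESSES, 1552))))
    print("lookalike images:", lookalike_images(PROCESSES))
```

Run as a script it reports two hollowing pairs (1320 -> 1808 and 1348 -> 1204, both with the child running the parent's own image), the five-process lineage, and the one colliding image name. Requiring both APIs on a parent-child pair is what separates the two hollowing steps from the two ordinary writes in the same report.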
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 64KB
MD5: 4d30ce0b5ab2896bee95e029ab5971ab
SHA1: 247766d61b72e346a53c0662f29e61c77373a490
SHA256: 39f4695be3a26590e0304aad92b20249604a851d3d58e04491a17b4c702889ed
SHA512: 28acdb06ad80da2a4524e72cdacb2b954fd7dda86eb9259f71e78eaadcd942372255af0bcab1ba0ba4382d6e0647b790d3dea20e28bba0bab9e4cb7f8e3f529b