Overview

overview

8

Static

static

bbee32736d...30.exe

windows7-x64

8

bbee32736d...30.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    138s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 13:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe

  • Size

    98KB

  • MD5

    1b7e24e3e1c10083f90bc9948d11611d

  • SHA1

    438911aa61ebbc78e992ba5ddf1f96adea3ac3f8

  • SHA256

    bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930

  • SHA512

    f212f16e578426f3ca9e8c528c5557bc88ef89d2eec820ae2aac91e6ba9cff0ac665b9b05c45e293a25d77d351ff1c64d4c6fb28eca0d8efd7fab000dfc14131

  • SSDEEP

    3072:46V87r/x8BZ/rWLfSo15FteivzoAkQpyTphpnf:46er/c6eo1HteMoS4fpnf

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe
    "C:\Users\Admin\AppData\Local\Temp\bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe
      "C:\Users\Admin\AppData\Local\Temp\bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
          "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
            "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\bbee32736d4e92febb0219e452e3d351366bf72821b8766576a9e4a4882f0930.exe
            5⤵
              PID:756

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Filesize

            98KB

            MD5

            64d803f8362bbad1f97d0182df20f04e

            SHA1

            490bf3827395fab2c1dbc0beb3a19f641d09ed05

            SHA256

            e6f36f7d8fe32d8e1b904c202cdfffa12c35f7cd5cf6fe5909177fc81fac1003

            SHA512

            70d8ea5123f29d0619cc9914e9168bc8e0ead600129a0a45b1a68bf7a03cfdd92de1726334eca0e31058dcfb3ecdcc6aac515e8d7d2f096f249c67ca3da9d636

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Filesize

            98KB

            MD5

            64d803f8362bbad1f97d0182df20f04e

            SHA1

            490bf3827395fab2c1dbc0beb3a19f641d09ed05

            SHA256

            e6f36f7d8fe32d8e1b904c202cdfffa12c35f7cd5cf6fe5909177fc81fac1003

            SHA512

            70d8ea5123f29d0619cc9914e9168bc8e0ead600129a0a45b1a68bf7a03cfdd92de1726334eca0e31058dcfb3ecdcc6aac515e8d7d2f096f249c67ca3da9d636

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Filesize

            98KB

            MD5

            64d803f8362bbad1f97d0182df20f04e

            SHA1

            490bf3827395fab2c1dbc0beb3a19f641d09ed05

            SHA256

            e6f36f7d8fe32d8e1b904c202cdfffa12c35f7cd5cf6fe5909177fc81fac1003

            SHA512

            70d8ea5123f29d0619cc9914e9168bc8e0ead600129a0a45b1a68bf7a03cfdd92de1726334eca0e31058dcfb3ecdcc6aac515e8d7d2f096f249c67ca3da9d636

            Download Submit

          • \Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Filesize

            98KB

            MD5

            64d803f8362bbad1f97d0182df20f04e

            SHA1

            490bf3827395fab2c1dbc0beb3a19f641d09ed05

            SHA256

            e6f36f7d8fe32d8e1b904c202cdfffa12c35f7cd5cf6fe5909177fc81fac1003

            SHA512

            70d8ea5123f29d0619cc9914e9168bc8e0ead600129a0a45b1a68bf7a03cfdd92de1726334eca0e31058dcfb3ecdcc6aac515e8d7d2f096f249c67ca3da9d636

            Download Submit

          • \Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Filesize

            98KB

            MD5

            64d803f8362bbad1f97d0182df20f04e

            SHA1

            490bf3827395fab2c1dbc0beb3a19f641d09ed05

            SHA256

            e6f36f7d8fe32d8e1b904c202cdfffa12c35f7cd5cf6fe5909177fc81fac1003

            SHA512

            70d8ea5123f29d0619cc9914e9168bc8e0ead600129a0a45b1a68bf7a03cfdd92de1726334eca0e31058dcfb3ecdcc6aac515e8d7d2f096f249c67ca3da9d636

            Download Submit

          • \Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Filesize

            98KB

            MD5

            64d803f8362bbad1f97d0182df20f04e

            SHA1

            490bf3827395fab2c1dbc0beb3a19f641d09ed05

            SHA256

            e6f36f7d8fe32d8e1b904c202cdfffa12c35f7cd5cf6fe5909177fc81fac1003

            SHA512

            70d8ea5123f29d0619cc9914e9168bc8e0ead600129a0a45b1a68bf7a03cfdd92de1726334eca0e31058dcfb3ecdcc6aac515e8d7d2f096f249c67ca3da9d636

            Download Submit

          • memory/896-60-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/896-56-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/896-65-0x0000000010000000-0x000000001000A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/896-69-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/896-95-0x0000000074AF1000-0x0000000074AF3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/896-63-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/896-54-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/896-58-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/896-57-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/896-64-0x0000000075D01000-0x0000000075D03000-memory.dmp

            Filesize

            8KB

            Download

          • memory/896-55-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2008-92-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download