Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 19:40
Static task: static1
Behavioral task: behavioral1
  Sample: 0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
  Resource: win10v2004-20231215-en
General
Target: 0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
Size: 37KB
MD5: 0e3719ddb5e80a1d7a0a8a39dfa73c4f
SHA1: 166c018037b7df6437bee180add5342ebf487489
SHA256: 9d64529e7bcffc3fe405cc0d15cb8d1a2d6ccfbc76c592e1643d1ba84997579e
SHA512: d7fdcbf2a17a9276b4c81ac0d9fd110056f61b48a36aa9747daf86276c2540ccf4f9394ae060bca443d6d96c5ca4fd2311db48d087e992da2ceac54aef78be7f
SSDEEP: 768:XgQkYItDn0dXfeGXHizJq4sZN18pXvnemTrIavNrLg87sBJK:w/RVnSX2GCJqtDeeOIah98K
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid   Process
2480  BCSSync.exe
3004  BCSSync.exe

Loads dropped DLL 2 IoCs
pid   Process
2552  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
2552  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
Unexpected DNS network traffic destination 10 IoCs
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
description     ioc
Destination IP  50.7.247.251 (reported 10 times)
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process                               procid_target
PID 1156 set thread context of 2552  1156  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe  24
PID 2480 set thread context of 3004  2480  BCSSync.exe                           30
Drops file in Program Files directory 2 IoCs
description                   ioc                                                           Process
File created                  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe

Drops file in Windows directory 1 IoCs
description   ioc                          Process
File created  C:\Windows\Fonts\2i12hR.com  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2552  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
3004  BCSSync.exe
Suspicious use of WriteProcessMemory 26 IoCs
description                       pid   Process                               procid_target  occurrences
PID 1156 wrote to memory of 2552  1156  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe  24             9
PID 2552 wrote to memory of 2480  2552  0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe  29             4
PID 2480 wrote to memory of 3004  2480  BCSSync.exe                           30             9
PID 3004 wrote to memory of 2616  3004  BCSSync.exe                           31             4
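Added example, not part of the Triage report: the logic behind the "Unexpected DNS network traffic destination" signature above, plus the follow-up check an analyst wants next, namely whether the port-53 traffic to the unexpected host is actually DNS wire format or just something else riding on port 53. The resolver set, the sample flows and the payloads are constructed here (the report gives only the destination IP and the count), so they are assumptions, not data from the sandbox.

```python
import struct
from collections import Counter

# Assumed resolver set for the sandbox VM (not taken from the report; in a real
# run read it from the guest's network configuration).
CONFIGURED_DNS = {"8.8.8.8", "8.8.4.4"}
DNS_PORT = 53


def looks_like_dns_query(payload: bytes) -> bool:
    """Cheap wire-format sanity check: a standard query with exactly one
    question and a well-formed, uncompressed QNAME. Lenient about a single
    trailing EDNS OPT record, strict about everything else."""
    if len(payload) < 17:                         # header + root name + QTYPE + QCLASS
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                            # QR=1 is a response, not a query
        return False
    if ((flags >> 11) & 0xF) != 0:                # opcode must be QUERY
        return False
    if qd != 1 or an != 0 or ns != 0 or ar > 1:
        return False
    pos, name_len = 12, 0
    while True:
        if pos >= len(payload):
            return False
        label = payload[pos]
        pos += 1
        if label == 0:                            # root label terminates the name
            break
        if label & 0xC0:                          # compression pointer / label > 63: not a query name
            return False
        name_len += label + 1
        if name_len > 255:
            return False
        pos += label
    return len(payload) >= pos + 4                # QTYPE + QCLASS must follow


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed standard query (RD set, no EDNS); only used to make the
    sample flows realistic."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def unexpected_dns_destinations(flows, configured=CONFIGURED_DNS):
    """flows: iterable of (proto, dst_ip, dst_port, payload).
    Returns {dst_ip: (packets on port 53, packets that parse as DNS queries)}
    for every port-53 destination that is not a configured resolver."""
    total, dns_like = Counter(), Counter()
    for proto, ip, port, payload in flows:
        if port != DNS_PORT or ip in configured:
            continue
        total[ip] += 1
        if proto == "udp" and looks_like_dns_query(payload):
            dns_like[ip] += 1
    return {ip: (total[ip], dns_like[ip]) for ip in total}


# Constructed sample: two lookups to a configured resolver, ten port-53 packets
# to the IP the report flags (payloads here are a made-up TLS-record-shaped
# blob, not captured from the sample), one TCP/443 flow, and one genuine-looking
# query to a non-configured resolver to show the two cases apart.
NOT_DNS_BLOB = b"\x17\x03\x03\x00\x2a" + bytes(range(42))
SAMPLE_FLOWS = (
    [("udp", "8.8.8.8", 53, build_query("example.com"))] * 2
    + [("udp", "50.7.247.251", 53, NOT_DNS_BLOB)] * 10
    + [("tcp", "50.7.247.251", 443, b"")]
    + [("udp", "9.9.9.9", 53, build_query("example.com"))]
)

if __name__ == "__main__":
    for ip, (seen, parsed) in unexpected_dns_destinations(SAMPLE_FLOWS).items():
        print(f"Destination IP {ip}: {seen} packets on port 53, {parsed} parse as DNS queries")
```

A destination that is outside the configured resolver set but whose traffic parses cleanly as DNS is usually a hard-coded alternative resolver; one whose port-53 traffic does not parse at all is the case worth pulling the PCAP for. The check does not cover DNS over TLS or HTTPS, which never touch port 53, and a Windows stub resolver normally appends an EDNS OPT record, which is why one additional record is tolerated.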
Processes
1. C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe"
   PID: 1156
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
      PID: 2552
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
         Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe
         PID: 2480
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
            PID: 3004
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe (image path as recorded by the sandbox, including the space before ".exe")
               Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
               PID: 2616
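Added example, not code from the Triage report or from the sample: the three checks an analyst runs over a process tree like the one above, written against records transcribed from the tables on this page (process creations, the SetThreadContext and WriteProcessMemory edges, and the two file creations). The same-image parent/child rule plus a SetThreadContext/WriteProcessMemory pair on that edge is the classic process-hollowing shape; the other two checks flag a dropped file that is later run as a process and image names in one directory that differ only by whitespace. The record structures and function names are this example's own.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Paths exactly as the report records them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0e3719ddb5e80a1d7a0a8a39dfa73c4f.exe"
OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"
DROPPED = OFFICE14 + r"\BCSSync.exe"
DROPPED_SPACED = OFFICE14 + r"\BCSSync .exe"   # the space is in the recorded path, not a typo here

# pid -> (parent pid, image path), transcribed from the process tree above.
PROCS: Dict[int, Tuple[Optional[int], str]] = {
    1156: (None, SAMPLE),
    2552: (1156, SAMPLE),
    2480: (2552, DROPPED),
    3004: (2480, DROPPED),
    2616: (3004, DROPPED_SPACED),
}

# (api, source pid, target pid, occurrences), from the signature tables above.
API_EVENTS = [
    ("WriteProcessMemory", 1156, 2552, 9),
    ("SetThreadContext",   1156, 2552, 1),
    ("WriteProcessMemory", 2552, 2480, 4),
    ("WriteProcessMemory", 2480, 3004, 9),
    ("SetThreadContext",   2480, 3004, 1),
    ("WriteProcessMemory", 3004, 2616, 4),
]

# (creating pid, path) for the "File created" events above.
FILE_CREATES = [(2552, DROPPED), (2552, r"C:\Windows\Fonts\2i12hR.com")]


def _norm(path: str) -> str:
    return path.lower()


def hollowing_candidates(procs, api_events) -> List[Tuple[int, int, str]]:
    """Parent spawns a child with the same image, then both writes its memory
    and resets a thread context: the usual shape of process hollowing.
    Returns (parent pid, child pid, image)."""
    calls = defaultdict(set)
    for api, src, dst, _n in api_events:
        calls[(src, dst)].add(api)
    out = []
    for pid, (ppid, image) in procs.items():
        if ppid is None or ppid not in procs:
            continue
        if _norm(procs[ppid][1]) != _norm(image):
            continue
        if {"WriteProcessMemory", "SetThreadContext"} <= calls[(ppid, pid)]:
            out.append((ppid, pid, image))
    return sorted(out)


def dropped_and_executed(procs, file_creates) -> List[Tuple[int, int, str]]:
    """A path written by one process that later shows up as a process image.
    Returns (creator pid, executing pid, image)."""
    created = {_norm(path): creator for creator, path in file_creates}
    out = []
    for pid, (_ppid, image) in procs.items():
        if _norm(image) in created:
            out.append((created[_norm(image)], pid, image))
    return sorted(out)


def whitespace_lookalikes(procs) -> List[Tuple[str, ...]]:
    """Image names in the same directory that collapse to one name once
    whitespace and case are removed, e.g. 'BCSSync.exe' next to 'BCSSync .exe'."""
    by_dir = defaultdict(set)
    for _pid, (_ppid, image) in procs.items():
        directory, _, name = image.rpartition("\\")
        by_dir[_norm(directory)].add(name)
    out = []
    for names in by_dir.values():
        canon = defaultdict(set)
        for name in names:
            canon["".join(name.lower().split())].add(name)
        out.extend(tuple(sorted(g)) for g in canon.values() if len(g) > 1)
    return sorted(out)


if __name__ == "__main__":
    print("hollowing candidates:", hollowing_candidates(PROCS, API_EVENTS))
    print("dropped then executed:", dropped_and_executed(PROCS, FILE_CREATES))
    print("whitespace look-alikes:", whitespace_lookalikes(PROCS))
```

The same-image rule deliberately does not flag the 2552 to 2480 and 3004 to 2616 edges: there the parent writes into a child with a different image and never calls SetThreadContext, which is a different pattern and needs the child's memory dump, not the API counts, to classify. Applied to the tree above, the hollowing rule returns the two edges that carry both APIs (1156 to 2552 and 2480 to 3004), the drop check returns the BCSSync.exe written by 2552 and run as 2480 and 3004, and the look-alike check returns the "BCSSync .exe" / "BCSSync.exe" pair.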
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 37KB
MD5: 8878358e1fabeb4e57dd5fca976bf541
SHA1: 8e4d1a943672142b449ee2c1341bc806a8b01632
SHA256: e3e731ff17bec91397898df8d6f0541c8613b70ed9bb593714082d08a09da5ab
SHA512: 11126cd2171d553d0c1b1b1033b65603da33b1afecde83b01a0e99a0595806ad1620c24cdab04352dd85fe197d1e89aea86abddece79e5e586cd3f85ff8311e4