Overview

overview

7

Static

static

3

004c577988...3e.exe

windows7-x64

7

004c577988...3e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    165s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    004c577988aa60a83cf44bc796dea53e.exe

  • Size

    34KB

  • MD5

    004c577988aa60a83cf44bc796dea53e

  • SHA1

    c66d80416dbe145f138cd54a9e2d167bd44e06ca

  • SHA256

    d47317356bb7d44069e7c38cbb8deb3e1bc472ec90fe270b0ef85f1a6bde67b5

  • SHA512

    da23a3ca1d01e278b168353114339e3d46fca8d6ae5a28d566450b04f4fc8ec3f5c68d3a53f385417475f3275107a0fc264f4e5da57a1bbe49818a81481183bb

  • SSDEEP

    768:TdaYVyu0KnshGZxpv/ncZfgp/6PVo1I/C1setyWvyenC2leD1U:5aeyfheJnG496Pzq1VQWmDU

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\004c577988aa60a83cf44bc796dea53e.exe
    "C:\Users\Admin\AppData\Local\Temp\004c577988aa60a83cf44bc796dea53e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Users\Admin\AppData\Local\Temp\004c577988aa60a83cf44bc796dea53e.exe
      "C:\Users\Admin\AppData\Local\Temp\004c577988aa60a83cf44bc796dea53e.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\004c577988aa60a83cf44bc796dea53e.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
          "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\004c577988aa60a83cf44bc796dea53e.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
            "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\004c577988aa60a83cf44bc796dea53e.exe
            5⤵
              PID:3004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Filesize

      34KB

      MD5

      3d47b5ddba696d4d0e12c9963aca4b8f

      SHA1

      2538173663ffca43d2c259a78a030336d0f97a78

      SHA256

      60ac60f3b5175149f9412fad076d22ba923dc876e1c3626a0c0811196fda79e9

      SHA512

      6e78aa6dddc9b4a3ad605175606a8f768af2924b81637e997fc3da0040a6df7de97cd0e06ad7dc5cee3bdf9f04487db5d55c640ae3a94ab5891a2526033dff68

      Download Submit

    • memory/2544-48-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-0-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-2-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-4-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-6-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-8-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-10-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-12-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-13-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2764-14-0x0000000010000000-0x000000001000A000-memory.dmp

      Filesize

      40KB

      Download