c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
Size

39KB
MD5

9095f97c2b572c69ae7222986f536bcf
SHA1

993ff33d3f3cad8e8304b018af07e646f0b90cc3
SHA256

c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8
SHA512

bf8f4eb9e8a9a28295ae9f03169763e5e7f80988d0f3e1f6bafd0a60f415bea36cbf026acbd9008450a8b8ad06427a4c3e47115de37f35ad1f4cbed11d147d4d
SSDEEP

768:FdvbdxXQLIt4RwpQsxM81RJ7taJ0au0eOmN3q:FVXY14r1taSaPeJRq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
320	BCSSync.exe
1760	BCSSync.exe
2028	2nYrbdFef.com
2020	2nYrbdFef.com

Loads dropped DLL 2 IoCs

pid	Process
1356	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
1356	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2nYrbdFef.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 320 set thread context of 1760	320	BCSSync.exe	28
PID 2028 set thread context of 2020	2028	2nYrbdFef.com	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\2nYrbdFef.com	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	2nYrbdFef.com
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2nYrbdFef.com
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2nYrbdFef.com
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	2nYrbdFef.com
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2nYrbdFef.com
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2nYrbdFef.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1356	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
1760	BCSSync.exe
2020	2nYrbdFef.com

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1256 wrote to memory of 1356	1256	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	26
PID 1356 wrote to memory of 320	1356	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	27
PID 1356 wrote to memory of 320	1356	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	27
PID 1356 wrote to memory of 320	1356	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	27
PID 1356 wrote to memory of 320	1356	c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe	27
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 320 wrote to memory of 1760	320	BCSSync.exe	28
PID 1760 wrote to memory of 684	1760	BCSSync.exe	29
PID 1760 wrote to memory of 684	1760	BCSSync.exe	29
PID 1760 wrote to memory of 684	1760	BCSSync.exe	29
PID 1760 wrote to memory of 684	1760	BCSSync.exe	29
PID 1520 wrote to memory of 2028	1520	taskeng.exe	31
PID 1520 wrote to memory of 2028	1520	taskeng.exe	31
PID 1520 wrote to memory of 2028	1520	taskeng.exe	31
PID 1520 wrote to memory of 2028	1520	taskeng.exe	31
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32
PID 2028 wrote to memory of 2020	2028	2nYrbdFef.com	32

C:\Users\Admin\AppData\Local\Temp\c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
"C:\Users\Admin\AppData\Local\Temp\c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
  C:\Users\Admin\AppData\Local\Temp\c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        
        PID:684

C:\Windows\system32\taskeng.exe
taskeng.exe {A9D32888-17CF-4802-B98F-37FC88DCFE88} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\Fonts\2nYrbdFef.com
  C:\Windows\Fonts\2nYrbdFef.com
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\Fonts\2nYrbdFef.com
    C:\Windows\Fonts\2nYrbdFef.com
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
d8e8913de1f4c975e75990cd826de27b

SHA1
4bc4d9ce8ebd456e715daf028641e520a1f35391

SHA256
7738cc1f7604afc8fed37ff1eed9a1e4f55a9bf91f81270ab1dad31ac9fc152a

SHA512
b943f97bc4ab8a43e7823e846781da54cb0120710e5984aa8d78c593a1e8331cc79273ed2bebe4b3ef05527e219aea108516608ce36f003a7d2f5c39c836e174

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
d8e8913de1f4c975e75990cd826de27b

SHA1
4bc4d9ce8ebd456e715daf028641e520a1f35391

SHA256
7738cc1f7604afc8fed37ff1eed9a1e4f55a9bf91f81270ab1dad31ac9fc152a

SHA512
b943f97bc4ab8a43e7823e846781da54cb0120710e5984aa8d78c593a1e8331cc79273ed2bebe4b3ef05527e219aea108516608ce36f003a7d2f5c39c836e174

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
d8e8913de1f4c975e75990cd826de27b

SHA1
4bc4d9ce8ebd456e715daf028641e520a1f35391

SHA256
7738cc1f7604afc8fed37ff1eed9a1e4f55a9bf91f81270ab1dad31ac9fc152a

SHA512
b943f97bc4ab8a43e7823e846781da54cb0120710e5984aa8d78c593a1e8331cc79273ed2bebe4b3ef05527e219aea108516608ce36f003a7d2f5c39c836e174

Download Submit
C:\Windows\Fonts\2nYrbdFef.com

Filesize
39KB

MD5
9095f97c2b572c69ae7222986f536bcf

SHA1
993ff33d3f3cad8e8304b018af07e646f0b90cc3

SHA256
c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8

SHA512
bf8f4eb9e8a9a28295ae9f03169763e5e7f80988d0f3e1f6bafd0a60f415bea36cbf026acbd9008450a8b8ad06427a4c3e47115de37f35ad1f4cbed11d147d4d

Download Submit
C:\Windows\Fonts\2nYrbdFef.com

Filesize
39KB

MD5
9095f97c2b572c69ae7222986f536bcf

SHA1
993ff33d3f3cad8e8304b018af07e646f0b90cc3

SHA256
c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8

SHA512
bf8f4eb9e8a9a28295ae9f03169763e5e7f80988d0f3e1f6bafd0a60f415bea36cbf026acbd9008450a8b8ad06427a4c3e47115de37f35ad1f4cbed11d147d4d

Download Submit
C:\Windows\Fonts\2nYrbdFef.com

Filesize
39KB

MD5
9095f97c2b572c69ae7222986f536bcf

SHA1
993ff33d3f3cad8e8304b018af07e646f0b90cc3

SHA256
c01a15c10fee0f14af6f82ee171eff09f8941dcdf5cc60866454a928f1eddee8

SHA512
bf8f4eb9e8a9a28295ae9f03169763e5e7f80988d0f3e1f6bafd0a60f415bea36cbf026acbd9008450a8b8ad06427a4c3e47115de37f35ad1f4cbed11d147d4d

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
d8e8913de1f4c975e75990cd826de27b

SHA1
4bc4d9ce8ebd456e715daf028641e520a1f35391

SHA256
7738cc1f7604afc8fed37ff1eed9a1e4f55a9bf91f81270ab1dad31ac9fc152a

SHA512
b943f97bc4ab8a43e7823e846781da54cb0120710e5984aa8d78c593a1e8331cc79273ed2bebe4b3ef05527e219aea108516608ce36f003a7d2f5c39c836e174

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
d8e8913de1f4c975e75990cd826de27b

SHA1
4bc4d9ce8ebd456e715daf028641e520a1f35391

SHA256
7738cc1f7604afc8fed37ff1eed9a1e4f55a9bf91f81270ab1dad31ac9fc152a

SHA512
b943f97bc4ab8a43e7823e846781da54cb0120710e5984aa8d78c593a1e8331cc79273ed2bebe4b3ef05527e219aea108516608ce36f003a7d2f5c39c836e174

Download Submit
memory/1356-63-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-84-0x0000000074561000-0x0000000074563000-memory.dmp

Filesize
8KB

Download
memory/1356-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1356-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1760-88-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1760-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-104-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-105-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download