ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32

Analysis

max time kernel
131s
max time network
183s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
Size

112KB
MD5

0a136a4eb6281d7acdf4a5720dbd5420
SHA1

32017fafde92b2d21572b54c1eff731dfae7b72b
SHA256

ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32
SHA512

dcbd2a13ef4ab106bc3d0af026d73d016b2488522202a5ca70f21245964735f07309120529029aaf0c4cf29ab72408cd56652ba223e747cf47caa130cac68d31
SSDEEP

1536:LPqKgbwDeVyAUHwGvVJrYJeyxWxVhkITI5ywWFfB8lBTxe5P1PS:9gbwDKyLwGvTrYkg6BJR6ns5PFS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1424	BCSSync.exe
516	BCSSync.exe
584	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1404	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
1404	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1532 set thread context of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1424 set thread context of 516	1424	BCSSync.exe	30
PID 516 set thread context of 584	516	BCSSync.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\6mSHBnGJY.com	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
584	BCSSync.exe
1404	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
1424	BCSSync.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1800 wrote to memory of 1532	1800	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	27
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1532 wrote to memory of 1404	1532	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	28
PID 1404 wrote to memory of 1424	1404	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	29
PID 1404 wrote to memory of 1424	1404	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	29
PID 1404 wrote to memory of 1424	1404	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	29
PID 1404 wrote to memory of 1424	1404	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	29
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 1424 wrote to memory of 516	1424	BCSSync.exe	30
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 516 wrote to memory of 584	516	BCSSync.exe	31
PID 584 wrote to memory of 780	584	BCSSync.exe	32
PID 584 wrote to memory of 780	584	BCSSync.exe	32
PID 584 wrote to memory of 780	584	BCSSync.exe	32
PID 584 wrote to memory of 780	584	BCSSync.exe	32

C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
"C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
  "C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
    C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:516
      - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        7⤵
        
        PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
e560dd1cae95b1b22e68d89da7dea553

SHA1
1d153c8b20c8040f8a1230d6b75c670324b29157

SHA256
bdbd519b50b6b7e6f62c4382bad793c8a95c1358691ac0057f3048aef0856f07

SHA512
08172c1e47a7da0dbcd9229a211190cef262132ae39d6ca1c15619ea47605e541d83f0c6f3325beaae51293eea4a7efe25f32faa0bcfbacaf96b92aa48b36051

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
e560dd1cae95b1b22e68d89da7dea553

SHA1
1d153c8b20c8040f8a1230d6b75c670324b29157

SHA256
bdbd519b50b6b7e6f62c4382bad793c8a95c1358691ac0057f3048aef0856f07

SHA512
08172c1e47a7da0dbcd9229a211190cef262132ae39d6ca1c15619ea47605e541d83f0c6f3325beaae51293eea4a7efe25f32faa0bcfbacaf96b92aa48b36051

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
e560dd1cae95b1b22e68d89da7dea553

SHA1
1d153c8b20c8040f8a1230d6b75c670324b29157

SHA256
bdbd519b50b6b7e6f62c4382bad793c8a95c1358691ac0057f3048aef0856f07

SHA512
08172c1e47a7da0dbcd9229a211190cef262132ae39d6ca1c15619ea47605e541d83f0c6f3325beaae51293eea4a7efe25f32faa0bcfbacaf96b92aa48b36051

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
e560dd1cae95b1b22e68d89da7dea553

SHA1
1d153c8b20c8040f8a1230d6b75c670324b29157

SHA256
bdbd519b50b6b7e6f62c4382bad793c8a95c1358691ac0057f3048aef0856f07

SHA512
08172c1e47a7da0dbcd9229a211190cef262132ae39d6ca1c15619ea47605e541d83f0c6f3325beaae51293eea4a7efe25f32faa0bcfbacaf96b92aa48b36051

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
e560dd1cae95b1b22e68d89da7dea553

SHA1
1d153c8b20c8040f8a1230d6b75c670324b29157

SHA256
bdbd519b50b6b7e6f62c4382bad793c8a95c1358691ac0057f3048aef0856f07

SHA512
08172c1e47a7da0dbcd9229a211190cef262132ae39d6ca1c15619ea47605e541d83f0c6f3325beaae51293eea4a7efe25f32faa0bcfbacaf96b92aa48b36051

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
112KB

MD5
e560dd1cae95b1b22e68d89da7dea553

SHA1
1d153c8b20c8040f8a1230d6b75c670324b29157

SHA256
bdbd519b50b6b7e6f62c4382bad793c8a95c1358691ac0057f3048aef0856f07

SHA512
08172c1e47a7da0dbcd9229a211190cef262132ae39d6ca1c15619ea47605e541d83f0c6f3325beaae51293eea4a7efe25f32faa0bcfbacaf96b92aa48b36051

Download Submit
memory/516-96-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/584-103-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/584-100-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-74-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-71-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1404-104-0x0000000073E91000-0x0000000073E93000-memory.dmp

Filesize
8KB

Download
memory/1404-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1404-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1532-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1532-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1532-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1532-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download