c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35

General

Target

c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
Size

36KB
MD5

553e7c7638ec35206ac302afa0658b6a
SHA1

da99cbdc74aea7ebeb0066ab8052fc8e994906bf
SHA256

c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35
SHA512

1914104b24598bd7b5d58b866bb36d4dd24532ea086c27a5ddfc617646a9925e01678372f5cbb5560ee44c2ff7ad59e377da4faa311dd5a3ee2d2bcf102c7892
SSDEEP

768:11W040tQdCcUeWMZzOVT96APRAvV7dwgDQK:G0DcU4Z0BJPyV7ugUK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2024	BCSSync.exe
2000	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1080	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
1080	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2024 set thread context of 2000	2024	BCSSync.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\2nYrbdFef.com	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1080	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 2016 wrote to memory of 1080	2016	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	26
PID 1080 wrote to memory of 2024	1080	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	27
PID 1080 wrote to memory of 2024	1080	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	27
PID 1080 wrote to memory of 2024	1080	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	27
PID 1080 wrote to memory of 2024	1080	c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe	27
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2024 wrote to memory of 2000	2024	BCSSync.exe	28
PID 2000 wrote to memory of 848	2000	BCSSync.exe	29
PID 2000 wrote to memory of 848	2000	BCSSync.exe	29
PID 2000 wrote to memory of 848	2000	BCSSync.exe	29
PID 2000 wrote to memory of 848	2000	BCSSync.exe	29

C:\Users\Admin\AppData\Local\Temp\c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
"C:\Users\Admin\AppData\Local\Temp\c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
  "C:\Users\Admin\AppData\Local\Temp\c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c615ae51f1926d2c6778fdff75f2658d2fe781d3d20bdc475c3dee2478ad9c35.exe
        5⤵
        
        PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
b949dd1293f605d37bff11d0a811a835

SHA1
c7df8d949aba369c5826c0c2f0e507c9992032bb

SHA256
e8f34116050b4672ee9a5b109449139cbf29a3fe12de3335cfcbdc318ec0f837

SHA512
a5a132b664c334b45e5142839058ddf7fc27959efcb1256455063f93ba7bfbf5a7b831963c2d3e82c294df1b17748556020bbfeb15af952896e832e3f87fa658

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
b949dd1293f605d37bff11d0a811a835

SHA1
c7df8d949aba369c5826c0c2f0e507c9992032bb

SHA256
e8f34116050b4672ee9a5b109449139cbf29a3fe12de3335cfcbdc318ec0f837

SHA512
a5a132b664c334b45e5142839058ddf7fc27959efcb1256455063f93ba7bfbf5a7b831963c2d3e82c294df1b17748556020bbfeb15af952896e832e3f87fa658

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
b949dd1293f605d37bff11d0a811a835

SHA1
c7df8d949aba369c5826c0c2f0e507c9992032bb

SHA256
e8f34116050b4672ee9a5b109449139cbf29a3fe12de3335cfcbdc318ec0f837

SHA512
a5a132b664c334b45e5142839058ddf7fc27959efcb1256455063f93ba7bfbf5a7b831963c2d3e82c294df1b17748556020bbfeb15af952896e832e3f87fa658

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
b949dd1293f605d37bff11d0a811a835

SHA1
c7df8d949aba369c5826c0c2f0e507c9992032bb

SHA256
e8f34116050b4672ee9a5b109449139cbf29a3fe12de3335cfcbdc318ec0f837

SHA512
a5a132b664c334b45e5142839058ddf7fc27959efcb1256455063f93ba7bfbf5a7b831963c2d3e82c294df1b17748556020bbfeb15af952896e832e3f87fa658

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
b949dd1293f605d37bff11d0a811a835

SHA1
c7df8d949aba369c5826c0c2f0e507c9992032bb

SHA256
e8f34116050b4672ee9a5b109449139cbf29a3fe12de3335cfcbdc318ec0f837

SHA512
a5a132b664c334b45e5142839058ddf7fc27959efcb1256455063f93ba7bfbf5a7b831963c2d3e82c294df1b17748556020bbfeb15af952896e832e3f87fa658

Download Submit
memory/848-93-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-64-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1080-65-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1080-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-61-0x0000000000401A40-mapping.dmp

Download
memory/1080-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1080-92-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/2000-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-82-0x0000000000401A40-mapping.dmp

Download
memory/2024-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing