9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16

General

Target

9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
Size

92KB
MD5

83c3c3fe26586dbd6953c8004e589a45
SHA1

9f89d488b56089c761f416ff6075109e9238df9a
SHA256

9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16
SHA512

ddfc9c89b12d87e1a0f6dbf2170e5f5292dd8fb58ce19802fb5d8fde7a38cdc5309506aea3f5a1a29741e6e4542f23e48e12b2c38a42b2be6d35326d4d093a28
SSDEEP

1536:nACq1TOVAwU2DMwJtYon4z9L1TTS4is5tw6IbCzsiJ8qhHGP2AHBJhx4oM:ACq1TTYJio4zTRnw6IbCzs29hHy2AHBW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	BCSSync.exe
1804	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
824	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
824	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1116 set thread context of 1804	1116	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\2nYrbdFef.com	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
824	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 1300 wrote to memory of 824	1300	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	27
PID 824 wrote to memory of 1116	824	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	28
PID 824 wrote to memory of 1116	824	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	28
PID 824 wrote to memory of 1116	824	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	28
PID 824 wrote to memory of 1116	824	9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe	28
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1116 wrote to memory of 1804	1116	BCSSync.exe	29
PID 1804 wrote to memory of 1332	1804	BCSSync.exe	30
PID 1804 wrote to memory of 1332	1804	BCSSync.exe	30
PID 1804 wrote to memory of 1332	1804	BCSSync.exe	30
PID 1804 wrote to memory of 1332	1804	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
"C:\Users\Admin\AppData\Local\Temp\9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
  "C:\Users\Admin\AppData\Local\Temp\9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9d75b4f7dbfba853cc3fca2f5402826ba23c4d2b405a62cd2eda4e8ad70e2e16.exe
        5⤵
        
        PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
a09d6c223b00516cadfaf4b49461c34f

SHA1
32a9abc2ba66bce242c270497c2f2c2d90a8e786

SHA256
f00e64846dbe1a6a57e2d5ffe8a2121628ff9a56581e6672e71c8a7ebb4007d1

SHA512
00c094871a9b4ef8eeeaa053722b3393f39357cb54680782c3878038a1cf39e964ea650ae9e2203fa08b2e361f586b90a6347c22587a961206e0c009e94e6c72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
a09d6c223b00516cadfaf4b49461c34f

SHA1
32a9abc2ba66bce242c270497c2f2c2d90a8e786

SHA256
f00e64846dbe1a6a57e2d5ffe8a2121628ff9a56581e6672e71c8a7ebb4007d1

SHA512
00c094871a9b4ef8eeeaa053722b3393f39357cb54680782c3878038a1cf39e964ea650ae9e2203fa08b2e361f586b90a6347c22587a961206e0c009e94e6c72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
a09d6c223b00516cadfaf4b49461c34f

SHA1
32a9abc2ba66bce242c270497c2f2c2d90a8e786

SHA256
f00e64846dbe1a6a57e2d5ffe8a2121628ff9a56581e6672e71c8a7ebb4007d1

SHA512
00c094871a9b4ef8eeeaa053722b3393f39357cb54680782c3878038a1cf39e964ea650ae9e2203fa08b2e361f586b90a6347c22587a961206e0c009e94e6c72

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
a09d6c223b00516cadfaf4b49461c34f

SHA1
32a9abc2ba66bce242c270497c2f2c2d90a8e786

SHA256
f00e64846dbe1a6a57e2d5ffe8a2121628ff9a56581e6672e71c8a7ebb4007d1

SHA512
00c094871a9b4ef8eeeaa053722b3393f39357cb54680782c3878038a1cf39e964ea650ae9e2203fa08b2e361f586b90a6347c22587a961206e0c009e94e6c72

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
a09d6c223b00516cadfaf4b49461c34f

SHA1
32a9abc2ba66bce242c270497c2f2c2d90a8e786

SHA256
f00e64846dbe1a6a57e2d5ffe8a2121628ff9a56581e6672e71c8a7ebb4007d1

SHA512
00c094871a9b4ef8eeeaa053722b3393f39357cb54680782c3878038a1cf39e964ea650ae9e2203fa08b2e361f586b90a6347c22587a961206e0c009e94e6c72

Download Submit
memory/824-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/824-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/824-64-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/824-65-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/824-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/824-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/824-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/824-92-0x0000000074241000-0x0000000074243000-memory.dmp

Filesize
8KB

Download
memory/824-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/824-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/824-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1804-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing