eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb

General

Target

eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
Size

37KB
MD5

03cd6b1b551f243fa92a816c1e6b3c87
SHA1

3bd4310b99d2114549b99809b2020848dc7ad43f
SHA256

eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb
SHA512

6e24b62ac77e3ac39b0f19c643223ffef46f59cdff93e6b774990648113217d28f86d336bffba416f05cf8ad2a3b40996c1ee0e1499a45ed8eea5c2c7c3941e0
SSDEEP

768:C42I2yadMFCI342H0QNzR8AvNL9U8C4jhB1IgyleJ7mSwlNLjvLOwvf/8WKNQdT:YgCIxUQtR8+NL9U8JjpyY1mfjjvLfMWz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1096	BCSSync.exe
2020	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
1640	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 1096 set thread context of 2020	1096	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\8k2o44.com	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	BCSSync.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 832 wrote to memory of 1640	832	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	27
PID 1640 wrote to memory of 1096	1640	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	28
PID 1640 wrote to memory of 1096	1640	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	28
PID 1640 wrote to memory of 1096	1640	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	28
PID 1640 wrote to memory of 1096	1640	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	28
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 1096 wrote to memory of 2020	1096	BCSSync.exe	29
PID 2020 wrote to memory of 1712	2020	BCSSync.exe	30
PID 2020 wrote to memory of 1712	2020	BCSSync.exe	30
PID 2020 wrote to memory of 1712	2020	BCSSync.exe	30
PID 2020 wrote to memory of 1712	2020	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
"C:\Users\Admin\AppData\Local\Temp\eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
  "C:\Users\Admin\AppData\Local\Temp\eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
        5⤵
        
        PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
e6e16aadfd38cbf6d9fc029fb745d139

SHA1
1de3c54e137b1ddc0d81efc6229ca030d538d75a

SHA256
270b4bc5a72847d0c0c8c237cebb648befbf117d3886335b194bbc307df93859

SHA512
2d8b87f9651eaa63d81ec20448956c7c65fb3a43ca7da682b35c5047ee6fdd216552710182bb2f7aeb5db5fe2cff0ad5df55ae963d5c87e8d7e9f161fba0b019

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
e6e16aadfd38cbf6d9fc029fb745d139

SHA1
1de3c54e137b1ddc0d81efc6229ca030d538d75a

SHA256
270b4bc5a72847d0c0c8c237cebb648befbf117d3886335b194bbc307df93859

SHA512
2d8b87f9651eaa63d81ec20448956c7c65fb3a43ca7da682b35c5047ee6fdd216552710182bb2f7aeb5db5fe2cff0ad5df55ae963d5c87e8d7e9f161fba0b019

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
e6e16aadfd38cbf6d9fc029fb745d139

SHA1
1de3c54e137b1ddc0d81efc6229ca030d538d75a

SHA256
270b4bc5a72847d0c0c8c237cebb648befbf117d3886335b194bbc307df93859

SHA512
2d8b87f9651eaa63d81ec20448956c7c65fb3a43ca7da682b35c5047ee6fdd216552710182bb2f7aeb5db5fe2cff0ad5df55ae963d5c87e8d7e9f161fba0b019

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
e6e16aadfd38cbf6d9fc029fb745d139

SHA1
1de3c54e137b1ddc0d81efc6229ca030d538d75a

SHA256
270b4bc5a72847d0c0c8c237cebb648befbf117d3886335b194bbc307df93859

SHA512
2d8b87f9651eaa63d81ec20448956c7c65fb3a43ca7da682b35c5047ee6fdd216552710182bb2f7aeb5db5fe2cff0ad5df55ae963d5c87e8d7e9f161fba0b019

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
e6e16aadfd38cbf6d9fc029fb745d139

SHA1
1de3c54e137b1ddc0d81efc6229ca030d538d75a

SHA256
270b4bc5a72847d0c0c8c237cebb648befbf117d3886335b194bbc307df93859

SHA512
2d8b87f9651eaa63d81ec20448956c7c65fb3a43ca7da682b35c5047ee6fdd216552710182bb2f7aeb5db5fe2cff0ad5df55ae963d5c87e8d7e9f161fba0b019

Download Submit
memory/1640-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-64-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1640-65-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1640-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-94-0x0000000073F71000-0x0000000073F73000-memory.dmp

Filesize
8KB

Download
memory/1640-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing