e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee

General

Target

e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
Size

38KB
MD5

74ee9840be1aa7b1a5c0b3546b3745f9
SHA1

7e71c39f23b55cefbb4048eec7136981a4d2b00f
SHA256

e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee
SHA512

f20588c273c373b60700ed65ef6399a2243ead038c2c0ed253c5c9faaac96dabb01faf88e5dc841c7bf1d68cb3ab475f575228c5207d4a5a13fc0f96561e856a
SSDEEP

768:objqEFd8yMaZaqj+DQxHedPYy16QVWAGYqr55uuWF:Q/xauaE+2wxWJYMPuus

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1960	BCSSync.exe
1076	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
1920	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 1960 set thread context of 1076	1960	BCSSync.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\T540i71.com	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1076	BCSSync.exe
1920	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 2012 wrote to memory of 1920	2012	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	26
PID 1920 wrote to memory of 1960	1920	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	27
PID 1920 wrote to memory of 1960	1920	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	27
PID 1920 wrote to memory of 1960	1920	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	27
PID 1920 wrote to memory of 1960	1920	e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe	27
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1960 wrote to memory of 1076	1960	BCSSync.exe	28
PID 1076 wrote to memory of 1472	1076	BCSSync.exe	29
PID 1076 wrote to memory of 1472	1076	BCSSync.exe	29
PID 1076 wrote to memory of 1472	1076	BCSSync.exe	29
PID 1076 wrote to memory of 1472	1076	BCSSync.exe	29

C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
"C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
  C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\e017ccbc40e8b3b7692182e59ca10072253616f234eb9020b4ee860871563fee.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        
        PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
38KB

MD5
e831880021a919aac30d7319914c3076

SHA1
9dc200fd66b459303e6a9e8902eca20fa5ab72f2

SHA256
85ddfa5cdab90408f0f514dae04a3699996ca6df315dccb14c9b7a93a3fb8825

SHA512
f7bca5eb50138988596da2931bbc43eba0ddcef0f8690718613a74861e6ad97637db3ef1e53879f3ff67c8f95f7c6445a50bfcb1972f637b40f01673ecff03c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
38KB

MD5
e831880021a919aac30d7319914c3076

SHA1
9dc200fd66b459303e6a9e8902eca20fa5ab72f2

SHA256
85ddfa5cdab90408f0f514dae04a3699996ca6df315dccb14c9b7a93a3fb8825

SHA512
f7bca5eb50138988596da2931bbc43eba0ddcef0f8690718613a74861e6ad97637db3ef1e53879f3ff67c8f95f7c6445a50bfcb1972f637b40f01673ecff03c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
38KB

MD5
e831880021a919aac30d7319914c3076

SHA1
9dc200fd66b459303e6a9e8902eca20fa5ab72f2

SHA256
85ddfa5cdab90408f0f514dae04a3699996ca6df315dccb14c9b7a93a3fb8825

SHA512
f7bca5eb50138988596da2931bbc43eba0ddcef0f8690718613a74861e6ad97637db3ef1e53879f3ff67c8f95f7c6445a50bfcb1972f637b40f01673ecff03c3

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
38KB

MD5
e831880021a919aac30d7319914c3076

SHA1
9dc200fd66b459303e6a9e8902eca20fa5ab72f2

SHA256
85ddfa5cdab90408f0f514dae04a3699996ca6df315dccb14c9b7a93a3fb8825

SHA512
f7bca5eb50138988596da2931bbc43eba0ddcef0f8690718613a74861e6ad97637db3ef1e53879f3ff67c8f95f7c6445a50bfcb1972f637b40f01673ecff03c3

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
38KB

MD5
e831880021a919aac30d7319914c3076

SHA1
9dc200fd66b459303e6a9e8902eca20fa5ab72f2

SHA256
85ddfa5cdab90408f0f514dae04a3699996ca6df315dccb14c9b7a93a3fb8825

SHA512
f7bca5eb50138988596da2931bbc43eba0ddcef0f8690718613a74861e6ad97637db3ef1e53879f3ff67c8f95f7c6445a50bfcb1972f637b40f01673ecff03c3

Download Submit
memory/1076-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-85-0x0000000074351000-0x0000000074353000-memory.dmp

Filesize
8KB

Download
memory/1920-63-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing