49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408

General

Target

49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe
Size

37KB
MD5

655b6d547342a221ad72dbc2f37a5f67
SHA1

047542028e5babbd74005d356ab1730502f1cb55
SHA256

49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408
SHA512

ee58eead75a80fd1655cf40f6b8ed55ca3fd98f9e08f2bb706c5914a6b1a61ba3673e3c4ac77c2bf06e18297515f2c1819ce20fbfbbabfbe34cd6cb462df9207
SSDEEP

768:jpuxbbb93pfzxWt7QYQ8IgDidhHPjAJYvHF0lwY437avXKrnrV:j0Rbb5WRQYt9ir/2wram

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1872	BCSSync.exe
1376	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1112	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe
1112	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1372 set thread context of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1872 set thread context of 1376	1872	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\6mSHBnGJY.com	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1376	BCSSync.exe
1112	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1372 wrote to memory of 1112	1372	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	28
PID 1112 wrote to memory of 1872	1112	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	29
PID 1112 wrote to memory of 1872	1112	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	29
PID 1112 wrote to memory of 1872	1112	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	29
PID 1112 wrote to memory of 1872	1112	49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe	29
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1872 wrote to memory of 1376	1872	BCSSync.exe	30
PID 1376 wrote to memory of 1804	1376	BCSSync.exe	31
PID 1376 wrote to memory of 1804	1376	BCSSync.exe	31
PID 1376 wrote to memory of 1804	1376	BCSSync.exe	31
PID 1376 wrote to memory of 1804	1376	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe
"C:\Users\Admin\AppData\Local\Temp\49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe
  C:\Users\Admin\AppData\Local\Temp\49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\49be22222c4a90a165848ab0da5963d19f3890d035dd2f09f556b62c88641408.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        
        PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
2a9ce2bfbd9ae27354766c094e993845

SHA1
59a1851017fb73f6abc4d3e329457f452200ab27

SHA256
ea2d7cf6e2f31f80a02d6a80ee05998cc7d13f738c06f19503b25f6aa145ad62

SHA512
2fccb3a6ff22a77dc3f014a972af09bfbae6f60cec2e90a7dad3270ad29fc76b70ba63704779b1a18ad661e6daba5faa0e2efe74b5493e8e7e37f4a4821b2b4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
2a9ce2bfbd9ae27354766c094e993845

SHA1
59a1851017fb73f6abc4d3e329457f452200ab27

SHA256
ea2d7cf6e2f31f80a02d6a80ee05998cc7d13f738c06f19503b25f6aa145ad62

SHA512
2fccb3a6ff22a77dc3f014a972af09bfbae6f60cec2e90a7dad3270ad29fc76b70ba63704779b1a18ad661e6daba5faa0e2efe74b5493e8e7e37f4a4821b2b4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
2a9ce2bfbd9ae27354766c094e993845

SHA1
59a1851017fb73f6abc4d3e329457f452200ab27

SHA256
ea2d7cf6e2f31f80a02d6a80ee05998cc7d13f738c06f19503b25f6aa145ad62

SHA512
2fccb3a6ff22a77dc3f014a972af09bfbae6f60cec2e90a7dad3270ad29fc76b70ba63704779b1a18ad661e6daba5faa0e2efe74b5493e8e7e37f4a4821b2b4d

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
2a9ce2bfbd9ae27354766c094e993845

SHA1
59a1851017fb73f6abc4d3e329457f452200ab27

SHA256
ea2d7cf6e2f31f80a02d6a80ee05998cc7d13f738c06f19503b25f6aa145ad62

SHA512
2fccb3a6ff22a77dc3f014a972af09bfbae6f60cec2e90a7dad3270ad29fc76b70ba63704779b1a18ad661e6daba5faa0e2efe74b5493e8e7e37f4a4821b2b4d

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
2a9ce2bfbd9ae27354766c094e993845

SHA1
59a1851017fb73f6abc4d3e329457f452200ab27

SHA256
ea2d7cf6e2f31f80a02d6a80ee05998cc7d13f738c06f19503b25f6aa145ad62

SHA512
2fccb3a6ff22a77dc3f014a972af09bfbae6f60cec2e90a7dad3270ad29fc76b70ba63704779b1a18ad661e6daba5faa0e2efe74b5493e8e7e37f4a4821b2b4d

Download Submit
memory/1112-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-64-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1112-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-90-0x00000000749E1000-0x00000000749E3000-memory.dmp

Filesize
8KB

Download
memory/1112-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1372-54-0x00000000004F8000-0x0000000000509000-memory.dmp

Filesize
68KB

Download
memory/1376-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1376-89-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1872-71-0x0000000000578000-0x0000000000589000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing