ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee

General

Target

ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
Size

37KB
MD5

40138f0fcb7ce7cac68320bcb0ae4580
SHA1

35106d53585b170dbbb956e5498731b93a1562c0
SHA256

ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee
SHA512

e94717209281dccf32c8402da5f0efe6895203bfcaf623f95bb0760336f2c5e0c9d134023b25f2b4fa2477c58456111879c6fc5e5db51aae027c8f2a15e573a3
SSDEEP

768:edIZ/alwuAknNWuCMQpb0ruFm1YqTrmHwbLyMyg:edILlknNU4rOobbLyng

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1592	BCSSync.exe
1596	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
1172	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1592 set thread context of 1596	1592	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1172	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1132 wrote to memory of 1172	1132	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	27
PID 1172 wrote to memory of 1592	1172	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	28
PID 1172 wrote to memory of 1592	1172	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	28
PID 1172 wrote to memory of 1592	1172	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	28
PID 1172 wrote to memory of 1592	1172	ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe	28
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1592 wrote to memory of 1596	1592	BCSSync.exe	29
PID 1596 wrote to memory of 572	1596	BCSSync.exe	30
PID 1596 wrote to memory of 572	1596	BCSSync.exe	30
PID 1596 wrote to memory of 572	1596	BCSSync.exe	30
PID 1596 wrote to memory of 572	1596	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
"C:\Users\Admin\AppData\Local\Temp\ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
  "C:\Users\Admin\AppData\Local\Temp\ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ace41064895b9f95cae84724ec674bb2181b784af96904882e1c59677269bcee.exe
        5⤵
        
        PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
374a9e655adef1b7d8e7bec935894692

SHA1
44f527121070fbec486053f0ff8e9479b05f74d7

SHA256
f2ca14d915bdfb1cbae3fc016de7ede38c0d7a61fbab9e832344899f146661ad

SHA512
fce3b629b7c9e894bc239819335d1b4386e6d79b1c8330ffbe411f691347fda7510bdf5f9342447f38b5e467ff4d01ea20e6ad4a890a587a03c633b1f63270cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
374a9e655adef1b7d8e7bec935894692

SHA1
44f527121070fbec486053f0ff8e9479b05f74d7

SHA256
f2ca14d915bdfb1cbae3fc016de7ede38c0d7a61fbab9e832344899f146661ad

SHA512
fce3b629b7c9e894bc239819335d1b4386e6d79b1c8330ffbe411f691347fda7510bdf5f9342447f38b5e467ff4d01ea20e6ad4a890a587a03c633b1f63270cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
374a9e655adef1b7d8e7bec935894692

SHA1
44f527121070fbec486053f0ff8e9479b05f74d7

SHA256
f2ca14d915bdfb1cbae3fc016de7ede38c0d7a61fbab9e832344899f146661ad

SHA512
fce3b629b7c9e894bc239819335d1b4386e6d79b1c8330ffbe411f691347fda7510bdf5f9342447f38b5e467ff4d01ea20e6ad4a890a587a03c633b1f63270cb

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
374a9e655adef1b7d8e7bec935894692

SHA1
44f527121070fbec486053f0ff8e9479b05f74d7

SHA256
f2ca14d915bdfb1cbae3fc016de7ede38c0d7a61fbab9e832344899f146661ad

SHA512
fce3b629b7c9e894bc239819335d1b4386e6d79b1c8330ffbe411f691347fda7510bdf5f9342447f38b5e467ff4d01ea20e6ad4a890a587a03c633b1f63270cb

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
374a9e655adef1b7d8e7bec935894692

SHA1
44f527121070fbec486053f0ff8e9479b05f74d7

SHA256
f2ca14d915bdfb1cbae3fc016de7ede38c0d7a61fbab9e832344899f146661ad

SHA512
fce3b629b7c9e894bc239819335d1b4386e6d79b1c8330ffbe411f691347fda7510bdf5f9342447f38b5e467ff4d01ea20e6ad4a890a587a03c633b1f63270cb

Download Submit
memory/1172-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-63-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1172-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1596-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1596-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing