3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13

General

Target

3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
Size

37KB
MD5

795c6dd5f6d5db045eda29d065dc58d2
SHA1

f7ca1ff7fd7cae7b759d1713a2e7cf29e162393d
SHA256

3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13
SHA512

180f21b4c9b0beced293b51e25c4786e58b8a054b8bedb8d74d304b1a9a6f4144d65db63794de55b5423a1e40dc15cd6ca5d7954f8e3fda1f4cabd7c317cba42
SSDEEP

768:jpuxbbb93pfzxWt7QYQ8IgDidhHPjAJYvHF0lwY437avXKrnrz:j0Rbb5WRQYt9ir/2wraM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1168	BCSSync.exe
556	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1252	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
1252	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1168 set thread context of 556	1168	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\2nYrbdFef.com	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1252	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
556	BCSSync.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1740 wrote to memory of 1252	1740	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	27
PID 1252 wrote to memory of 1168	1252	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	28
PID 1252 wrote to memory of 1168	1252	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	28
PID 1252 wrote to memory of 1168	1252	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	28
PID 1252 wrote to memory of 1168	1252	3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe	28
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 1168 wrote to memory of 556	1168	BCSSync.exe	29
PID 556 wrote to memory of 1336	556	BCSSync.exe	30
PID 556 wrote to memory of 1336	556	BCSSync.exe	30
PID 556 wrote to memory of 1336	556	BCSSync.exe	30
PID 556 wrote to memory of 1336	556	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
"C:\Users\Admin\AppData\Local\Temp\3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
  C:\Users\Admin\AppData\Local\Temp\3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\3480c49b61dfeceddf49e4c8e2cd5eaee7889eb2522ec1533ef253437a799b13.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        
        PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
c68625c1c782e6d2496e39df5b1aab11

SHA1
0bdf1149b9dc09df52f394b6eaabcc5933c06f03

SHA256
3e5d6a09bad8b8c5e77b8dc8dd8b0131ca8473b70943bb928068c2a6d621a0a9

SHA512
02706b99d4037f4bcb692b14af77ba6875a339fd049fac4b84bf3d96bfe28170238279100c4d198fbbe6590f1f1781d4c919742a71dab131af7ac3b58b81f5db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
c68625c1c782e6d2496e39df5b1aab11

SHA1
0bdf1149b9dc09df52f394b6eaabcc5933c06f03

SHA256
3e5d6a09bad8b8c5e77b8dc8dd8b0131ca8473b70943bb928068c2a6d621a0a9

SHA512
02706b99d4037f4bcb692b14af77ba6875a339fd049fac4b84bf3d96bfe28170238279100c4d198fbbe6590f1f1781d4c919742a71dab131af7ac3b58b81f5db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
c68625c1c782e6d2496e39df5b1aab11

SHA1
0bdf1149b9dc09df52f394b6eaabcc5933c06f03

SHA256
3e5d6a09bad8b8c5e77b8dc8dd8b0131ca8473b70943bb928068c2a6d621a0a9

SHA512
02706b99d4037f4bcb692b14af77ba6875a339fd049fac4b84bf3d96bfe28170238279100c4d198fbbe6590f1f1781d4c919742a71dab131af7ac3b58b81f5db

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
c68625c1c782e6d2496e39df5b1aab11

SHA1
0bdf1149b9dc09df52f394b6eaabcc5933c06f03

SHA256
3e5d6a09bad8b8c5e77b8dc8dd8b0131ca8473b70943bb928068c2a6d621a0a9

SHA512
02706b99d4037f4bcb692b14af77ba6875a339fd049fac4b84bf3d96bfe28170238279100c4d198fbbe6590f1f1781d4c919742a71dab131af7ac3b58b81f5db

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
c68625c1c782e6d2496e39df5b1aab11

SHA1
0bdf1149b9dc09df52f394b6eaabcc5933c06f03

SHA256
3e5d6a09bad8b8c5e77b8dc8dd8b0131ca8473b70943bb928068c2a6d621a0a9

SHA512
02706b99d4037f4bcb692b14af77ba6875a339fd049fac4b84bf3d96bfe28170238279100c4d198fbbe6590f1f1781d4c919742a71dab131af7ac3b58b81f5db

Download Submit
memory/556-90-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/556-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1168-71-0x0000000000558000-0x0000000000569000-memory.dmp

Filesize
68KB

Download
memory/1252-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-64-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1252-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1252-86-0x0000000073F81000-0x0000000073F83000-memory.dmp

Filesize
8KB

Download
memory/1252-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1740-54-0x0000000000528000-0x0000000000539000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing