aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835

General

Target

aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
Size

90KB
MD5

76c33b2cb508f2cc32a9d26781449890
SHA1

f917eefd3074e6527938e5d2d6ddd20f86e3fa4e
SHA256

aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835
SHA512

2914b46ef3fcb0b0bd78f0bb7e41fbcefc3c4d6768b8c1ddda0627b14e1725758a5251515bcc4e9470e9d6a3c21e30786acd06cd94dc98ce8c205d261e755622
SSDEEP

1536:Y5rY4s5J1/9qjlrXPTimwCUBtS5Q5grdU3+kNS9Y/bmF6uIo6nX7mNeomBZzJ1JF:KYpJ7qjJ/HeaQ5g2Ow2Y/bmF65NCNeoU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1624	BCSSync.exe
1760	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1260	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
1260	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1624 set thread context of 1760	1624	BCSSync.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1260	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1364 wrote to memory of 1260	1364	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	26
PID 1260 wrote to memory of 1624	1260	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	27
PID 1260 wrote to memory of 1624	1260	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	27
PID 1260 wrote to memory of 1624	1260	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	27
PID 1260 wrote to memory of 1624	1260	aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe	27
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1624 wrote to memory of 1760	1624	BCSSync.exe	28
PID 1760 wrote to memory of 560	1760	BCSSync.exe	29
PID 1760 wrote to memory of 560	1760	BCSSync.exe	29
PID 1760 wrote to memory of 560	1760	BCSSync.exe	29
PID 1760 wrote to memory of 560	1760	BCSSync.exe	29

C:\Users\Admin\AppData\Local\Temp\aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
"C:\Users\Admin\AppData\Local\Temp\aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
  "C:\Users\Admin\AppData\Local\Temp\aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\aa3e079ec98ce5e1831939ceef4ced1f762f4fd45170089aabc66aae1b79a835.exe
        5⤵
        
        PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
14712abf87785bc88c8879a76e7e2732

SHA1
46a1f86a062da4b171ea25a4590d101a696de44d

SHA256
e2289a81120b9ad39dcd96b37c4f7675f3fd0d366e2e3d684120a6186d7036a0

SHA512
9ddb5dfbe52c54905683d30ba4bbf5a87605f9b282af36b82b713472cfd0bc7a9e548b57fc3a511277b5ba12ea8945fd239e86efe58597830cbbd201a8e0481f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
14712abf87785bc88c8879a76e7e2732

SHA1
46a1f86a062da4b171ea25a4590d101a696de44d

SHA256
e2289a81120b9ad39dcd96b37c4f7675f3fd0d366e2e3d684120a6186d7036a0

SHA512
9ddb5dfbe52c54905683d30ba4bbf5a87605f9b282af36b82b713472cfd0bc7a9e548b57fc3a511277b5ba12ea8945fd239e86efe58597830cbbd201a8e0481f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
14712abf87785bc88c8879a76e7e2732

SHA1
46a1f86a062da4b171ea25a4590d101a696de44d

SHA256
e2289a81120b9ad39dcd96b37c4f7675f3fd0d366e2e3d684120a6186d7036a0

SHA512
9ddb5dfbe52c54905683d30ba4bbf5a87605f9b282af36b82b713472cfd0bc7a9e548b57fc3a511277b5ba12ea8945fd239e86efe58597830cbbd201a8e0481f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
14712abf87785bc88c8879a76e7e2732

SHA1
46a1f86a062da4b171ea25a4590d101a696de44d

SHA256
e2289a81120b9ad39dcd96b37c4f7675f3fd0d366e2e3d684120a6186d7036a0

SHA512
9ddb5dfbe52c54905683d30ba4bbf5a87605f9b282af36b82b713472cfd0bc7a9e548b57fc3a511277b5ba12ea8945fd239e86efe58597830cbbd201a8e0481f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
14712abf87785bc88c8879a76e7e2732

SHA1
46a1f86a062da4b171ea25a4590d101a696de44d

SHA256
e2289a81120b9ad39dcd96b37c4f7675f3fd0d366e2e3d684120a6186d7036a0

SHA512
9ddb5dfbe52c54905683d30ba4bbf5a87605f9b282af36b82b713472cfd0bc7a9e548b57fc3a511277b5ba12ea8945fd239e86efe58597830cbbd201a8e0481f

Download Submit
memory/1260-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-63-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1260-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1260-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1760-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1760-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing