d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b

General

Target

d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
Size

90KB
MD5

917261429bc944cba20fa569f83a55f1
SHA1

16ba5e8964d6ab2ab41306689e6c6b9f0db09ca5
SHA256

d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b
SHA512

a64620a2d26f1425071536a319057620739555ad8675daa9589b236bf81a880509d910bd71da1aef54400acf75ec18cb03db89b61376edc9ca13e3baf992d101
SSDEEP

1536:Y5rY4s5J1/9qjlrXPTimwCUBtS5Q5grdU3+kNS9Y/bmF6uIo6nX7mNeomBZzJ1J2:KYpJ7qjJ/HeaQ5g2Ow2Y/bmF65NCNeo3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	BCSSync.exe
1740	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
888	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
888	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 2012 set thread context of 1740	2012	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
888	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 304 wrote to memory of 888	304	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	27
PID 888 wrote to memory of 2012	888	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	28
PID 888 wrote to memory of 2012	888	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	28
PID 888 wrote to memory of 2012	888	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	28
PID 888 wrote to memory of 2012	888	d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe	28
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 2012 wrote to memory of 1740	2012	BCSSync.exe	29
PID 1740 wrote to memory of 1764	1740	BCSSync.exe	30
PID 1740 wrote to memory of 1764	1740	BCSSync.exe	30
PID 1740 wrote to memory of 1764	1740	BCSSync.exe	30
PID 1740 wrote to memory of 1764	1740	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
"C:\Users\Admin\AppData\Local\Temp\d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Local\Temp\d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
  "C:\Users\Admin\AppData\Local\Temp\d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d3e884dafb03384fd1923fb62a10c46cef967ab91a56d4bea9ddbb2f9893251b.exe
        5⤵
        
        PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
3303a6a392f923b19961baed0c6cd14e

SHA1
0ed7cfbd0fd38a0ce7ff96f25d8d037db3cea6a6

SHA256
e23de21a9da728eec1e150fcefdd6e9796011c9ef530cea1cf7c8cfd0ccf1a13

SHA512
3ec9acc3d0eaf141cfa4b1a22e66d9672d92bb82a08ab5d45a2653357f867c905c0973f8f1b6b93bec67e7d4c097b553dc2e3eb746a15010f28e29a456f65fa3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
3303a6a392f923b19961baed0c6cd14e

SHA1
0ed7cfbd0fd38a0ce7ff96f25d8d037db3cea6a6

SHA256
e23de21a9da728eec1e150fcefdd6e9796011c9ef530cea1cf7c8cfd0ccf1a13

SHA512
3ec9acc3d0eaf141cfa4b1a22e66d9672d92bb82a08ab5d45a2653357f867c905c0973f8f1b6b93bec67e7d4c097b553dc2e3eb746a15010f28e29a456f65fa3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
3303a6a392f923b19961baed0c6cd14e

SHA1
0ed7cfbd0fd38a0ce7ff96f25d8d037db3cea6a6

SHA256
e23de21a9da728eec1e150fcefdd6e9796011c9ef530cea1cf7c8cfd0ccf1a13

SHA512
3ec9acc3d0eaf141cfa4b1a22e66d9672d92bb82a08ab5d45a2653357f867c905c0973f8f1b6b93bec67e7d4c097b553dc2e3eb746a15010f28e29a456f65fa3

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
3303a6a392f923b19961baed0c6cd14e

SHA1
0ed7cfbd0fd38a0ce7ff96f25d8d037db3cea6a6

SHA256
e23de21a9da728eec1e150fcefdd6e9796011c9ef530cea1cf7c8cfd0ccf1a13

SHA512
3ec9acc3d0eaf141cfa4b1a22e66d9672d92bb82a08ab5d45a2653357f867c905c0973f8f1b6b93bec67e7d4c097b553dc2e3eb746a15010f28e29a456f65fa3

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
90KB

MD5
3303a6a392f923b19961baed0c6cd14e

SHA1
0ed7cfbd0fd38a0ce7ff96f25d8d037db3cea6a6

SHA256
e23de21a9da728eec1e150fcefdd6e9796011c9ef530cea1cf7c8cfd0ccf1a13

SHA512
3ec9acc3d0eaf141cfa4b1a22e66d9672d92bb82a08ab5d45a2653357f867c905c0973f8f1b6b93bec67e7d4c097b553dc2e3eb746a15010f28e29a456f65fa3

Download Submit
memory/888-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-63-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/888-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/888-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1740-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1740-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1740-88-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing