dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f

General

Target

dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe
Size

39KB
MD5

0b6eca84b1386c95671242ffd7825731
SHA1

c059035395dab8239784c92ec8ed39080672d601
SHA256

dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f
SHA512

fd35a735f7aa5f4e8f9effe916a13df6a4826fdd9a24cf0dc43368c4c128173bb93949543247956f7f086817f06b531c3eeefa1fbafb89993669edb47bf62cfc
SSDEEP

768:30hvZ7K2gJSRzmKxBqg+9ZPba3QagR9DZGYVW6YXcTLNNr:kHSEHBq95XagR9lGYV/p

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1936	BCSSync.exe
1488	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
964	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe
964	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251
Destination IP	50.7.247.251

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1936 set thread context of 1488	1936	BCSSync.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\T540i71.com	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1488	BCSSync.exe
964	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 1184 wrote to memory of 964	1184	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	26
PID 964 wrote to memory of 1936	964	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	27
PID 964 wrote to memory of 1936	964	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	27
PID 964 wrote to memory of 1936	964	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	27
PID 964 wrote to memory of 1936	964	dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe	27
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1936 wrote to memory of 1488	1936	BCSSync.exe	28
PID 1488 wrote to memory of 1816	1488	BCSSync.exe	29
PID 1488 wrote to memory of 1816	1488	BCSSync.exe	29
PID 1488 wrote to memory of 1816	1488	BCSSync.exe	29
PID 1488 wrote to memory of 1816	1488	BCSSync.exe	29

C:\Users\Admin\AppData\Local\Temp\dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe
"C:\Users\Admin\AppData\Local\Temp\dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe
  C:\Users\Admin\AppData\Local\Temp\dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\dacc50b6c9dd7ed5388ab9947e473effc0faf19686d6a42e6c1e72c80a021e1f.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe"
        5⤵
        
        PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
a39c31fcd5b739b0dd40db35a9c1b74f

SHA1
6e43602004cb24529f817fd20aeaeb6d66006f9b

SHA256
19f33473d26a8ac32070681d04138a72dba40872cdb9b7212bd782939e06e721

SHA512
b1b88f24eb11ebae0e474d46315ea6863c0c620056761ba490d9d3ae3c044746acd5e532dc7f1c352108f6779830ff400875498f66f77c904e9508126f3fe589

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
a39c31fcd5b739b0dd40db35a9c1b74f

SHA1
6e43602004cb24529f817fd20aeaeb6d66006f9b

SHA256
19f33473d26a8ac32070681d04138a72dba40872cdb9b7212bd782939e06e721

SHA512
b1b88f24eb11ebae0e474d46315ea6863c0c620056761ba490d9d3ae3c044746acd5e532dc7f1c352108f6779830ff400875498f66f77c904e9508126f3fe589

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
a39c31fcd5b739b0dd40db35a9c1b74f

SHA1
6e43602004cb24529f817fd20aeaeb6d66006f9b

SHA256
19f33473d26a8ac32070681d04138a72dba40872cdb9b7212bd782939e06e721

SHA512
b1b88f24eb11ebae0e474d46315ea6863c0c620056761ba490d9d3ae3c044746acd5e532dc7f1c352108f6779830ff400875498f66f77c904e9508126f3fe589

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
a39c31fcd5b739b0dd40db35a9c1b74f

SHA1
6e43602004cb24529f817fd20aeaeb6d66006f9b

SHA256
19f33473d26a8ac32070681d04138a72dba40872cdb9b7212bd782939e06e721

SHA512
b1b88f24eb11ebae0e474d46315ea6863c0c620056761ba490d9d3ae3c044746acd5e532dc7f1c352108f6779830ff400875498f66f77c904e9508126f3fe589

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
a39c31fcd5b739b0dd40db35a9c1b74f

SHA1
6e43602004cb24529f817fd20aeaeb6d66006f9b

SHA256
19f33473d26a8ac32070681d04138a72dba40872cdb9b7212bd782939e06e721

SHA512
b1b88f24eb11ebae0e474d46315ea6863c0c620056761ba490d9d3ae3c044746acd5e532dc7f1c352108f6779830ff400875498f66f77c904e9508126f3fe589

Download Submit
memory/964-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/964-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/964-63-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/964-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/964-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/964-87-0x0000000074141000-0x0000000074143000-memory.dmp

Filesize
8KB

Download
memory/964-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/964-61-0x0000000000403DD9-mapping.dmp

Download
memory/964-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/964-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/964-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1488-78-0x0000000000403DD9-mapping.dmp

Download
memory/1488-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1488-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1816-84-0x0000000000000000-mapping.dmp

Download
memory/1936-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing