75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92

General

Target

75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
Size

36KB
MD5

e2b9b7f22d5b7c3012e5ba7e0f45d43d
SHA1

49b041797997eb515bd27d2f0203dad081f68e04
SHA256

75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92
SHA512

88898662a4ca5d4f4e291dcd85728de3f0a50f9135f354aee32215df6a0ce3832f516f8764bcd9cd48fb941c12291cedacacb200b911d9ee1da36f5b659c7535
SSDEEP

768:DlcTwpQJkYYTgOnHBqQTZqDsQw6AL7oh2q7vm6PrP2578NkbU:h8wyJnYEOH9ZqDw8h3bzPD2meU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1168	BCSSync.exe
676	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1284	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
1284	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1168 set thread context of 676	1168	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1284	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1768 wrote to memory of 1284	1768	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	27
PID 1284 wrote to memory of 1168	1284	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	28
PID 1284 wrote to memory of 1168	1284	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	28
PID 1284 wrote to memory of 1168	1284	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	28
PID 1284 wrote to memory of 1168	1284	75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe	28
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 1168 wrote to memory of 676	1168	BCSSync.exe	29
PID 676 wrote to memory of 972	676	BCSSync.exe	30
PID 676 wrote to memory of 972	676	BCSSync.exe	30
PID 676 wrote to memory of 972	676	BCSSync.exe	30
PID 676 wrote to memory of 972	676	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
"C:\Users\Admin\AppData\Local\Temp\75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
  "C:\Users\Admin\AppData\Local\Temp\75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\75264303cf8b6b72d8e5b1aaec0881a416dad63651c2ef795d72f7c0b6f29d92.exe
        5⤵
        
        PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
39180eb30409b2508df8d2c6d36be2bc

SHA1
e829fd69054d6373923b7e7603bee038f4a0ebd0

SHA256
a6026d9f56588db00a2f3202d0883f7e3ec2b6ae4b943ed93b0efb0fef4f623a

SHA512
07ddc8ac8a3cb24427ae242f1e736308f58ad0ae2e4aff97c43ff276b60e557ca0d763d5db32be46647ff9d1319ee6833f7cb6ae8e183c64d7126b43331b5ef3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
39180eb30409b2508df8d2c6d36be2bc

SHA1
e829fd69054d6373923b7e7603bee038f4a0ebd0

SHA256
a6026d9f56588db00a2f3202d0883f7e3ec2b6ae4b943ed93b0efb0fef4f623a

SHA512
07ddc8ac8a3cb24427ae242f1e736308f58ad0ae2e4aff97c43ff276b60e557ca0d763d5db32be46647ff9d1319ee6833f7cb6ae8e183c64d7126b43331b5ef3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
39180eb30409b2508df8d2c6d36be2bc

SHA1
e829fd69054d6373923b7e7603bee038f4a0ebd0

SHA256
a6026d9f56588db00a2f3202d0883f7e3ec2b6ae4b943ed93b0efb0fef4f623a

SHA512
07ddc8ac8a3cb24427ae242f1e736308f58ad0ae2e4aff97c43ff276b60e557ca0d763d5db32be46647ff9d1319ee6833f7cb6ae8e183c64d7126b43331b5ef3

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
39180eb30409b2508df8d2c6d36be2bc

SHA1
e829fd69054d6373923b7e7603bee038f4a0ebd0

SHA256
a6026d9f56588db00a2f3202d0883f7e3ec2b6ae4b943ed93b0efb0fef4f623a

SHA512
07ddc8ac8a3cb24427ae242f1e736308f58ad0ae2e4aff97c43ff276b60e557ca0d763d5db32be46647ff9d1319ee6833f7cb6ae8e183c64d7126b43331b5ef3

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
36KB

MD5
39180eb30409b2508df8d2c6d36be2bc

SHA1
e829fd69054d6373923b7e7603bee038f4a0ebd0

SHA256
a6026d9f56588db00a2f3202d0883f7e3ec2b6ae4b943ed93b0efb0fef4f623a

SHA512
07ddc8ac8a3cb24427ae242f1e736308f58ad0ae2e4aff97c43ff276b60e557ca0d763d5db32be46647ff9d1319ee6833f7cb6ae8e183c64d7126b43331b5ef3

Download Submit
memory/676-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/676-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-63-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1284-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing