ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44

General

Target

ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
Size

37KB
MD5

cee7a6c99ae62d85fec0bd5b96de41e3
SHA1

5df3e434749d6d575d2ef6e5620750fd4b150dad
SHA256

ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44
SHA512

658f6b2b51ee9ef998299d9ab4bc6c56d9eaf89ee2ff2a12c65a23236fedb76e17bfea9533fd4526d0a1c8ab3510afda19da9447d501f8a62b487df3e2935c69
SSDEEP

768:edIZ/alwuAknNWuCMQpb0ruFm1YqTrmHwbLyMyI:edILlknNU4rOobbLynI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1240	BCSSync.exe
852	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
2020	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1240 set thread context of 852	1240	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 1736 wrote to memory of 2020	1736	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	28
PID 2020 wrote to memory of 1240	2020	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	29
PID 2020 wrote to memory of 1240	2020	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	29
PID 2020 wrote to memory of 1240	2020	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	29
PID 2020 wrote to memory of 1240	2020	ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe	29
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 1240 wrote to memory of 852	1240	BCSSync.exe	30
PID 852 wrote to memory of 432	852	BCSSync.exe	31
PID 852 wrote to memory of 432	852	BCSSync.exe	31
PID 852 wrote to memory of 432	852	BCSSync.exe	31
PID 852 wrote to memory of 432	852	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
"C:\Users\Admin\AppData\Local\Temp\ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
  "C:\Users\Admin\AppData\Local\Temp\ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\ceebe2e47c6a1704b526a980354bf62ac54cc10acbc213973500a7ed0aea0f44.exe
        5⤵
        
        PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
945bc3246e4155e2a37b7d648c7ae85d

SHA1
aaf6839bf1e71de61d15b4785654d43ab39952e8

SHA256
2d233afdf07434def421391fd5a8d77dc48bb4b5fe5b1989aabf5dd303d15612

SHA512
d27e6c1efda84e0c4ebd94913f5a7437fddc62ed99fece278b0ea9e8e0eb67fb1091a23871a3c4d2b038d5092299a71b25494188a41ea25f7fda53df7786b68b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
945bc3246e4155e2a37b7d648c7ae85d

SHA1
aaf6839bf1e71de61d15b4785654d43ab39952e8

SHA256
2d233afdf07434def421391fd5a8d77dc48bb4b5fe5b1989aabf5dd303d15612

SHA512
d27e6c1efda84e0c4ebd94913f5a7437fddc62ed99fece278b0ea9e8e0eb67fb1091a23871a3c4d2b038d5092299a71b25494188a41ea25f7fda53df7786b68b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
945bc3246e4155e2a37b7d648c7ae85d

SHA1
aaf6839bf1e71de61d15b4785654d43ab39952e8

SHA256
2d233afdf07434def421391fd5a8d77dc48bb4b5fe5b1989aabf5dd303d15612

SHA512
d27e6c1efda84e0c4ebd94913f5a7437fddc62ed99fece278b0ea9e8e0eb67fb1091a23871a3c4d2b038d5092299a71b25494188a41ea25f7fda53df7786b68b

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
945bc3246e4155e2a37b7d648c7ae85d

SHA1
aaf6839bf1e71de61d15b4785654d43ab39952e8

SHA256
2d233afdf07434def421391fd5a8d77dc48bb4b5fe5b1989aabf5dd303d15612

SHA512
d27e6c1efda84e0c4ebd94913f5a7437fddc62ed99fece278b0ea9e8e0eb67fb1091a23871a3c4d2b038d5092299a71b25494188a41ea25f7fda53df7786b68b

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
945bc3246e4155e2a37b7d648c7ae85d

SHA1
aaf6839bf1e71de61d15b4785654d43ab39952e8

SHA256
2d233afdf07434def421391fd5a8d77dc48bb4b5fe5b1989aabf5dd303d15612

SHA512
d27e6c1efda84e0c4ebd94913f5a7437fddc62ed99fece278b0ea9e8e0eb67fb1091a23871a3c4d2b038d5092299a71b25494188a41ea25f7fda53df7786b68b

Download Submit
memory/432-85-0x0000000000000000-mapping.dmp

Download
memory/852-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/852-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/852-79-0x0000000000403C40-mapping.dmp

Download
memory/1240-69-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-63-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2020-61-0x0000000000403C40-mapping.dmp

Download
memory/2020-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing