cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244

General

Target

cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
Size

37KB
MD5

f82fa6aecf3e57b48f3e46c152a1b79e
SHA1

30e6a79892504a7ea03ac49693cae4ed60d139a9
SHA256

cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244
SHA512

2a3c0a07da4e2a1d98b86ce68b2ad00496b3642003ac38c55b199455c49539dc7a394c6fd9c972a7860f0c633414a5d7dfb2d047a65202374d9b02a5d7895001
SSDEEP

768:edIZ/alwuAknNWuCMQpb0ruFm1YqTrmHwbLyMy/:edILlknNU4rOobbLyn/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1176	BCSSync.exe
1912	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1240	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
1240	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1176 set thread context of 1912	1176	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1240	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1204 wrote to memory of 1240	1204	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	28
PID 1240 wrote to memory of 1176	1240	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	29
PID 1240 wrote to memory of 1176	1240	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	29
PID 1240 wrote to memory of 1176	1240	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	29
PID 1240 wrote to memory of 1176	1240	cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe	29
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1176 wrote to memory of 1912	1176	BCSSync.exe	30
PID 1912 wrote to memory of 1612	1912	BCSSync.exe	31
PID 1912 wrote to memory of 1612	1912	BCSSync.exe	31
PID 1912 wrote to memory of 1612	1912	BCSSync.exe	31
PID 1912 wrote to memory of 1612	1912	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
"C:\Users\Admin\AppData\Local\Temp\cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
  "C:\Users\Admin\AppData\Local\Temp\cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\cf6e69cc3a8bca1212e03301dcfeaf4e86f553636786f2d2cfb9d3ddd8c45244.exe
        5⤵
        
        PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
7ed78718851572b7fdfcebd4eb82c6e1

SHA1
2f2fd2e27345932328017aa353892260c539b0ba

SHA256
783ff61b781bdb07da63c685260bd41e270e08ca9743366a9879d59b4394c837

SHA512
9792500d30abac45c6ec34a4faf465c3999f9fc597786ad8cc3585652b5b2cb036bfaeeaac24a583142ca2c1b4999f070d7f30666cacea1992b29a4755597d00

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
7ed78718851572b7fdfcebd4eb82c6e1

SHA1
2f2fd2e27345932328017aa353892260c539b0ba

SHA256
783ff61b781bdb07da63c685260bd41e270e08ca9743366a9879d59b4394c837

SHA512
9792500d30abac45c6ec34a4faf465c3999f9fc597786ad8cc3585652b5b2cb036bfaeeaac24a583142ca2c1b4999f070d7f30666cacea1992b29a4755597d00

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
7ed78718851572b7fdfcebd4eb82c6e1

SHA1
2f2fd2e27345932328017aa353892260c539b0ba

SHA256
783ff61b781bdb07da63c685260bd41e270e08ca9743366a9879d59b4394c837

SHA512
9792500d30abac45c6ec34a4faf465c3999f9fc597786ad8cc3585652b5b2cb036bfaeeaac24a583142ca2c1b4999f070d7f30666cacea1992b29a4755597d00

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
7ed78718851572b7fdfcebd4eb82c6e1

SHA1
2f2fd2e27345932328017aa353892260c539b0ba

SHA256
783ff61b781bdb07da63c685260bd41e270e08ca9743366a9879d59b4394c837

SHA512
9792500d30abac45c6ec34a4faf465c3999f9fc597786ad8cc3585652b5b2cb036bfaeeaac24a583142ca2c1b4999f070d7f30666cacea1992b29a4755597d00

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
7ed78718851572b7fdfcebd4eb82c6e1

SHA1
2f2fd2e27345932328017aa353892260c539b0ba

SHA256
783ff61b781bdb07da63c685260bd41e270e08ca9743366a9879d59b4394c837

SHA512
9792500d30abac45c6ec34a4faf465c3999f9fc597786ad8cc3585652b5b2cb036bfaeeaac24a583142ca2c1b4999f070d7f30666cacea1992b29a4755597d00

Download Submit
memory/1240-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-63-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1240-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1912-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1912-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing