c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86

General

Target

c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
Size

34KB
MD5

22433b312ce49b70b9f4e0faa6afcb48
SHA1

021a92937aa884de83d8787a273e747c48d52c63
SHA256

c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86
SHA512

7f6ccecdeabb503d8559e654530a8d2fb24e8511f5f7a13753ded6bbaaab2d5efb0eaa0726cb5958957fe247966bf2120e47cc5e86ddeef3a943739ab96d9a24
SSDEEP

768:GwkBWuF+Wk5uMXYxiGmsox40ebUKAUdI2gQa5WND1QHQ:GBBWuFfw7YxitsoL/+mVYuw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
536	BCSSync.exe
828	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1116	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
1116	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 576 set thread context of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 536 set thread context of 828	536	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\pavUCoMb.com	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
828	BCSSync.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 576 wrote to memory of 1116	576	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	28
PID 1116 wrote to memory of 536	1116	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	29
PID 1116 wrote to memory of 536	1116	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	29
PID 1116 wrote to memory of 536	1116	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	29
PID 1116 wrote to memory of 536	1116	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	29
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 536 wrote to memory of 828	536	BCSSync.exe	30
PID 828 wrote to memory of 868	828	BCSSync.exe	31
PID 828 wrote to memory of 868	828	BCSSync.exe	31
PID 828 wrote to memory of 868	828	BCSSync.exe	31
PID 828 wrote to memory of 868	828	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
"C:\Users\Admin\AppData\Local\Temp\c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
  "C:\Users\Admin\AppData\Local\Temp\c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
        5⤵
        
        PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
34KB

MD5
3dcb50672b259667bd9d6d5d041b7ed1

SHA1
69ce17a57b639c2360d80a621e86c1e24d0c7141

SHA256
2ac09606afc22a2cc3e4ad18d147b9fa71edf0eda88bb4c2a0de9a038db900ce

SHA512
56cff438c9c51e1068437bffad42d0f5839e529658b1be589d8642b94c0f991ad557d0965f3a98bc086f89608bcda3d2c3333fecbe065da0608e803ecd91b2fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
34KB

MD5
3dcb50672b259667bd9d6d5d041b7ed1

SHA1
69ce17a57b639c2360d80a621e86c1e24d0c7141

SHA256
2ac09606afc22a2cc3e4ad18d147b9fa71edf0eda88bb4c2a0de9a038db900ce

SHA512
56cff438c9c51e1068437bffad42d0f5839e529658b1be589d8642b94c0f991ad557d0965f3a98bc086f89608bcda3d2c3333fecbe065da0608e803ecd91b2fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
34KB

MD5
3dcb50672b259667bd9d6d5d041b7ed1

SHA1
69ce17a57b639c2360d80a621e86c1e24d0c7141

SHA256
2ac09606afc22a2cc3e4ad18d147b9fa71edf0eda88bb4c2a0de9a038db900ce

SHA512
56cff438c9c51e1068437bffad42d0f5839e529658b1be589d8642b94c0f991ad557d0965f3a98bc086f89608bcda3d2c3333fecbe065da0608e803ecd91b2fd

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
34KB

MD5
3dcb50672b259667bd9d6d5d041b7ed1

SHA1
69ce17a57b639c2360d80a621e86c1e24d0c7141

SHA256
2ac09606afc22a2cc3e4ad18d147b9fa71edf0eda88bb4c2a0de9a038db900ce

SHA512
56cff438c9c51e1068437bffad42d0f5839e529658b1be589d8642b94c0f991ad557d0965f3a98bc086f89608bcda3d2c3333fecbe065da0608e803ecd91b2fd

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
34KB

MD5
3dcb50672b259667bd9d6d5d041b7ed1

SHA1
69ce17a57b639c2360d80a621e86c1e24d0c7141

SHA256
2ac09606afc22a2cc3e4ad18d147b9fa71edf0eda88bb4c2a0de9a038db900ce

SHA512
56cff438c9c51e1068437bffad42d0f5839e529658b1be589d8642b94c0f991ad557d0965f3a98bc086f89608bcda3d2c3333fecbe065da0608e803ecd91b2fd

Download Submit
memory/828-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-66-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1116-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-64-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1116-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-94-0x00000000740C1000-0x00000000740C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing