a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621

General

Target

a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
Size

92KB
MD5

6a915e71e0ccfdfbf873d4c344b91c7d
SHA1

5fb0e3c222fc3b75406a67a44ce75f8d2af30f20
SHA256

a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621
SHA512

0ac0c5ebacc310d4edea3859c69abd92bc34782d298b240c64065ff8feb1fb93729ff902d705e9651e5f670dd0ae42bf54d59e775f6437da1a745b298c9134f7
SSDEEP

1536:/rT5WG67FWBMk/r2mvWh7XjNd3s3WX2o2PYFzwJOpWB8aPzeZIZAKkxTE4n0xC7/://YL7f4r2RheSFrWB8aLe4A/xTEe0Mz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1688	BCSSync.exe
268	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
1928	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1688 set thread context of 268	1688	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\2nYrbdFef.com	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1048 wrote to memory of 1928	1048	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	27
PID 1928 wrote to memory of 1688	1928	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	28
PID 1928 wrote to memory of 1688	1928	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	28
PID 1928 wrote to memory of 1688	1928	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	28
PID 1928 wrote to memory of 1688	1928	a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe	28
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 1688 wrote to memory of 268	1688	BCSSync.exe	29
PID 268 wrote to memory of 816	268	BCSSync.exe	30
PID 268 wrote to memory of 816	268	BCSSync.exe	30
PID 268 wrote to memory of 816	268	BCSSync.exe	30
PID 268 wrote to memory of 816	268	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
"C:\Users\Admin\AppData\Local\Temp\a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
  "C:\Users\Admin\AppData\Local\Temp\a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\a294258e8b2e1fd36217a8fafd15c41c3954eec26808407c03cf40df1df9d621.exe
        5⤵
        
        PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
df4d9c6e17079ddd1c684c9752d845d4

SHA1
9b3a2d7b188f20cdb094b7a62dbff499a0d87400

SHA256
4b5e3753e9e1d3df48662c9b400630cac20731f7cdd87d2938ce7553bce9ac33

SHA512
b0f3cc1724402dcb1d3682a16f94d978320c1f4d5f036c611e53aaceff9869dad0038ffa66c7d2fce66ffef4416bddba525a7ca84f942171a2e5ee837f7b5075

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
df4d9c6e17079ddd1c684c9752d845d4

SHA1
9b3a2d7b188f20cdb094b7a62dbff499a0d87400

SHA256
4b5e3753e9e1d3df48662c9b400630cac20731f7cdd87d2938ce7553bce9ac33

SHA512
b0f3cc1724402dcb1d3682a16f94d978320c1f4d5f036c611e53aaceff9869dad0038ffa66c7d2fce66ffef4416bddba525a7ca84f942171a2e5ee837f7b5075

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
df4d9c6e17079ddd1c684c9752d845d4

SHA1
9b3a2d7b188f20cdb094b7a62dbff499a0d87400

SHA256
4b5e3753e9e1d3df48662c9b400630cac20731f7cdd87d2938ce7553bce9ac33

SHA512
b0f3cc1724402dcb1d3682a16f94d978320c1f4d5f036c611e53aaceff9869dad0038ffa66c7d2fce66ffef4416bddba525a7ca84f942171a2e5ee837f7b5075

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
df4d9c6e17079ddd1c684c9752d845d4

SHA1
9b3a2d7b188f20cdb094b7a62dbff499a0d87400

SHA256
4b5e3753e9e1d3df48662c9b400630cac20731f7cdd87d2938ce7553bce9ac33

SHA512
b0f3cc1724402dcb1d3682a16f94d978320c1f4d5f036c611e53aaceff9869dad0038ffa66c7d2fce66ffef4416bddba525a7ca84f942171a2e5ee837f7b5075

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
df4d9c6e17079ddd1c684c9752d845d4

SHA1
9b3a2d7b188f20cdb094b7a62dbff499a0d87400

SHA256
4b5e3753e9e1d3df48662c9b400630cac20731f7cdd87d2938ce7553bce9ac33

SHA512
b0f3cc1724402dcb1d3682a16f94d978320c1f4d5f036c611e53aaceff9869dad0038ffa66c7d2fce66ffef4416bddba525a7ca84f942171a2e5ee837f7b5075

Download Submit
memory/268-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-65-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1928-64-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1928-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1928-92-0x0000000074861000-0x0000000074863000-memory.dmp

Filesize
8KB

Download
memory/1928-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing