fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11

General

Target

fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
Size

35KB
MD5

34b97edbe38a1dcaa71f97013fe43bac
SHA1

2a5aed784f2caf5c63f1a3e9307c539c8c5fcbae
SHA256

fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11
SHA512

57afdac3589604381f250e9cd03ab3a109f06de4685d6a63757268ac2df0cf464542b0d86ce92329f9d62e71d55c3c3f1f99ae35e5e0cd2110bbbfc25f77c52b
SSDEEP

384:x9RlQG13BLgexxxaR0O834rfmAT/5bcicoAVmaqsj7T0oY7cQ67oJk1Ziwf6hycy:TQGpmes+olciha/sw8cF6srxLwN97jw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1864	BCSSync.exe
1212	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1100	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
1100	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1864 set thread context of 1212	1864	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1100	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
1864	BCSSync.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1816 wrote to memory of 1100	1816	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	27
PID 1100 wrote to memory of 1864	1100	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	28
PID 1100 wrote to memory of 1864	1100	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	28
PID 1100 wrote to memory of 1864	1100	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	28
PID 1100 wrote to memory of 1864	1100	fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe	28
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1864 wrote to memory of 1212	1864	BCSSync.exe	29
PID 1212 wrote to memory of 1372	1212	BCSSync.exe	30
PID 1212 wrote to memory of 1372	1212	BCSSync.exe	30
PID 1212 wrote to memory of 1372	1212	BCSSync.exe	30
PID 1212 wrote to memory of 1372	1212	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
"C:\Users\Admin\AppData\Local\Temp\fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
  "C:\Users\Admin\AppData\Local\Temp\fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\fcd82fa4130dbc64254d3a9bc838e03f12a139caa49fb0e0232b5cff92d8fa11.exe
        5⤵
        
        PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
35KB

MD5
9633cc3e598e317f70c55b4bc03fdbd2

SHA1
cca27fd5c02e6ee9da2033bb65bd6ce6bfa604c9

SHA256
77665be05ec260bc0a2ad4dddeb05dd921252c68cfce070bcb2cfd0330ef5180

SHA512
e067246d0030ce71c40c94a6cab25f64b48a250dfb905005439611eef002ca1e7556a3cd306993a5765df2aa798687aeec09ad75a82c41ef15ff50b69764ec83

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
35KB

MD5
9633cc3e598e317f70c55b4bc03fdbd2

SHA1
cca27fd5c02e6ee9da2033bb65bd6ce6bfa604c9

SHA256
77665be05ec260bc0a2ad4dddeb05dd921252c68cfce070bcb2cfd0330ef5180

SHA512
e067246d0030ce71c40c94a6cab25f64b48a250dfb905005439611eef002ca1e7556a3cd306993a5765df2aa798687aeec09ad75a82c41ef15ff50b69764ec83

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
35KB

MD5
9633cc3e598e317f70c55b4bc03fdbd2

SHA1
cca27fd5c02e6ee9da2033bb65bd6ce6bfa604c9

SHA256
77665be05ec260bc0a2ad4dddeb05dd921252c68cfce070bcb2cfd0330ef5180

SHA512
e067246d0030ce71c40c94a6cab25f64b48a250dfb905005439611eef002ca1e7556a3cd306993a5765df2aa798687aeec09ad75a82c41ef15ff50b69764ec83

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
35KB

MD5
9633cc3e598e317f70c55b4bc03fdbd2

SHA1
cca27fd5c02e6ee9da2033bb65bd6ce6bfa604c9

SHA256
77665be05ec260bc0a2ad4dddeb05dd921252c68cfce070bcb2cfd0330ef5180

SHA512
e067246d0030ce71c40c94a6cab25f64b48a250dfb905005439611eef002ca1e7556a3cd306993a5765df2aa798687aeec09ad75a82c41ef15ff50b69764ec83

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
35KB

MD5
9633cc3e598e317f70c55b4bc03fdbd2

SHA1
cca27fd5c02e6ee9da2033bb65bd6ce6bfa604c9

SHA256
77665be05ec260bc0a2ad4dddeb05dd921252c68cfce070bcb2cfd0330ef5180

SHA512
e067246d0030ce71c40c94a6cab25f64b48a250dfb905005439611eef002ca1e7556a3cd306993a5765df2aa798687aeec09ad75a82c41ef15ff50b69764ec83

Download Submit
memory/1100-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-63-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1100-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1100-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1212-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1212-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing