9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b

General

Target

9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
Size

92KB
MD5

06b8ac2e0629e9af0be6994a5ebc0baa
SHA1

993ccfd6d6711b777d8813a29df0698b0243efcd
SHA256

9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b
SHA512

23853452670d84e73f5e25f9824312ac59a671e78c6fab9e9feadd78d5b403744090c05aa37abc67e60d661e2065c3e1f9087cde4a27cf16365332b341193e66
SSDEEP

1536:jM0gNI+RqihfQxtQg1nhFc9pJpk+tCwmg+Q6buWkJ2/tnJs1v8pEekNEkpYA0g:jMbI+RFQxjJGJpTP65vFLGjNE5o

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1424	BCSSync.exe
1076	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
532	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
532	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1424 set thread context of 1076	1424	BCSSync.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
532	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 1452 wrote to memory of 532	1452	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	26
PID 532 wrote to memory of 1424	532	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	27
PID 532 wrote to memory of 1424	532	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	27
PID 532 wrote to memory of 1424	532	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	27
PID 532 wrote to memory of 1424	532	9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe	27
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1424 wrote to memory of 1076	1424	BCSSync.exe	28
PID 1076 wrote to memory of 1824	1076	BCSSync.exe	29
PID 1076 wrote to memory of 1824	1076	BCSSync.exe	29
PID 1076 wrote to memory of 1824	1076	BCSSync.exe	29
PID 1076 wrote to memory of 1824	1076	BCSSync.exe	29

C:\Users\Admin\AppData\Local\Temp\9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
"C:\Users\Admin\AppData\Local\Temp\9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
  "C:\Users\Admin\AppData\Local\Temp\9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\9e811079d1d63f46c9296c3e8edbee380b407071b98532ed2d3c3c208606a92b.exe
        5⤵
        
        PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
9131fb06c906e5ab096b4be9bf6dea9c

SHA1
c8227abc9ede1087969bb9f346de2c1ce3d719c8

SHA256
82a33db241aa71d020a2295412a0f201677981425a7fde5222b4988fd880d0f9

SHA512
0d4ba14e4f4ee6d883f843cb043d4c8ed40fe17535bb1281e91687eb4dd8da4942888128a9e473e5bc4abd90a9fe524d87247ce9245c3848e13b80ddbc3ace02

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
9131fb06c906e5ab096b4be9bf6dea9c

SHA1
c8227abc9ede1087969bb9f346de2c1ce3d719c8

SHA256
82a33db241aa71d020a2295412a0f201677981425a7fde5222b4988fd880d0f9

SHA512
0d4ba14e4f4ee6d883f843cb043d4c8ed40fe17535bb1281e91687eb4dd8da4942888128a9e473e5bc4abd90a9fe524d87247ce9245c3848e13b80ddbc3ace02

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
9131fb06c906e5ab096b4be9bf6dea9c

SHA1
c8227abc9ede1087969bb9f346de2c1ce3d719c8

SHA256
82a33db241aa71d020a2295412a0f201677981425a7fde5222b4988fd880d0f9

SHA512
0d4ba14e4f4ee6d883f843cb043d4c8ed40fe17535bb1281e91687eb4dd8da4942888128a9e473e5bc4abd90a9fe524d87247ce9245c3848e13b80ddbc3ace02

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
9131fb06c906e5ab096b4be9bf6dea9c

SHA1
c8227abc9ede1087969bb9f346de2c1ce3d719c8

SHA256
82a33db241aa71d020a2295412a0f201677981425a7fde5222b4988fd880d0f9

SHA512
0d4ba14e4f4ee6d883f843cb043d4c8ed40fe17535bb1281e91687eb4dd8da4942888128a9e473e5bc4abd90a9fe524d87247ce9245c3848e13b80ddbc3ace02

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
92KB

MD5
9131fb06c906e5ab096b4be9bf6dea9c

SHA1
c8227abc9ede1087969bb9f346de2c1ce3d719c8

SHA256
82a33db241aa71d020a2295412a0f201677981425a7fde5222b4988fd880d0f9

SHA512
0d4ba14e4f4ee6d883f843cb043d4c8ed40fe17535bb1281e91687eb4dd8da4942888128a9e473e5bc4abd90a9fe524d87247ce9245c3848e13b80ddbc3ace02

Download Submit
memory/532-61-0x0000000000403C40-mapping.dmp

Download
memory/532-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-63-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/532-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-84-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/532-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1076-78-0x0000000000403C40-mapping.dmp

Download
memory/1076-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1076-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1424-68-0x0000000000000000-mapping.dmp

Download
memory/1824-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing