dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc

General

Target

dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
Size

39KB
MD5

8fff0160e82ca7433d1f4ffd3909c9ed
SHA1

cb0fbbea06a4527e5b45b3b77b31af3b7b44293d
SHA256

dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc
SHA512

895464b0a63f1cd920f14e9747de0f57435235ae3fe708b156fbea7c5d55cd98adeece7f9cf93fcd1af474e14d9e71994fec4b6df4811bc7f459830bd3065b43
SSDEEP

768:SzLoYj/s3MY2C162DG9pFz6uEpYJgiMgIf2aNBIFZCzccx5BXPow:0MYQ3n2WTczxqYJgHf2aNBSZ5cx5FB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
992	BCSSync.exe
1712	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1884	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
1884	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 992 set thread context of 1712	992	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\FLyIUhq20.com	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1712	BCSSync.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1452 wrote to memory of 1884	1452	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	28
PID 1884 wrote to memory of 992	1884	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	29
PID 1884 wrote to memory of 992	1884	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	29
PID 1884 wrote to memory of 992	1884	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	29
PID 1884 wrote to memory of 992	1884	dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe	29
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 992 wrote to memory of 1712	992	BCSSync.exe	30
PID 1712 wrote to memory of 968	1712	BCSSync.exe	31
PID 1712 wrote to memory of 968	1712	BCSSync.exe	31
PID 1712 wrote to memory of 968	1712	BCSSync.exe	31
PID 1712 wrote to memory of 968	1712	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
"C:\Users\Admin\AppData\Local\Temp\dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
  "C:\Users\Admin\AppData\Local\Temp\dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\dad1010a9ca877e2ddbef25079a9a4f18e524bdd5bbcbe91b7ea00c68a22a5fc.exe
        5⤵
        
        PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
ee34c05e9df3c0dc183ab80d47d16c28

SHA1
f4c52e8d2b8b7c4bc9ecbd1fb82d39e4fb05db5a

SHA256
cbbbacf294cc927d451987aa2e70d455789b2c78a2dfa0861038264c3b80db42

SHA512
ec0aec59095d2ebc325deba0a61f78b932c6535adab9eb58111b1a095ba6a4f4071be4763f0e8c01fc4e3d0aa2725a424a800199bf67bb3c07d8c56f49052e74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
ee34c05e9df3c0dc183ab80d47d16c28

SHA1
f4c52e8d2b8b7c4bc9ecbd1fb82d39e4fb05db5a

SHA256
cbbbacf294cc927d451987aa2e70d455789b2c78a2dfa0861038264c3b80db42

SHA512
ec0aec59095d2ebc325deba0a61f78b932c6535adab9eb58111b1a095ba6a4f4071be4763f0e8c01fc4e3d0aa2725a424a800199bf67bb3c07d8c56f49052e74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
ee34c05e9df3c0dc183ab80d47d16c28

SHA1
f4c52e8d2b8b7c4bc9ecbd1fb82d39e4fb05db5a

SHA256
cbbbacf294cc927d451987aa2e70d455789b2c78a2dfa0861038264c3b80db42

SHA512
ec0aec59095d2ebc325deba0a61f78b932c6535adab9eb58111b1a095ba6a4f4071be4763f0e8c01fc4e3d0aa2725a424a800199bf67bb3c07d8c56f49052e74

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
ee34c05e9df3c0dc183ab80d47d16c28

SHA1
f4c52e8d2b8b7c4bc9ecbd1fb82d39e4fb05db5a

SHA256
cbbbacf294cc927d451987aa2e70d455789b2c78a2dfa0861038264c3b80db42

SHA512
ec0aec59095d2ebc325deba0a61f78b932c6535adab9eb58111b1a095ba6a4f4071be4763f0e8c01fc4e3d0aa2725a424a800199bf67bb3c07d8c56f49052e74

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
39KB

MD5
ee34c05e9df3c0dc183ab80d47d16c28

SHA1
f4c52e8d2b8b7c4bc9ecbd1fb82d39e4fb05db5a

SHA256
cbbbacf294cc927d451987aa2e70d455789b2c78a2dfa0861038264c3b80db42

SHA512
ec0aec59095d2ebc325deba0a61f78b932c6535adab9eb58111b1a095ba6a4f4071be4763f0e8c01fc4e3d0aa2725a424a800199bf67bb3c07d8c56f49052e74

Download Submit
memory/1712-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-65-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1884-64-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1884-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1884-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing