d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80

General

Target

d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
Size

64KB
MD5

656c54728398b591a5cfac76d206e097
SHA1

13fb21e405360dba19a264b482276676bc51f49f
SHA256

d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80
SHA512

255c5417327c7e05ac7638323556bfa8763a660adad8120f6d43944154d100d1b7bd81e34c8fdc26c25b4ab8188023298f88238539acb6096406178cabcb0587
SSDEEP

768:bBwa3wLSqZkETG/j53wbU4oF4/EOi97emHGqn5DLDdQOn2skZI:r3wLSeK/FqU4/PHmHGq5DndQ0272

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1320	BCSSync.exe
1808	BCSSync.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
1204	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1320 set thread context of 1808	1320	BCSSync.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\2nYrbdFef.com	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1204	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1348 wrote to memory of 1204	1348	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	27
PID 1204 wrote to memory of 1320	1204	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	28
PID 1204 wrote to memory of 1320	1204	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	28
PID 1204 wrote to memory of 1320	1204	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	28
PID 1204 wrote to memory of 1320	1204	d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe	28
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1320 wrote to memory of 1808	1320	BCSSync.exe	29
PID 1808 wrote to memory of 1552	1808	BCSSync.exe	30
PID 1808 wrote to memory of 1552	1808	BCSSync.exe	30
PID 1808 wrote to memory of 1552	1808	BCSSync.exe	30
PID 1808 wrote to memory of 1552	1808	BCSSync.exe	30

C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
"C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
  "C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\d1ba2091c52a840e80a8563a3870cc2b1bad41c9d205e19d4e845ee4f774db80.exe
        5⤵
        
        PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
64KB

MD5
4d30ce0b5ab2896bee95e029ab5971ab

SHA1
247766d61b72e346a53c0662f29e61c77373a490

SHA256
39f4695be3a26590e0304aad92b20249604a851d3d58e04491a17b4c702889ed

SHA512
28acdb06ad80da2a4524e72cdacb2b954fd7dda86eb9259f71e78eaadcd942372255af0bcab1ba0ba4382d6e0647b790d3dea20e28bba0bab9e4cb7f8e3f529b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
64KB

MD5
4d30ce0b5ab2896bee95e029ab5971ab

SHA1
247766d61b72e346a53c0662f29e61c77373a490

SHA256
39f4695be3a26590e0304aad92b20249604a851d3d58e04491a17b4c702889ed

SHA512
28acdb06ad80da2a4524e72cdacb2b954fd7dda86eb9259f71e78eaadcd942372255af0bcab1ba0ba4382d6e0647b790d3dea20e28bba0bab9e4cb7f8e3f529b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
64KB

MD5
4d30ce0b5ab2896bee95e029ab5971ab

SHA1
247766d61b72e346a53c0662f29e61c77373a490

SHA256
39f4695be3a26590e0304aad92b20249604a851d3d58e04491a17b4c702889ed

SHA512
28acdb06ad80da2a4524e72cdacb2b954fd7dda86eb9259f71e78eaadcd942372255af0bcab1ba0ba4382d6e0647b790d3dea20e28bba0bab9e4cb7f8e3f529b

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
64KB

MD5
4d30ce0b5ab2896bee95e029ab5971ab

SHA1
247766d61b72e346a53c0662f29e61c77373a490

SHA256
39f4695be3a26590e0304aad92b20249604a851d3d58e04491a17b4c702889ed

SHA512
28acdb06ad80da2a4524e72cdacb2b954fd7dda86eb9259f71e78eaadcd942372255af0bcab1ba0ba4382d6e0647b790d3dea20e28bba0bab9e4cb7f8e3f529b

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
64KB

MD5
4d30ce0b5ab2896bee95e029ab5971ab

SHA1
247766d61b72e346a53c0662f29e61c77373a490

SHA256
39f4695be3a26590e0304aad92b20249604a851d3d58e04491a17b4c702889ed

SHA512
28acdb06ad80da2a4524e72cdacb2b954fd7dda86eb9259f71e78eaadcd942372255af0bcab1ba0ba4382d6e0647b790d3dea20e28bba0bab9e4cb7f8e3f529b

Download Submit
memory/1204-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-100-0x0000000001F80000-0x0000000001F94000-memory.dmp

Filesize
80KB

Download
memory/1204-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-65-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1204-66-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1204-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-94-0x0000000001F80000-0x0000000001F94000-memory.dmp

Filesize
80KB

Download
memory/1204-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1204-99-0x0000000001F80000-0x0000000001F94000-memory.dmp

Filesize
80KB

Download
memory/1204-96-0x00000000744D1000-0x00000000744D3000-memory.dmp

Filesize
8KB

Download
memory/1204-93-0x0000000001F80000-0x0000000001F94000-memory.dmp

Filesize
80KB

Download
memory/1320-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1348-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1808-95-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing