ff43602a591f2130c3c8fa71922a31abc01641e7ff048bf2e08e3d3d59c24253

General

Target

59051aeced793e477a13ce4f6ef1313c.exe
Size

37KB
MD5

59051aeced793e477a13ce4f6ef1313c
SHA1

1b52875eb7796037145089c9b2868882b549d7c7
SHA256

ff43602a591f2130c3c8fa71922a31abc01641e7ff048bf2e08e3d3d59c24253
SHA512

76c4d51ec8d77186598821b19ea371b72d706be8127a3643c2660a8608822624f0c2099b23112be055586514c5ef27e72f0e2340206f9674c71360320e50c4ad
SSDEEP

768:edIZ/alwuAknNWuCMQpb0ruFm1YqTrmHwbLyMy8:edILlknNU4rOobbLyn8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2896	BCSSync.exe
2884	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2036	59051aeced793e477a13ce4f6ef1313c.exe
2036	59051aeced793e477a13ce4f6ef1313c.exe
2896	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2896 set thread context of 2884	2896	BCSSync.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	59051aeced793e477a13ce4f6ef1313c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	59051aeced793e477a13ce4f6ef1313c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	59051aeced793e477a13ce4f6ef1313c.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2500 wrote to memory of 2036	2500	59051aeced793e477a13ce4f6ef1313c.exe	28
PID 2036 wrote to memory of 2896	2036	59051aeced793e477a13ce4f6ef1313c.exe	29
PID 2036 wrote to memory of 2896	2036	59051aeced793e477a13ce4f6ef1313c.exe	29
PID 2036 wrote to memory of 2896	2036	59051aeced793e477a13ce4f6ef1313c.exe	29
PID 2036 wrote to memory of 2896	2036	59051aeced793e477a13ce4f6ef1313c.exe	29
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2896 wrote to memory of 2884	2896	BCSSync.exe	30
PID 2884 wrote to memory of 2616	2884	BCSSync.exe	31
PID 2884 wrote to memory of 2616	2884	BCSSync.exe	31
PID 2884 wrote to memory of 2616	2884	BCSSync.exe	31
PID 2884 wrote to memory of 2616	2884	BCSSync.exe	31

C:\Users\Admin\AppData\Local\Temp\59051aeced793e477a13ce4f6ef1313c.exe
"C:\Users\Admin\AppData\Local\Temp\59051aeced793e477a13ce4f6ef1313c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\59051aeced793e477a13ce4f6ef1313c.exe
  "C:\Users\Admin\AppData\Local\Temp\59051aeced793e477a13ce4f6ef1313c.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\59051aeced793e477a13ce4f6ef1313c.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\59051aeced793e477a13ce4f6ef1313c.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\59051aeced793e477a13ce4f6ef1313c.exe
        5⤵
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
37KB

MD5
735bf5701ee89261ecaeaa78868053a3

SHA1
2e24928e02a60c421bc0d4efb58c311a3ec45a73

SHA256
4705f9462ba0eed6b065032624a0ba07ade8af89d0f496f977b0919e59395a29

SHA512
e5621d47af2758cffee60bd2f8a087592eb1780215ae851b632afa94b34bb91b239b7c93ca24ac58fa7fd0bf80c1ec9333354357d068b28a854c15c19d8a6d68

Download Submit
memory/2036-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2884-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2884-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing