405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77

General

Target

405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
Size

34KB
MD5

ecfa895afaf344e90ea5bc2fe3c37700
SHA1

d9d643073b4089ded6505ac8f6f283fbf4271adb
SHA256

405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77
SHA512

706ae69f69af2d538442cdd01c84ea20e5a02108559c7ba2de9ef5f6a929b5eee3c19399775220b721eef08a288ef3c83a96c0c12382513da83d75197a094449
SSDEEP

768:F22jpAzhjQo8hR/4cxgBLrjyP2/yWBMQo1afeTE5sT9M3jPEa:IYiJLrjyey6eM5sTOTr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2872	BCSSync.exe
2732	BCSSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2396	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
2396	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
2872	BCSSync.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139
Destination IP	83.133.119.139

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 2872 set thread context of 2732	2872	BCSSync.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\0HVJRgp.com	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync .exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2396	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 1152 wrote to memory of 2396	1152	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	31
PID 2396 wrote to memory of 2872	2396	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	32
PID 2396 wrote to memory of 2872	2396	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	32
PID 2396 wrote to memory of 2872	2396	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	32
PID 2396 wrote to memory of 2872	2396	405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe	32
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2872 wrote to memory of 2732	2872	BCSSync.exe	33
PID 2732 wrote to memory of 2168	2732	BCSSync.exe	34
PID 2732 wrote to memory of 2168	2732	BCSSync.exe	34
PID 2732 wrote to memory of 2168	2732	BCSSync.exe	34
PID 2732 wrote to memory of 2168	2732	BCSSync.exe	34

C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
"C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
  "C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\405711995f6a3c1eb78b121f91b769509fe69fb216a6e7115f416327c3b4bd77N.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
34KB

MD5
e1645ab1be44a507ea4aa7b4643e75dc

SHA1
4ef62946e5cbe5c8bd4de7a6a74dbff4cea470fa

SHA256
a069b92b429240b51217331ebab859c17541b7509be111be748fa5c4583dd8d4

SHA512
7814ec2c35ed60f6b9fdeefda5aa9e822933e10e291388ccda01511a1aa9f77b36bfbef56366f0ac7e917226b40b3f77f45b002178fb1d7717092d031a2cd21d

Download Submit
memory/2396-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2396-14-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2732-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing