1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

Analysis

max time kernel
112s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
11-03-2022 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

triage_dropped_file.exe
Size

308KB
MD5

e41def555743c430d0def4a513de4d96
SHA1

7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e
SHA256

1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5
SHA512

331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bifhcp.exe

pid process

2020 bifhcp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2020	bifhcp.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

triage_dropped_file.exebifhcp.exe

description	pid	process	target process
PID 4240 wrote to memory of 2020	4240	triage_dropped_file.exe	bifhcp.exe
PID 4240 wrote to memory of 2020	4240	triage_dropped_file.exe	bifhcp.exe
PID 4240 wrote to memory of 2020	4240	triage_dropped_file.exe	bifhcp.exe
PID 2020 wrote to memory of 3712	2020	bifhcp.exe	bifhcp.exe
PID 2020 wrote to memory of 3712	2020	bifhcp.exe	bifhcp.exe
PID 2020 wrote to memory of 3712	2020	bifhcp.exe	bifhcp.exe

C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
3⤵
PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8uvc6tb2cw52
MD5
ad8694bf41f9cbbb4d8e671a3ce0612a

SHA1
60b8f572210e8112f04d165b515bd63a2eefaebc

SHA256
f12abecd7d300f5e0077a910f46adff553a2f3d5492cc076443345ea5c038239

SHA512
10c9214615a73582dda0c288d297eacbc9c655977a6a6f01b78f5d0c1c2d748a0cecaf5ce08a54de75baee760629de6c77b81d2647e6c7a22465d844142be478

Download Submit
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
MD5
40025a502304d446b8e53205991b96c1

SHA1
652b3f88b0521c3abd88290c5d69049e7486312c

SHA256
ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

SHA512
042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
MD5
40025a502304d446b8e53205991b96c1

SHA1
652b3f88b0521c3abd88290c5d69049e7486312c

SHA256
ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

SHA512
042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvipmw
MD5
da749731ed6579052c657302b892b44b

SHA1
7da4156af0f1e9ef397e836e9f7a75e90bce1a07

SHA256
c39222c6207fd53f6836e1dd1726f4d2f3f76622208b8113ce23fcb22cb88470

SHA512
e05b3dbd36daabc99edccbee11e31b3cc645b04f41226e2fb1c5772342e47240383d63564955ef35fa5b530e4b404af041f89836ad4ebea8b5c3d65fa3687d92

Download Submit
memory/2020-134-0x0000000000BD0000-0x0000000000BD2000-memory.dmp

Filesize
8KB

Download