Analysis
-
max time kernel
112s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
11-03-2022 12:55
Static task
static1
Behavioral task
behavioral1
Sample
triage_dropped_file.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
triage_dropped_file.exe
Resource
win10v2004-en-20220113
General
-
Target
triage_dropped_file.exe
-
Size
308KB
-
MD5
e41def555743c430d0def4a513de4d96
-
SHA1
7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e
-
SHA256
1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5
-
SHA512
331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
bifhcp.exepid process 2020 bifhcp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
triage_dropped_file.exebifhcp.exedescription pid process target process PID 4240 wrote to memory of 2020 4240 triage_dropped_file.exe bifhcp.exe PID 4240 wrote to memory of 2020 4240 triage_dropped_file.exe bifhcp.exe PID 4240 wrote to memory of 2020 4240 triage_dropped_file.exe bifhcp.exe PID 2020 wrote to memory of 3712 2020 bifhcp.exe bifhcp.exe PID 2020 wrote to memory of 3712 2020 bifhcp.exe bifhcp.exe PID 2020 wrote to memory of 3712 2020 bifhcp.exe bifhcp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeC:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeC:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8uvc6tb2cw52MD5
ad8694bf41f9cbbb4d8e671a3ce0612a
SHA160b8f572210e8112f04d165b515bd63a2eefaebc
SHA256f12abecd7d300f5e0077a910f46adff553a2f3d5492cc076443345ea5c038239
SHA51210c9214615a73582dda0c288d297eacbc9c655977a6a6f01b78f5d0c1c2d748a0cecaf5ce08a54de75baee760629de6c77b81d2647e6c7a22465d844142be478
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\xvipmwMD5
da749731ed6579052c657302b892b44b
SHA17da4156af0f1e9ef397e836e9f7a75e90bce1a07
SHA256c39222c6207fd53f6836e1dd1726f4d2f3f76622208b8113ce23fcb22cb88470
SHA512e05b3dbd36daabc99edccbee11e31b3cc645b04f41226e2fb1c5772342e47240383d63564955ef35fa5b530e4b404af041f89836ad4ebea8b5c3d65fa3687d92
-
memory/2020-134-0x0000000000BD0000-0x0000000000BD2000-memory.dmpFilesize
8KB