023123cc7367ab37e8a9993a75b29d2e370a1e8b600e220eb043cc2cb16412aa

General

Target

bifrost.exe
Size

1.8MB
MD5

57b40349e764218a84dcc24771912013
SHA1

632c4fb859357d53ff200258a7f287cb4ac729a1
SHA256

13a336fd1c6148134a22d9d6a0b65e6d1b8d0512fc0d4a8cb68ca1967a96aba5
SHA512

90a049509b4ea5d6b0c4c60cff6c7a174a1370a630490a047af0285900efb57c6b89fc56fbad45ee61b64c4f7fdcfc785e3a8d5d72d7fc3e36a7e275390da6f8
SSDEEP

24576:JmrRJmzQVspzfungCHOfGnK7pMrJ26L7PtcpzR6GD+ZCXM4YwtQRIkV6+:JmrRUzZragOyB7p2J26HepsnL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

10.exe

pid process

876 10.exe
Loads dropped DLL 2 IoCs

Processes:

bifrost.exe

pid process

1764 bifrost.exe
1764 bifrost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
876	10.exe

pid	process
1764	bifrost.exe
1764	bifrost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bifrost.exe

description	pid	process	target process
PID 1764 wrote to memory of 876	1764	bifrost.exe	10.exe
PID 1764 wrote to memory of 876	1764	bifrost.exe	10.exe
PID 1764 wrote to memory of 876	1764	bifrost.exe	10.exe
PID 1764 wrote to memory of 876	1764	bifrost.exe	10.exe

C:\Users\Admin\AppData\Local\Temp\bifrost.exe
"C:\Users\Admin\AppData\Local\Temp\bifrost.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\10.exe
"C:\Users\Admin\AppData\Local\Temp\10.exe"
2⤵
- Executes dropped EXE
PID:876

C:\Users\Admin\AppData\Local\Temp\10.exe
C:\Users\Admin\AppData\Local\Temp\10.exe
3⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\10.exe
C:\Users\Admin\AppData\Local\Temp\10.exe
3⤵
PID:916

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10.exe
Filesize
421KB

MD5
1681ddaa65e6039f4e01b9c5d2b66de1

SHA1
69e66bba05d57499109aa62a50fb3e4a37325939

SHA256
d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0

SHA512
4885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe
Filesize
421KB

MD5
1681ddaa65e6039f4e01b9c5d2b66de1

SHA1
69e66bba05d57499109aa62a50fb3e4a37325939

SHA256
d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0

SHA512
4885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe
Filesize
421KB

MD5
1681ddaa65e6039f4e01b9c5d2b66de1

SHA1
69e66bba05d57499109aa62a50fb3e4a37325939

SHA256
d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0

SHA512
4885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac

Download Submit
\Users\Admin\AppData\Local\Temp\10.exe
Filesize
421KB

MD5
1681ddaa65e6039f4e01b9c5d2b66de1

SHA1
69e66bba05d57499109aa62a50fb3e4a37325939

SHA256
d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0

SHA512
4885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac

Download Submit
\Users\Admin\AppData\Local\Temp\10.exe
Filesize
421KB

MD5
1681ddaa65e6039f4e01b9c5d2b66de1

SHA1
69e66bba05d57499109aa62a50fb3e4a37325939

SHA256
d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0

SHA512
4885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac

Download Submit
\Users\Admin\AppData\Local\Temp\10.exe
Filesize
421KB

MD5
1681ddaa65e6039f4e01b9c5d2b66de1

SHA1
69e66bba05d57499109aa62a50fb3e4a37325939

SHA256
d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0

SHA512
4885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac

Download Submit
\Users\Admin\AppData\Local\Temp\10.exe
Filesize
421KB

MD5
1681ddaa65e6039f4e01b9c5d2b66de1

SHA1
69e66bba05d57499109aa62a50fb3e4a37325939

SHA256
d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0

SHA512
4885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac

Download Submit
memory/876-59-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/876-57-0x0000000000000000-mapping.dmp

Download
memory/876-63-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/876-76-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/876-64-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/916-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/916-71-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/916-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/916-73-0x0000000000407C89-mapping.dmp

Download
memory/916-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/916-77-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/916-82-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1280-79-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1764-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing