Analysis
-
max time kernel
41s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 14:48
Behavioral task
behavioral1
Sample
bifrost.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
bifrost.exe
Resource
win10v2004-20220901-en
General
-
Target
bifrost.exe
-
Size
1.8MB
-
MD5
57b40349e764218a84dcc24771912013
-
SHA1
632c4fb859357d53ff200258a7f287cb4ac729a1
-
SHA256
13a336fd1c6148134a22d9d6a0b65e6d1b8d0512fc0d4a8cb68ca1967a96aba5
-
SHA512
90a049509b4ea5d6b0c4c60cff6c7a174a1370a630490a047af0285900efb57c6b89fc56fbad45ee61b64c4f7fdcfc785e3a8d5d72d7fc3e36a7e275390da6f8
-
SSDEEP
24576:JmrRJmzQVspzfungCHOfGnK7pMrJ26L7PtcpzR6GD+ZCXM4YwtQRIkV6+:JmrRUzZragOyB7p2J26HepsnL
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
10.exe10.exepid process 4244 10.exe 5076 10.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
bifrost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation bifrost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
10.exedescription pid process target process PID 4244 set thread context of 5076 4244 10.exe 10.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
10.exepid process 5076 10.exe 5076 10.exe 5076 10.exe 5076 10.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
10.exedescription pid process Token: SeDebugPrivilege 4244 10.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
bifrost.exe10.exe10.exedescription pid process target process PID 1828 wrote to memory of 4244 1828 bifrost.exe 10.exe PID 1828 wrote to memory of 4244 1828 bifrost.exe 10.exe PID 1828 wrote to memory of 4244 1828 bifrost.exe 10.exe PID 4244 wrote to memory of 3796 4244 10.exe 10.exe PID 4244 wrote to memory of 3796 4244 10.exe 10.exe PID 4244 wrote to memory of 3796 4244 10.exe 10.exe PID 4244 wrote to memory of 5076 4244 10.exe 10.exe PID 4244 wrote to memory of 5076 4244 10.exe 10.exe PID 4244 wrote to memory of 5076 4244 10.exe 10.exe PID 4244 wrote to memory of 5076 4244 10.exe 10.exe PID 4244 wrote to memory of 5076 4244 10.exe 10.exe PID 4244 wrote to memory of 5076 4244 10.exe 10.exe PID 4244 wrote to memory of 5076 4244 10.exe 10.exe PID 5076 wrote to memory of 3040 5076 10.exe Explorer.EXE PID 5076 wrote to memory of 3040 5076 10.exe Explorer.EXE PID 5076 wrote to memory of 3040 5076 10.exe Explorer.EXE PID 5076 wrote to memory of 3040 5076 10.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\bifrost.exe"C:\Users\Admin\AppData\Local\Temp\bifrost.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\10.exeC:\Users\Admin\AppData\Local\Temp\10.exe4⤵PID:3796
-
C:\Users\Admin\AppData\Local\Temp\10.exeC:\Users\Admin\AppData\Local\Temp\10.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5076
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\10.exeFilesize
421KB
MD51681ddaa65e6039f4e01b9c5d2b66de1
SHA169e66bba05d57499109aa62a50fb3e4a37325939
SHA256d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0
SHA5124885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac
-
C:\Users\Admin\AppData\Local\Temp\10.exeFilesize
421KB
MD51681ddaa65e6039f4e01b9c5d2b66de1
SHA169e66bba05d57499109aa62a50fb3e4a37325939
SHA256d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0
SHA5124885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac
-
C:\Users\Admin\AppData\Local\Temp\10.exeFilesize
421KB
MD51681ddaa65e6039f4e01b9c5d2b66de1
SHA169e66bba05d57499109aa62a50fb3e4a37325939
SHA256d476dc93cb32252f42fa156eff2655643a2deabfcfb8c442c2567a9443ab05c0
SHA5124885eb4d268c2513a67eb280660fa80b8506b106850183921a82ba14a46409a770ea2cb7a674a9d0d79668564fdb45c102a8584b09d7011bff0951bae6aac6ac
-
memory/3040-145-0x000000007FFF0000-0x000000007FFF7000-memory.dmpFilesize
28KB
-
memory/4244-132-0x0000000000000000-mapping.dmp
-
memory/4244-135-0x0000000000690000-0x00000000006E0000-memory.dmpFilesize
320KB
-
memory/4244-138-0x00000000735D0000-0x0000000073B81000-memory.dmpFilesize
5.7MB
-
memory/4244-143-0x00000000735D0000-0x0000000073B81000-memory.dmpFilesize
5.7MB
-
memory/5076-139-0x0000000000000000-mapping.dmp
-
memory/5076-140-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/5076-144-0x0000000000400000-0x0000000000408960-memory.dmpFilesize
34KB
-
memory/5076-146-0x0000000010000000-0x0000000010013000-memory.dmpFilesize
76KB