d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0

General

Target

d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe
Size

178KB
MD5

6d580dce5fa658941103c41aa4233e79
SHA1

4476601fb39b3462090048738c78898188b6a461
SHA256

d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0
SHA512

b15b1639c0252ec7b3a4267793a2d50410d8e19f021acbd4944fac47d6ebf70a45406f4716b3c51d00d774224071879fa7a050cb1ccee5e15880fd0780a8b988
SSDEEP

3072:KzNWMKKRZYchObK91C8sV6Xmoo4LEpYmHvWP+lX1q+OjC01BmD:KZuuObR8sVImcyYmeP+llGjCYBmD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
268	server_original_original_original.sfx.exe
1192	server_original_original_original.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}	server_original_original_original.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath = "C:\\Program Files (x86)\\Bifrost\\Server.exe s"	server_original_original_original.exe

Loads dropped DLL 3 IoCs

pid	Process
1220	d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe
268	server_original_original_original.sfx.exe
268	server_original_original_original.sfx.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bifrost\Server.exe	server_original_original_original.exe
File opened for modification	C:\Program Files (x86)\Bifrost\logg.dat	server_original_original_original.exe
File opened for modification	C:\Program Files (x86)\Bifrost\Server.exe	server_original_original_original.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	server_original_original_original.exe
Token: SeDebugPrivilege	1192	server_original_original_original.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1192	server_original_original_original.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 268	1220	d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe	28
PID 1220 wrote to memory of 268	1220	d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe	28
PID 1220 wrote to memory of 268	1220	d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe	28
PID 1220 wrote to memory of 268	1220	d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe	28
PID 268 wrote to memory of 1192	268	server_original_original_original.sfx.exe	29
PID 268 wrote to memory of 1192	268	server_original_original_original.sfx.exe	29
PID 268 wrote to memory of 1192	268	server_original_original_original.sfx.exe	29
PID 268 wrote to memory of 1192	268	server_original_original_original.sfx.exe	29

C:\Users\Admin\AppData\Local\Temp\d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe
"C:\Users\Admin\AppData\Local\Temp\d82f617d94c35546c60d5c428182dd59676b274069f637e261bef100b681baf0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\server_original_original_original.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\server_original_original_original.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\server_original_original_original.exe
    "C:\Users\Admin\AppData\Local\Temp\server_original_original_original.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server_original_original_original.exe

Filesize
39KB

MD5
4170b4754ac84fe2f367da83cd4db36f

SHA1
57b407b0867702ed938fc1c0fd59ce65b24463fa

SHA256
3875ef9d636b8cdf209f477dd62974d908ad6e45ecf8f5578083dd7e545c69e4

SHA512
c95fcfe9d61bbbd35e14602c6c42fdeb49f84413f11cd32c5876e599d7837c5f7935ec34d8fb8088cee6da2be9f9cc58c05e385b1fa66e74bf9686d3e0763dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_original_original_original.exe

Filesize
39KB

MD5
4170b4754ac84fe2f367da83cd4db36f

SHA1
57b407b0867702ed938fc1c0fd59ce65b24463fa

SHA256
3875ef9d636b8cdf209f477dd62974d908ad6e45ecf8f5578083dd7e545c69e4

SHA512
c95fcfe9d61bbbd35e14602c6c42fdeb49f84413f11cd32c5876e599d7837c5f7935ec34d8fb8088cee6da2be9f9cc58c05e385b1fa66e74bf9686d3e0763dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_original_original_original.sfx.exe

Filesize
128KB

MD5
894e6f7b13efc7e3a4fd3157fbab3b80

SHA1
120b98b09c0574def39243234a4e16ce9a12df9c

SHA256
54b99737844218f218104a36e59063792d4e7cd573689593330032adafcde757

SHA512
2b2881e44814ebfab16973f2451459b0fb49d43e2e0d430075e4a339c08a0f1a401fa3fca698d3c22ef968ddd83294c2ab3e59b95a6395f51a133d0b3ca2eb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_original_original_original.sfx.exe

Filesize
128KB

MD5
894e6f7b13efc7e3a4fd3157fbab3b80

SHA1
120b98b09c0574def39243234a4e16ce9a12df9c

SHA256
54b99737844218f218104a36e59063792d4e7cd573689593330032adafcde757

SHA512
2b2881e44814ebfab16973f2451459b0fb49d43e2e0d430075e4a339c08a0f1a401fa3fca698d3c22ef968ddd83294c2ab3e59b95a6395f51a133d0b3ca2eb86

Download Submit
\Users\Admin\AppData\Local\Temp\server_original_original_original.exe

Filesize
39KB

MD5
4170b4754ac84fe2f367da83cd4db36f

SHA1
57b407b0867702ed938fc1c0fd59ce65b24463fa

SHA256
3875ef9d636b8cdf209f477dd62974d908ad6e45ecf8f5578083dd7e545c69e4

SHA512
c95fcfe9d61bbbd35e14602c6c42fdeb49f84413f11cd32c5876e599d7837c5f7935ec34d8fb8088cee6da2be9f9cc58c05e385b1fa66e74bf9686d3e0763dc6

Download Submit
\Users\Admin\AppData\Local\Temp\server_original_original_original.exe

Filesize
39KB

MD5
4170b4754ac84fe2f367da83cd4db36f

SHA1
57b407b0867702ed938fc1c0fd59ce65b24463fa

SHA256
3875ef9d636b8cdf209f477dd62974d908ad6e45ecf8f5578083dd7e545c69e4

SHA512
c95fcfe9d61bbbd35e14602c6c42fdeb49f84413f11cd32c5876e599d7837c5f7935ec34d8fb8088cee6da2be9f9cc58c05e385b1fa66e74bf9686d3e0763dc6

Download Submit
\Users\Admin\AppData\Local\Temp\server_original_original_original.sfx.exe

Filesize
128KB

MD5
894e6f7b13efc7e3a4fd3157fbab3b80

SHA1
120b98b09c0574def39243234a4e16ce9a12df9c

SHA256
54b99737844218f218104a36e59063792d4e7cd573689593330032adafcde757

SHA512
2b2881e44814ebfab16973f2451459b0fb49d43e2e0d430075e4a339c08a0f1a401fa3fca698d3c22ef968ddd83294c2ab3e59b95a6395f51a133d0b3ca2eb86

Download Submit
memory/1192-66-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1192-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1192-69-0x0000000077C60000-0x0000000077D00000-memory.dmp

Filesize
640KB

Download
memory/1192-67-0x0000000077C60000-0x0000000077D00000-memory.dmp

Filesize
640KB

Download
memory/1192-70-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1220-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing