55e097d3c8bcae2ebd43f9bd054eccb274b7d0d3a8a4026170a5fdb9b0f793e6

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25095cd5326c5c3972a94c82e5bc368d.exe
Size

678KB
MD5

25095cd5326c5c3972a94c82e5bc368d
SHA1

af568d5edad1174a662d7e52fab148548152dc4c
SHA256

55e097d3c8bcae2ebd43f9bd054eccb274b7d0d3a8a4026170a5fdb9b0f793e6
SHA512

14e1f9612c45dd1390836cb2bc154a9569bb1875c2c6cd93adf22db7127e7e6bf747cee0c5c07311c038812230b2e025c75151925c65630bd9373e33be833d81
SSDEEP

12288:B27/bTehEqclr/tOCvrK7TggkHpRI26/LinyFmaXUxH9K8iszknSau+dGHlNz30:Bu/PWcx/f27Tob6/LinYmaXUxHRdFRH4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1236	Bifrost.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	25095cd5326c5c3972a94c82e5bc368d.exe
2480	25095cd5326c5c3972a94c82e5bc368d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1236	Bifrost.exe
1236	Bifrost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1236	2480	25095cd5326c5c3972a94c82e5bc368d.exe	16
PID 2480 wrote to memory of 1236	2480	25095cd5326c5c3972a94c82e5bc368d.exe	16
PID 2480 wrote to memory of 1236	2480	25095cd5326c5c3972a94c82e5bc368d.exe	16
PID 2480 wrote to memory of 1236	2480	25095cd5326c5c3972a94c82e5bc368d.exe	16
PID 2480 wrote to memory of 1236	2480	25095cd5326c5c3972a94c82e5bc368d.exe	16
PID 2480 wrote to memory of 1236	2480	25095cd5326c5c3972a94c82e5bc368d.exe	16
PID 2480 wrote to memory of 1236	2480	25095cd5326c5c3972a94c82e5bc368d.exe	16

C:\Users\Admin\AppData\Local\Temp\25095cd5326c5c3972a94c82e5bc368d.exe
"C:\Users\Admin\AppData\Local\Temp\25095cd5326c5c3972a94c82e5bc368d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
  "C:\Users\Admin\AppData\Local\Temp\Bifrost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bifrost.exe

Filesize
92KB

MD5
fd951e8bc3a256c5cc21840fa0fa15bd

SHA1
a72fbfc9edc32682d94d780ba3adfc0300dc1fb3

SHA256
1302e09e07bf7286ce708eb6df44b228c6f14a941cfa1d45d814d8b4402ac768

SHA512
88c3df497a694178f43272dba43be81e2d91bd30420e08fad18405b8b5fc6741466f0acd29709d5053583ae3eb73fda4e62a05ef51380d18c303eb5a27b525fe

Download Submit
\Users\Admin\AppData\Local\Temp\Bifrost.exe

Filesize
607KB

MD5
c390fa302fad89aa84e295a6a5473fd4

SHA1
9915d7cf90b88c50aa4e387ba4ce12cc98eeef9d

SHA256
c8dcc9b7ab64c622d1d19bfe0316ac28a65e3f804d5b0843d2f7a4acf70ece4c

SHA512
8f98d778491192fe77f5d970db419bb72ef4b6fcb6267747b2d4a3c9aea5f46f16c6e9d37c7ceaa10be3dd0af5bc30f2a3c1cd267909f596aa5be4d3c6b35d5d

Download Submit
\Users\Admin\AppData\Local\Temp\Bifrost.exe

Filesize
98KB

MD5
1e76cfb8189e5e306e82668546f94cdb

SHA1
dff0b9543c2ee85059e03f4ad400305c5b7fd83d

SHA256
224faca35b9a11342ba24ea24e948fc6fc2f28fd73757bde685cdd6d8f480793

SHA512
ee4e65262730f252820d141998f9f46b172cf8cd998cc57c700868812357f345f89d6cfdd3c985759b414b1e6fd82e851404a56765cd79988605090b68b78bb7

Download Submit
memory/1236-12-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/1236-11-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/1236-14-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download