1b501290005166f344cc02e53e8dbd8d5356e3f3c188ec191d0542c052c10091

Analysis

max time kernel
11s
max time network
11s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-01-2025 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bridgeporthost.exe
Size

1.8MB
MD5

c41f7b7c7d877445c487255bf87ca031
SHA1

3e915af8bbdf9b085a9f3c2bd4c0cbb5c34de0e9
SHA256

1b501290005166f344cc02e53e8dbd8d5356e3f3c188ec191d0542c052c10091
SHA512

f0b7d5ed8b11048de74c3ea0b29a5f187a981c148a1414630eaa97320810df993c47d0f2973a6d3081feac87c5e25d162a99dbfb0d206551a4572104b97bb319
SSDEEP

24576:SDCHCRqelY7npkw0lrwVMUb0YB5YXBIZxV99CQg3N1ePrUoz4v/9H/1wBLQ+5VoO:SDaxawOU4UWSZxVqQuj4nkyLdfo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	bridgeporthost.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	OfficeClickToRun.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	bridgeporthost.exe
File created	C:\Program Files (x86)\Windows Mail\ea9f0e6c9e2dcd	bridgeporthost.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RuntimeBroker.exe	bridgeporthost.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\9e8d7a4ca61bd9	bridgeporthost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\OfficeClickToRun.exe	bridgeporthost.exe
File created	C:\Windows\ShellExperiences\e6c9b481da804f	bridgeporthost.exe
File created	C:\Windows\Setup\fontdrvhost.exe	bridgeporthost.exe
File created	C:\Windows\Setup\5b884080fd4f94	bridgeporthost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000_Classes\Local Settings	bridgeporthost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
548	bridgeporthost.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe
2340	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	bridgeporthost.exe
Token: SeDebugPrivilege	2340	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1664	548	bridgeporthost.exe	82
PID 548 wrote to memory of 1664	548	bridgeporthost.exe	82
PID 1664 wrote to memory of 2596	1664	cmd.exe	84
PID 1664 wrote to memory of 2596	1664	cmd.exe	84
PID 1664 wrote to memory of 2288	1664	cmd.exe	85
PID 1664 wrote to memory of 2288	1664	cmd.exe	85
PID 1664 wrote to memory of 2340	1664	cmd.exe	86
PID 1664 wrote to memory of 2340	1664	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\bridgeporthost.exe
"C:\Users\Admin\AppData\Local\Temp\bridgeporthost.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V6zSrEjk26.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2596
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2288
- - C:\Windows\ShellExperiences\OfficeClickToRun.exe
    "C:\Windows\ShellExperiences\OfficeClickToRun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V6zSrEjk26.bat

Filesize
224B

MD5
90b2750b676eed2414da9c8c7382d9b3

SHA1
8ddfc0ae2714e664acedda9eac2fa434a1ee6fb8

SHA256
110562d7730f388caccd483583adaa973980d1118bfc9036e8f23fff52cfff46

SHA512
0cb108fd6192f45b284076a5b45b70be3bafbb933a7613ba37df9c4eb93e596951ff720f0941c28469aa8431c7b4cf8b48195c9500b8df29af3f78581624f00d

Download Submit
C:\Windows\ShellExperiences\OfficeClickToRun.exe

Filesize
1.8MB

MD5
c41f7b7c7d877445c487255bf87ca031

SHA1
3e915af8bbdf9b085a9f3c2bd4c0cbb5c34de0e9

SHA256
1b501290005166f344cc02e53e8dbd8d5356e3f3c188ec191d0542c052c10091

SHA512
f0b7d5ed8b11048de74c3ea0b29a5f187a981c148a1414630eaa97320810df993c47d0f2973a6d3081feac87c5e25d162a99dbfb0d206551a4572104b97bb319

Download Submit
memory/548-9-0x000000001B360000-0x000000001B3B0000-memory.dmp

Filesize
320KB

Download
memory/548-11-0x0000000002470000-0x0000000002488000-memory.dmp

Filesize
96KB

Download
memory/548-4-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-6-0x0000000002450000-0x000000000246C000-memory.dmp

Filesize
112KB

Download
memory/548-7-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-8-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/548-0-0x00007FF813513000-0x00007FF813515000-memory.dmp

Filesize
8KB

Download
memory/548-3-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-14-0x0000000002460000-0x000000000246E000-memory.dmp

Filesize
56KB

Download
memory/548-12-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-20-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-24-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-2-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-31-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download
memory/548-1-0x0000000000160000-0x0000000000336000-memory.dmp

Filesize
1.8MB

Download
memory/2340-33-0x00007FF813510000-0x00007FF813FD2000-memory.dmp

Filesize
10.8MB

Download