Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

7

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

7

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

6

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

9

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

7

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

240703-tn93lsyglf 10

03-07-2024 16:11

240703-tm84xsyfma 10

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

230824-nda8msdf8z 10

Analysis

  • max time kernel
    1120s
  • max time network
    1131s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 06:42

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    878KB

  • MD5

    e4d4a59494265949993e26dee7b077d1

  • SHA1

    83e3d0c7e544117d6054e7d55932a7d2dbaf1163

  • SHA256

    5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

  • SHA512

    efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Score
10/10
badrabbitbootkitevasionpersistenceransomware

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Deletes NTFS Change Journal 2 TTPs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    ransomware
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Clears Windows event logs 1 TTPs
    evasionransomware
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

    ransomwarebootkit
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 1 IoCs
  • Modifies service 2 TTPs 161 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 16 IoCs
  • Checks SCSI registry key(s) 3 TTPs 96 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 27 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 153 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:768
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Modifies service
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Modifies service
      PID:2664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1F79EE20C3059F2441123B4678BA2642 E Global\MSI0000
      2⤵
      • Modifies WinLogon for persistence
      • Modifies data under HKEY_USERS
      PID:4392
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:4320
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1136
  • C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Modifies extensions of user files
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
            PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2333987964 && exit"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2333987964 && exit"
            4⤵
            • Creates scheduled task(s)
            PID:4364
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
            4⤵
            • Creates scheduled task(s)
            PID:5028
        • C:\Windows\CC5F.tmp
          "C:\Windows\CC5F.tmp" \\.\pipe\{717F4F2C-F49B-4686-BB05-5684ABD90307}
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3120
        • C:\Windows\SysWOW64\cmd.exe
          /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4588
          • C:\Windows\SysWOW64\wevtutil.exe
            wevtutil cl Setup
            4⤵
              PID:4628
            • C:\Windows\SysWOW64\wevtutil.exe
              wevtutil cl System
              4⤵
                PID:4456
              • C:\Windows\SysWOW64\wevtutil.exe
                wevtutil cl Security
                4⤵
                  PID:2608
                • C:\Windows\SysWOW64\wevtutil.exe
                  wevtutil cl Application
                  4⤵
                    PID:2916
                  • C:\Windows\SysWOW64\fsutil.exe
                    fsutil usn deletejournal /D C:
                    4⤵
                      PID:228
                  • C:\Windows\SysWOW64\cmd.exe
                    /c schtasks /Delete /F /TN drogon
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:224
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Delete /F /TN drogon
                      4⤵
                        PID:3968
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x0 /state0:0xa3ad8055 /state1:0x41c64e6d
                  1⤵
                  • Modifies WinLogon to allow AutoLogon
                  • Modifies data under HKEY_USERS
                  • Suspicious use of SetWindowsHookEx
                  PID:4580

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi
                  MD5

                  7f728acab22868ca02cc1ba0a14f5d64

                  SHA1

                  9e3e82b152447b8bcd27583fbdab7aa91ca4739d

                  SHA256

                  586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4

                  SHA512

                  9bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800

                  Download Submit

                • C:\Windows\CC5F.tmp
                  MD5

                  347ac3b6b791054de3e5720a7144a977

                  SHA1

                  413eba3973a15c1a6429d9f170f3e8287f98c21c

                  SHA256

                  301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

                  SHA512

                  9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

                  Download Submit

                • C:\Windows\CC5F.tmp
                  MD5

                  347ac3b6b791054de3e5720a7144a977

                  SHA1

                  413eba3973a15c1a6429d9f170f3e8287f98c21c

                  SHA256

                  301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

                  SHA512

                  9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

                  Download Submit

                • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                  MD5

                  a6d6bd6aef748e56cf4a1266f705978b

                  SHA1

                  b195f66c142584ed23170ea7738d0b6a8a6cbadf

                  SHA256

                  82dcccd3dd717e2524eb254501bb2692ea2788f36abd0277bc73bcfc64f2931e

                  SHA512

                  4612682a427a75d67e7bf67d0002f5621b3a9d176d10c0977e157db7695dc67c8eb7951b060e4f2522127aa8ac7e73ab757912fcc36eb7c226997e1ff53ae0c0

                  Download Submit

                • \??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{decd01c7-3405-4392-8919-5d2d34187499}_OnDiskSnapshotProp
                  MD5

                  418f6ffa237c2a767e8734850fbf024a

                  SHA1

                  7bd8a5e3d902b0d7bdca745e494ec6aedd53ea3e

                  SHA256

                  dba8ab3972379fec6897ce58fea7a40c15474c84ce56ecd8ba376890a4be0c78

                  SHA512

                  e04cb544754f86b30cd9314693586b4817400bd7eed8a1e6e88e04eb4dd3c41eef83c333a1327480200756ed97652c8da40329bec8da8428dde7f8109ff1985f

                  Download Submit

                • memory/224-35-0x0000000000000000-mapping.dmp

                  Download

                • memory/228-34-0x0000000000000000-mapping.dmp

                  Download

                • memory/768-2-0x0000000000000000-mapping.dmp

                  Download

                • memory/1488-21-0x0000000000000000-mapping.dmp

                  Download

                • memory/2208-24-0x0000000000000000-mapping.dmp

                  Download

                • memory/2608-32-0x0000000000000000-mapping.dmp

                  Download

                • memory/2632-19-0x00000000032A0000-0x0000000003308000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2632-18-0x0000000000000000-mapping.dmp

                  Download

                • memory/2664-12-0x0000000000000000-mapping.dmp

                  Download

                • memory/2916-33-0x0000000000000000-mapping.dmp

                  Download

                • memory/3120-25-0x0000000000000000-mapping.dmp

                  Download

                • memory/3968-36-0x0000000000000000-mapping.dmp

                  Download

                • memory/4364-23-0x0000000000000000-mapping.dmp

                  Download

                • memory/4392-15-0x0000000000000000-mapping.dmp

                  Download

                • memory/4456-31-0x0000000000000000-mapping.dmp

                  Download

                • memory/4468-22-0x0000000000000000-mapping.dmp

                  Download

                • memory/4588-29-0x0000000000000000-mapping.dmp

                  Download

                • memory/4628-30-0x0000000000000000-mapping.dmp

                  Download

                • memory/4668-20-0x0000000000000000-mapping.dmp

                  Download

                • memory/4760-3-0x0000000002590000-0x0000000002591000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/5028-28-0x0000000000000000-mapping.dmp

                  Download