badrabbit | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

[email protected]
Size

1.0MB
MD5

0002dddba512e20c3f82aaab8bad8b4d
SHA1

493286b108822ba636cc0e53b8259e4f06ecf900
SHA256

2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512

497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Score

10^/10

badrabbit bootkit discovery evasion persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070

Blacklisted process makes network request 2 IoCs

flow	pid	Process
360	1624	rundll32.exe
372	1624	rundll32.exe

Executes dropped EXE 5 IoCs

pid	Process
3872	is-C3CH1.tmp
1412	RegistrySmart.exe
1224	Launcher.exe
3124	RegistrySmart.exe
816	9DBE.tmp

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

Enables rebooting of the machine without requiring login credentials.

ransomware bootkit

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RestoreClose.tiff	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	is-C3CH1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegistrySmart = "\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot"	is-C3CH1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RegistrySmart\is-56H0E.tmp	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\is-K6R2K.tmp	is-C3CH1.tmp
File opened for modification	C:\Program Files (x86)\RegistrySmart\RegistrySmart.url	is-C3CH1.tmp
File opened for modification	C:\Program Files (x86)\RegistrySmart\unins000.dat	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\unins000.dat	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\is-MPR21.tmp	is-C3CH1.tmp
File created	C:\Program Files (x86)\RegistrySmart\is-B6UH2.tmp	is-C3CH1.tmp

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\9DBE.tmp	rundll32.exe
File created	C:\Windows\Tasks\RegistrySmart Scheduled Scan.job	RegistrySmart.exe
File opened for modification	C:\Windows\Tasks\RegistrySmart Scheduled Scan.job	RegistrySmart.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3180	schtasks.exe
3316	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
816	9DBE.tmp
1624	rundll32.exe
1624	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1624	rundll32.exe
Token: SeDebugPrivilege	1624	rundll32.exe
Token: SeTcbPrivilege	1624	rundll32.exe
Token: SeDebugPrivilege	816	9DBE.tmp
Token: SeSecurityPrivilege	3228	wevtutil.exe
Token: SeBackupPrivilege	3228	wevtutil.exe
Token: SeSecurityPrivilege	1424	wevtutil.exe
Token: SeBackupPrivilege	1424	wevtutil.exe
Token: SeSecurityPrivilege	8	wevtutil.exe
Token: SeBackupPrivilege	8	wevtutil.exe
Token: SeSecurityPrivilege	1740	wevtutil.exe
Token: SeBackupPrivilege	1740	wevtutil.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1412	RegistrySmart.exe
1412	RegistrySmart.exe
3124	RegistrySmart.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1412	RegistrySmart.exe
1412	RegistrySmart.exe
3124	RegistrySmart.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1412	RegistrySmart.exe
1412	RegistrySmart.exe
1224	Launcher.exe
3124	RegistrySmart.exe
3124	RegistrySmart.exe
3124	RegistrySmart.exe
3408	LogonUI.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 3872	360	[email protected]	74
PID 360 wrote to memory of 3872	360	[email protected]	74
PID 360 wrote to memory of 3872	360	[email protected]	74
PID 3872 wrote to memory of 1412	3872	is-C3CH1.tmp	80
PID 3872 wrote to memory of 1412	3872	is-C3CH1.tmp	80
PID 3872 wrote to memory of 1412	3872	is-C3CH1.tmp	80
PID 1412 wrote to memory of 1224	1412	RegistrySmart.exe	81
PID 1412 wrote to memory of 1224	1412	RegistrySmart.exe	81
PID 1412 wrote to memory of 1224	1412	RegistrySmart.exe	81
PID 1224 wrote to memory of 3124	1224	Launcher.exe	82
PID 1224 wrote to memory of 3124	1224	Launcher.exe	82
PID 1224 wrote to memory of 3124	1224	Launcher.exe	82
PID 2496 wrote to memory of 1624	2496	rundll32.exe	86
PID 2496 wrote to memory of 1624	2496	rundll32.exe	86
PID 2496 wrote to memory of 1624	2496	rundll32.exe	86
PID 1624 wrote to memory of 4084	1624	rundll32.exe	87
PID 1624 wrote to memory of 4084	1624	rundll32.exe	87
PID 1624 wrote to memory of 4084	1624	rundll32.exe	87
PID 4084 wrote to memory of 1344	4084	cmd.exe	89
PID 4084 wrote to memory of 1344	4084	cmd.exe	89
PID 4084 wrote to memory of 1344	4084	cmd.exe	89
PID 1624 wrote to memory of 4056	1624	rundll32.exe	90
PID 1624 wrote to memory of 4056	1624	rundll32.exe	90
PID 1624 wrote to memory of 4056	1624	rundll32.exe	90
PID 1624 wrote to memory of 1964	1624	rundll32.exe	92
PID 1624 wrote to memory of 1964	1624	rundll32.exe	92
PID 1624 wrote to memory of 1964	1624	rundll32.exe	92
PID 4056 wrote to memory of 3180	4056	cmd.exe	93
PID 4056 wrote to memory of 3180	4056	cmd.exe	93
PID 4056 wrote to memory of 3180	4056	cmd.exe	93
PID 1624 wrote to memory of 816	1624	rundll32.exe	95
PID 1624 wrote to memory of 816	1624	rundll32.exe	95
PID 1964 wrote to memory of 3316	1964	cmd.exe	97
PID 1964 wrote to memory of 3316	1964	cmd.exe	97
PID 1964 wrote to memory of 3316	1964	cmd.exe	97
PID 1624 wrote to memory of 1804	1624	rundll32.exe	99
PID 1624 wrote to memory of 1804	1624	rundll32.exe	99
PID 1624 wrote to memory of 1804	1624	rundll32.exe	99
PID 1804 wrote to memory of 3228	1804	cmd.exe	101
PID 1804 wrote to memory of 3228	1804	cmd.exe	101
PID 1804 wrote to memory of 3228	1804	cmd.exe	101
PID 1804 wrote to memory of 1424	1804	cmd.exe	102
PID 1804 wrote to memory of 1424	1804	cmd.exe	102
PID 1804 wrote to memory of 1424	1804	cmd.exe	102
PID 1804 wrote to memory of 8	1804	cmd.exe	103
PID 1804 wrote to memory of 8	1804	cmd.exe	103
PID 1804 wrote to memory of 8	1804	cmd.exe	103
PID 1804 wrote to memory of 1740	1804	cmd.exe	104
PID 1804 wrote to memory of 1740	1804	cmd.exe	104
PID 1804 wrote to memory of 1740	1804	cmd.exe	104
PID 1804 wrote to memory of 2264	1804	cmd.exe	105
PID 1804 wrote to memory of 2264	1804	cmd.exe	105
PID 1804 wrote to memory of 2264	1804	cmd.exe	105
PID 1624 wrote to memory of 296	1624	rundll32.exe	106
PID 1624 wrote to memory of 296	1624	rundll32.exe	106
PID 1624 wrote to memory of 296	1624	rundll32.exe	106
PID 296 wrote to memory of 2968	296	cmd.exe	109
PID 296 wrote to memory of 2968	296	cmd.exe	109
PID 296 wrote to memory of 2968	296	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\is-ITHO4.tmp\is-C3CH1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ITHO4.tmp\is-C3CH1.tmp" /SL4 $20118 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
    "C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Program Files (x86)\RegistrySmart\Launcher.exe
      "C:\Program Files (x86)\RegistrySmart\Launcher.exe" 0:
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
        
        "C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe" launch
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3124

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blacklisted process makes network request
  - Modifies extensions of user files
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3986010080 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3986010080 && exit"
      4⤵
      Creates scheduled task(s)
      PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
      4⤵
      Creates scheduled task(s)
      PID:3316
- - C:\Windows\9DBE.tmp
    "C:\Windows\9DBE.tmp" \\.\pipe\{EB320252-F393-4574-A51C-EA9681B5F958}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Setup
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl System
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1424
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Security
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Application
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1740
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil usn deletejournal /D C:
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:296
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN drogon
      4⤵
      PID:2968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-13-0x0000000003A80000-0x0000000003AE8000-memory.dmp

Filesize
416KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads