Overview

overview

10

Static

static

10

ฺฺฺ�...ฺฺ

windows10_x64

ฺฺฺ�...ฺฺ

windows10_x64

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

7

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

1

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

1

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

9

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

5

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

240703-tn93lsyglf 10

03-07-2024 16:11

240703-tm84xsyfma 10

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

230824-nda8msdf8z 10

Analysis

  • max time kernel
    306s
  • max time network
    311s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-02-2021 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    396KB

  • MD5

    13f4b868603cf0dd6c32702d1bd858c9

  • SHA1

    a595ab75e134f5616679be5f11deefdfaae1de15

  • SHA256

    cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

  • SHA512

    e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Score
10/10
badrabbitdiscoverypersistenceransomware

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Executes dropped EXE 4 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Drops file in Windows directory 8 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        3⤵
        • Executes dropped EXE
        PID:2200
      • C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        3⤵
        • Executes dropped EXE
        PID:3260
  • C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3392
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Modifies extensions of user files
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
            PID:3812
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4042766786 && exit"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4042766786 && exit"
            4⤵
            • Creates scheduled task(s)
            PID:3596
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:01:00
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3972
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:01:00
            4⤵
            • Creates scheduled task(s)
            PID:1580
        • C:\Windows\B094.tmp
          "C:\Windows\B094.tmp" \\.\pipe\{52CE986F-4B10-49EF-9E03-4BC3E341382A}
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:736

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/64-11-0x00000000036C0000-0x0000000003728000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2200-29-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2200-31-0x0000000005203000-0x0000000005205000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2200-24-0x0000000073280000-0x000000007396E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2200-28-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2200-30-0x0000000005200000-0x0000000005201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2200-27-0x0000000005510000-0x0000000005511000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2200-25-0x0000000000610000-0x0000000000611000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2988-6-0x000001EF4D100000-0x000001EF4D101000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2988-8-0x000001EF4EE20000-0x000001EF4EE22000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2988-9-0x000001EF4EE22000-0x000001EF4EE24000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2988-5-0x00007FFB8A380000-0x00007FFB8AD6C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3260-34-0x0000000073280000-0x000000007396E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3260-40-0x0000000005330000-0x0000000005331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3260-41-0x0000000005333000-0x0000000005335000-memory.dmp

      Filesize

      8KB

      Download