badrabbit | da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec

Analysis

max time kernel
150s
max time network
154s
platform
windows10_x64
resource
win10v20210410
submitted
15-05-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
Size

880KB
MD5

ba92eb82a0d8e11e398699805443ddfb
SHA1

1be55fa2dfb0d523160a96294f15f08d5af65808
SHA256

da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec
SHA512

24e59f57f059e683abf567c77b78d7899888c8c8f419aa1429e2d22b6c01b6d835a7d532d4c58e0a075dc9b41bd959df3c06f1239fd32ccbd071e672275764f3

Score

10^/10

badrabbit ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 192 created 3868	192	WerFault.exe	68

Executes dropped EXE 1 IoCs

pid	Process
3676	3096.tmp

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\LockCheckpoint.tiff	rundll32.exe

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File created	\??\c:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\desktop.ini	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\desktop.ini	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\libGLESv2.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ku.txt	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\msdatl3.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\bin\jli.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\kab.txt	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\si.txt	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\fontmanager.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\rtscom.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\af.txt	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ca.pak	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\LICENSE	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\net.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\msxactps.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ps.txt	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\pl.txt	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\3096.tmp	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
192	3868	WerFault.exe	68

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2696	schtasks.exe
3136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
3676	3096.tmp
3676	3096.tmp
3676	3096.tmp
3676	3096.tmp
3676	3096.tmp
3676	3096.tmp
2056	rundll32.exe
2056	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	192	WerFault.exe
Token: SeBackupPrivilege	192	WerFault.exe
Token: SeDebugPrivilege	192	WerFault.exe
Token: SeShutdownPrivilege	2056	rundll32.exe
Token: SeDebugPrivilege	2056	rundll32.exe
Token: SeTcbPrivilege	2056	rundll32.exe
Token: SeDebugPrivilege	3676	3096.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2056	2108	rundll32.exe	82
PID 2108 wrote to memory of 2056	2108	rundll32.exe	82
PID 2108 wrote to memory of 2056	2108	rundll32.exe	82
PID 2056 wrote to memory of 2308	2056	rundll32.exe	83
PID 2056 wrote to memory of 2308	2056	rundll32.exe	83
PID 2056 wrote to memory of 2308	2056	rundll32.exe	83
PID 2308 wrote to memory of 3748	2308	cmd.exe	85
PID 2308 wrote to memory of 3748	2308	cmd.exe	85
PID 2308 wrote to memory of 3748	2308	cmd.exe	85
PID 2056 wrote to memory of 2076	2056	rundll32.exe	86
PID 2056 wrote to memory of 2076	2056	rundll32.exe	86
PID 2056 wrote to memory of 2076	2056	rundll32.exe	86
PID 2056 wrote to memory of 2736	2056	rundll32.exe	88
PID 2056 wrote to memory of 2736	2056	rundll32.exe	88
PID 2056 wrote to memory of 2736	2056	rundll32.exe	88
PID 2056 wrote to memory of 3676	2056	rundll32.exe	90
PID 2056 wrote to memory of 3676	2056	rundll32.exe	90
PID 2736 wrote to memory of 2696	2736	cmd.exe	92
PID 2736 wrote to memory of 2696	2736	cmd.exe	92
PID 2736 wrote to memory of 2696	2736	cmd.exe	92
PID 2076 wrote to memory of 3136	2076	cmd.exe	93
PID 2076 wrote to memory of 3136	2076	cmd.exe	93
PID 2076 wrote to memory of 3136	2076	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe
"C:\Users\Admin\AppData\Local\Temp\da2d8650452e6d1f8eaaaadac6b9ff015c99615d4e0b97ede0d462f1ed91f3ec.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 736
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:192

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 272757890 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 272757890 && exit"
      4⤵
      Creates scheduled task(s)
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00
      4⤵
      Creates scheduled task(s)
      PID:2696
- - C:\Windows\3096.tmp
    "C:\Windows\3096.tmp" \\.\pipe\{2292D0AD-7E1C-45A1-80EC-C9063875BF67}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-115-0x0000000000B00000-0x0000000000B68000-memory.dmp

Filesize
416KB

Download
memory/2056-120-0x0000000000B00000-0x0000000000B68000-memory.dmp

Filesize
416KB

Download