badrabbit | 62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b

General

Target

62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe
Size

768KB
MD5

87eb0ff2fac6f376f08047aedc54691e
SHA1

4e2bfe1433bdd0d1b52de35d631560479bb52746
SHA256

62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b
SHA512

aca36e77d5045a834898879a2a969a09503211914e8f9916bd2daa5a72ca4097591329b3ed68b1509ce37771d4945a0afa74b12dea84b32f4d29b8730720f6a8

Score

10^/10

badrabbit ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Executes dropped EXE 2 IoCs

pid	Process
3980	~87eb0ff2.exe
2792	8916.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\8916.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2872	schtasks.exe
3940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3176	62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe
3176	62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe
3176	62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe
3176	62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe
3900	rundll32.exe
3900	rundll32.exe
3900	rundll32.exe
3900	rundll32.exe
2792	8916.tmp
2792	8916.tmp
2792	8916.tmp
2792	8916.tmp
2792	8916.tmp
2792	8916.tmp
3900	rundll32.exe
3900	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3900	rundll32.exe
Token: SeDebugPrivilege	3900	rundll32.exe
Token: SeTcbPrivilege	3900	rundll32.exe
Token: SeDebugPrivilege	2792	8916.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 3980	3176	62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe	79
PID 3176 wrote to memory of 3980	3176	62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe	79
PID 2104 wrote to memory of 3900	2104	rundll32.exe	82
PID 2104 wrote to memory of 3900	2104	rundll32.exe	82
PID 2104 wrote to memory of 3900	2104	rundll32.exe	82
PID 3900 wrote to memory of 196	3900	rundll32.exe	83
PID 3900 wrote to memory of 196	3900	rundll32.exe	83
PID 3900 wrote to memory of 196	3900	rundll32.exe	83
PID 196 wrote to memory of 1468	196	cmd.exe	85
PID 196 wrote to memory of 1468	196	cmd.exe	85
PID 196 wrote to memory of 1468	196	cmd.exe	85
PID 3900 wrote to memory of 2020	3900	rundll32.exe	86
PID 3900 wrote to memory of 2020	3900	rundll32.exe	86
PID 3900 wrote to memory of 2020	3900	rundll32.exe	86
PID 3900 wrote to memory of 1400	3900	rundll32.exe	88
PID 3900 wrote to memory of 1400	3900	rundll32.exe	88
PID 3900 wrote to memory of 1400	3900	rundll32.exe	88
PID 3900 wrote to memory of 2792	3900	rundll32.exe	90
PID 3900 wrote to memory of 2792	3900	rundll32.exe	90
PID 2020 wrote to memory of 2872	2020	cmd.exe	92
PID 2020 wrote to memory of 2872	2020	cmd.exe	92
PID 2020 wrote to memory of 2872	2020	cmd.exe	92
PID 1400 wrote to memory of 3940	1400	cmd.exe	93
PID 1400 wrote to memory of 3940	1400	cmd.exe	93
PID 1400 wrote to memory of 3940	1400	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe
"C:\Users\Admin\AppData\Local\Temp\62ee56badb9240aeb1e5b6e6256e0e1bfc5314f2a0c9d8b816d022c6955fab2b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\~87eb0ff2.exe
  "C:\Users\Admin\AppData\Local\Temp\~87eb0ff2.exe"
  2⤵
  - Executes dropped EXE
  PID:3980

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:196
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2850603417 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2850603417 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
      4⤵
      Creates scheduled task(s)
      PID:3940
- - C:\Windows\8916.tmp
    "C:\Windows\8916.tmp" \\.\pipe\{A0B51934-4050-4C29-B75A-05EC74F0B99C}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3176-114-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3900-120-0x0000000003940000-0x00000000039A8000-memory.dmp

Filesize
416KB

Download
memory/3900-125-0x0000000003940000-0x00000000039A8000-memory.dmp

Filesize
416KB

Download
memory/3980-118-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads