badrabbit | 395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6

Analysis

max time kernel
149s
max time network
145s
platform
windows10_x64
resource
win10v20210410
submitted
15-05-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe
Size

440KB
MD5

4a8d3539c3078a16c93c766fef28c605
SHA1

6da0d3b40762f46486f1b989548fdf9d777fc894
SHA256

395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6
SHA512

a3124ee40d95c8673e0cbcacd12b2af453f3b6a1a51e494344c822dee47fce97970b0cf0ee31767dee31682b4f017b32f651ff2486cc3ea6586dad14dbbcdef8

Score

10^/10

badrabbit ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Executes dropped EXE 2 IoCs

pid	Process
3672	ctfmon.exe
1532	817A.tmp

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\OptimizeResume.tiff	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qltsjfurnc\ctfmon.exe	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3692	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe
3672	ctfmon.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\817A.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
196	schtasks.exe
3512	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1408	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe
2156	rundll32.exe
1532	817A.tmp
1532	817A.tmp
1532	817A.tmp
1532	817A.tmp
1532	817A.tmp
1532	817A.tmp
2156	rundll32.exe
2156	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	ctfmon.exe
Token: SeShutdownPrivilege	2156	rundll32.exe
Token: SeDebugPrivilege	2156	rundll32.exe
Token: SeTcbPrivilege	2156	rundll32.exe
Token: SeDebugPrivilege	1532	817A.tmp

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 3672	3692	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	75
PID 3692 wrote to memory of 3672	3692	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	75
PID 3692 wrote to memory of 3672	3692	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	75
PID 3692 wrote to memory of 808	3692	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	76
PID 3692 wrote to memory of 808	3692	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	76
PID 3692 wrote to memory of 808	3692	395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe	76
PID 808 wrote to memory of 1408	808	cmd.exe	78
PID 808 wrote to memory of 1408	808	cmd.exe	78
PID 808 wrote to memory of 1408	808	cmd.exe	78
PID 3808 wrote to memory of 2156	3808	rundll32.exe	84
PID 3808 wrote to memory of 2156	3808	rundll32.exe	84
PID 3808 wrote to memory of 2156	3808	rundll32.exe	84
PID 2156 wrote to memory of 2916	2156	rundll32.exe	85
PID 2156 wrote to memory of 2916	2156	rundll32.exe	85
PID 2156 wrote to memory of 2916	2156	rundll32.exe	85
PID 2916 wrote to memory of 3856	2916	cmd.exe	87
PID 2916 wrote to memory of 3856	2916	cmd.exe	87
PID 2916 wrote to memory of 3856	2916	cmd.exe	87
PID 2156 wrote to memory of 388	2156	rundll32.exe	88
PID 2156 wrote to memory of 388	2156	rundll32.exe	88
PID 2156 wrote to memory of 388	2156	rundll32.exe	88
PID 388 wrote to memory of 196	388	cmd.exe	90
PID 388 wrote to memory of 196	388	cmd.exe	90
PID 388 wrote to memory of 196	388	cmd.exe	90
PID 2156 wrote to memory of 2484	2156	rundll32.exe	91
PID 2156 wrote to memory of 2484	2156	rundll32.exe	91
PID 2156 wrote to memory of 2484	2156	rundll32.exe	91
PID 2156 wrote to memory of 1532	2156	rundll32.exe	93
PID 2156 wrote to memory of 1532	2156	rundll32.exe	93
PID 2484 wrote to memory of 3512	2484	cmd.exe	94
PID 2484 wrote to memory of 3512	2484	cmd.exe	94
PID 2484 wrote to memory of 3512	2484	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe
"C:\Users\Admin\AppData\Local\Temp\395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\SysWOW64\qltsjfurnc\ctfmon.exe
  C:\Windows\system32\\qltsjfurnc\ctfmon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 >nul&del/f/s/q "C:\Users\Admin\AppData\Local\Temp\395a9ab8d031a088642324c0632ab6009e7da6a5282a9c6265175eb79a9e10e6.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1408

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3451232950 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3451232950 && exit"
      4⤵
      Creates scheduled task(s)
      PID:196
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
      4⤵
      Creates scheduled task(s)
      PID:3512
- - C:\Windows\817A.tmp
    "C:\Windows\817A.tmp" \\.\pipe\{A1D99CCE-8F05-4668-9DFA-D6D30AF1F1B2}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-120-0x0000000003400000-0x0000000003468000-memory.dmp

Filesize
416KB

Download
memory/2156-125-0x0000000003400000-0x0000000003468000-memory.dmp

Filesize
416KB

Download