Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 14:42

General

  • Target

    d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe

  • Size

    788KB

  • MD5

    bf7a7748c4499a6d44c688ba37896a53

  • SHA1

    45c68363fdb2eeae08c827307206f6f9fe7bf944

  • SHA256

    d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095

  • SHA512

    60089da79f1b8e72ce6e0ebcfc9fac7e3b1b82cc49b64be89556b4c89b4b117db95c158eb6126be2a3291a22cca5640ffe5f4710f0a3fab42ac40d8151ec4602

Score
10/10

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
    "C:\Users\Admin\AppData\Local\Temp\d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe"
    1⤵
      PID:1824
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 588
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        2⤵
        • Modifies extensions of user files
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /F /TN rhaegal
            4⤵
              PID:2100
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 922500635 && exit"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3856
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 922500635 && exit"
              4⤵
              • Creates scheduled task(s)
              PID:2288
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2360
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
              4⤵
              • Creates scheduled task(s)
              PID:3572
          • C:\Windows\FCE4.tmp
            "C:\Windows\FCE4.tmp" \\.\pipe\{2F0B4EA3-4146-4F83-BBE0-5A9FD4B589A6}
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3568
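The process tree above is the part of this report a detection engineer can turn directly into rules: rundll32 loading a `.dat` by export ordinal, a task named `rhaegal` force-deleted and recreated as a SYSTEM boot task that launches `C:\Windows\dispci.exe`, a second task `drogon` that forces a reboot, and a dropped `.tmp` started with a named pipe as its argument. The following Python is an added example written for this page, not sandbox code and not part of the BadRabbit sample; the event list is constructed from the tree shown (parent PIDs follow the nesting, and PID 4012 gets parent 0 because the sandbox shows it at the top level), and the rule thresholds are the editor's own choices.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, as a sandbox or EDR process tree records it."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report above (PPIDs follow the nesting;
# PID 4012 is shown at the top level, so its parent is recorded as 0).
EVENTS = [
    ProcEvent(1824, 0, r"C:\Users\Admin\AppData\Local\Temp\d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe"'),
    ProcEvent(1292, 1824, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 588"),
    ProcEvent(4012, 0, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15'),
    ProcEvent(1908, 4012, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    ProcEvent(3624, 1908, r"C:\Windows\SysWOW64\cmd.exe", r"/c schtasks /Delete /F /TN rhaegal"),
    ProcEvent(2100, 3624, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /Delete /F /TN rhaegal"),
    ProcEvent(3856, 1908, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 922500635 && exit"'),
    ProcEvent(2288, 3856, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 922500635 && exit"'),
    ProcEvent(2360, 1908, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00'),
    ProcEvent(3572, 2360, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00'),
    ProcEvent(3568, 1908, r"C:\Windows\FCE4.tmp",
              r'"C:\Windows\FCE4.tmp" \\.\pipe\{2F0B4EA3-4146-4F83-BBE0-5A9FD4B589A6}'),
]

# A file sitting directly in C:\Windows, not in a subdirectory such as System32.
WINDIR_FILE = re.compile(r"[a-z]:\\windows\\[^\\\s\"]+\.(?:exe|dat|tmp)\b", re.I)
# rundll32 module argument followed by an export ordinal: "path",#N or path,#N
MODULE_ORDINAL = re.compile(r'(?:"([^"]+)"|(\S+?)),#(\d+)')
TASK_NAME = re.compile(r"/TN\s+(\S+)", re.I)
TASK_ACTION = re.compile(r'/TR\s+"((?:[^"\\]|\\.)*)"', re.I)  # handles \" inside


def check_rundll32(ev):
    """rundll32 asked to load a module by ordinal (#N) whose extension is not .dll."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return []
    m = MODULE_ORDINAL.search(ev.cmdline)
    if not m:
        return []
    module = m.group(1) or m.group(2)
    if module.lower().endswith(".dll"):
        return []
    return [f"rundll32 loads non-DLL {module} by ordinal #{m.group(3)}"]


def check_schtasks(ev):
    """schtasks /Create that runs as SYSTEM at boot from a file dropped into the
    C:\\Windows root, or that schedules a forced reboot."""
    low = ev.cmdline.lower()
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in low:
        return []
    tn, tr = TASK_NAME.search(ev.cmdline), TASK_ACTION.search(ev.cmdline)
    name = tn.group(1) if tn else "?"
    action = tr.group(1) if tr else ""
    out = []
    if "/ru system" in low and "/sc onstart" in low:
        for path in WINDIR_FILE.findall(action):
            out.append(f"task {name}: SYSTEM boot task runs {path} from the C:\\Windows root")
    toks = action.lower().split()
    if any(t.endswith("shutdown.exe") for t in toks) and "/r" in toks and "/f" in toks:
        out.append(f"task {name}: scheduled forced reboot ({action})")
    return out


def check_tmp_pipe(ev):
    """A .tmp executed from the C:\\Windows root with a named pipe as its argument."""
    if (WINDIR_FILE.fullmatch(ev.image) and ev.image.lower().endswith(".tmp")
            and "\\\\.\\pipe\\" in ev.cmdline.lower()):
        return [f"dropped {ev.image} run with a named-pipe argument"]
    return []


def check_task_reset(events):
    """Task names force-deleted and then recreated within the same run."""
    deleted, recreated = set(), set()
    for ev in events:
        if not ev.image.lower().endswith("\\schtasks.exe"):
            continue
        tn = TASK_NAME.search(ev.cmdline)
        if not tn:
            continue
        name, low = tn.group(1).lower(), ev.cmdline.lower()
        if "/delete" in low:
            deleted.add(name)
        elif "/create" in low and name in deleted:
            recreated.add(name)
    return sorted(recreated)


def analyze(events):
    """Run every rule over the tree; returns (pid, message) pairs in tree order."""
    findings = []
    for ev in events:
        for rule in (check_rundll32, check_schtasks, check_tmp_pipe):
            findings.extend((ev.pid, msg) for msg in rule(ev))
    for name in check_task_reset(events):
        findings.append((0, f"task {name} force-deleted then recreated"))
    return findings


if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(f"PID {pid:>5}: {msg}")
```

The rules deliberately key on structure rather than on the literal names `rhaegal`, `drogon`, `infpub.dat` or `dispci.exe`, so a renamed build still trips them; the task names are still worth a separate exact-match rule, since they are cheap and high-confidence for this family.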

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/1908-115-0x0000000003790000-0x00000000037F8000-memory.dmp

  Filesize: 416KB

• memory/1908-120-0x0000000003790000-0x00000000037F8000-memory.dmp

  Filesize: 416KB