Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 14:42

General

  • Target

    f05758c648da3f68d5d6bd44eff1f87808cd768103038d65230bc517a9d1dedb.exe

  • Size

    24KB

  • MD5

    91516a89dfd2a50be40e012fc3a8e7e1

  • SHA1

    b4be2d16df6a504ff19b2708c02ac8f10d0c75c4

  • SHA256

    f05758c648da3f68d5d6bd44eff1f87808cd768103038d65230bc517a9d1dedb

  • SHA512

    494cbdf081760db86784da44833fc3903444233f7908fc3ce235b78008bced64c36ff72e3ef009b41ab38a57274e44083a7fb7b12542455d84faeb7f672516ce

Score
10/10

Malware Config

Signatures

  • BadRabbit

    Ransomware family first seen in October 2017, distributed as a fake Adobe Flash update and mainly hitting Russia and Ukraine. The process tree below shows its hallmarks: rundll32 loading the dropped infpub.dat, a scheduled task named rhaegal that relaunches C:\Windows\dispci.exe (the DiskCryptor-based disk encryptor) as SYSTEM at every boot, a task named drogon that forces a reboot, and a dropped .tmp executable (the Mimikatz-derived credential harvester) that reports back over a named pipe.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here two tasks are created (after first deleting any existing rhaegal task): rhaegal runs dispci.exe as SYSTEM with /SC ONSTART, and drogon runs "shutdown.exe /r /t 0 /f" once at 00:42:00, forcing the reboot that hands control to the boot-level encryption dispci.exe installs.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f05758c648da3f68d5d6bd44eff1f87808cd768103038d65230bc517a9d1dedb.exe
    "C:\Users\Admin\AppData\Local\Temp\f05758c648da3f68d5d6bd44eff1f87808cd768103038d65230bc517a9d1dedb.exe"
    1⤵
      PID:3988
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        2⤵
        • Modifies extensions of user files
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /F /TN rhaegal
            4⤵
              PID:1260
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2682773206 && exit"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3236
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2682773206 && exit"
              4⤵
              • Creates scheduled task(s)
              PID:2040
          • C:\Windows\SysWOW64\cmd.exe
            /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2308
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
              4⤵
              • Creates scheduled task(s)
              PID:2684
          • C:\Windows\FA63.tmp
            "C:\Windows\FA63.tmp" \\.\pipe\{351F9051-2346-49FB-B8CE-23524199DAFE}
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1760
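The process tree above is the most useful detection material on this page: a rundll32 that loads a file without a .dll extension out of C:\Windows, a SYSTEM task scheduled at boot, a scheduled forced reboot, and a .tmp executable handed a named pipe. The following is an added example, not part of the sandbox report or of any vendor tooling; it replays the tree as hand-constructed process records (pid, parent pid, image, command line, with parent links taken from the tree's nesting depth) and applies those rules plus an ancestry check that ties the tasks back to the rundll32 loader. Rule names and the record layout are this example's own assumptions.

```python
"""Added example: flag the BadRabbit execution chain from process records.

Not from the sandbox report or any vendor tool. The Proc layout and SAMPLE are
constructed by hand from the process tree in the report; rule names are ours.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]  # None for roots; links follow the tree's nesting depth
    image: str
    cmdline: str


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\f05758c648da3f68d5d6bd44eff1f87808cd768103038d65230bc517a9d1dedb.exe")
RHAEGAL = (r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe'
           r' /C Start \"\" \"C:\Windows\dispci.exe\" -id 2682773206 && exit"')
DROGON = (r'schtasks /Create /SC once /TN drogon /RU SYSTEM'
          r' /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00')

# Constructed from the tree above (same PIDs and command lines).
SAMPLE = [
    Proc(3988, None, DROPPER, f'"{DROPPER}"'),
    Proc(4032, None, r"C:\Windows\SysWOW64\rundll32.exe",
         r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15'),
    Proc(3636, 4032, r"C:\Windows\SysWOW64\rundll32.exe",
         r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    Proc(2132, 3636, r"C:\Windows\SysWOW64\cmd.exe", "/c schtasks /Delete /F /TN rhaegal"),
    Proc(1260, 2132, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks /Delete /F /TN rhaegal"),
    Proc(3236, 3636, r"C:\Windows\SysWOW64\cmd.exe", "/c " + RHAEGAL),
    Proc(2040, 3236, r"C:\Windows\SysWOW64\schtasks.exe", RHAEGAL),
    Proc(2308, 3636, r"C:\Windows\SysWOW64\cmd.exe", "/c " + DROGON),
    Proc(2684, 2308, r"C:\Windows\SysWOW64\schtasks.exe", DROGON),
    Proc(1760, 3636, r"C:\Windows\FA63.tmp",
         r'"C:\Windows\FA63.tmp" \\.\pipe\{351F9051-2346-49FB-B8CE-23524199DAFE}'),
]

# rundll32 [path\]rundll32.exe <module>,<#ordinal|export> [args]: capture <module>
RUNDLL32_MODULE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*#?\w+', re.IGNORECASE)
# A quoted value that may contain \" escapes (the /TR argument does), or a bare token.
QUOTED_OR_BARE = r'(?:"((?:\\.|[^"\\])*)"|(\S+))'


def schtasks_create(cmd: str):
    """Parse a `schtasks /Create` line into (name, run_as, schedule, action), else None."""
    if not re.search(r'\bschtasks(?:\.exe)?\s+/Create\b', cmd, re.IGNORECASE):
        return None

    def opt(flag: str) -> Optional[str]:
        m = re.search(rf'/{flag}\s+{QUOTED_OR_BARE}', cmd, re.IGNORECASE)
        if not m:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)

    return opt("TN"), opt("RU"), opt("SC"), opt("TR")


def detect(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) tuples; one process can trip several rules."""
    hits = []
    for p in procs:
        m = RUNDLL32_MODULE.search(p.cmdline)
        if m and not m.group(1).lower().endswith(".dll"):
            hits.append((p.pid, "rundll32_loads_non_dll", m.group(1)))
        task = schtasks_create(p.cmdline)
        if task:
            name, run_as, schedule, action = task
            if (run_as or "").upper() == "SYSTEM" and (schedule or "").upper() == "ONSTART":
                hits.append((p.pid, "system_task_at_boot", f"{name}: {action}"))
            if re.search(r'shutdown(?:\.exe)?\b.*\s/r\b', action or "", re.IGNORECASE):
                hits.append((p.pid, "scheduled_forced_reboot", f"{name}: {action}"))
        # A .tmp on disk being executed with a \\.\pipe\ argument: dropped payload + IPC channel
        if p.image.lower().endswith(".tmp") and "\\\\.\\pipe\\" in p.cmdline:
            hits.append((p.pid, "tmp_exe_with_named_pipe", p.cmdline))
    return hits


def chained_to_loader(procs: List[Proc], pid: int) -> bool:
    """True when pid descends from a rundll32 that loaded a non-DLL module."""
    by_pid = {p.pid: p for p in procs}
    loaders = {h[0] for h in detect(procs) if h[1] == "rundll32_loads_non_dll"}
    cur = by_pid.get(pid)
    while cur is not None and cur.parent is not None:
        if cur.parent in loaders:
            return True
        cur = by_pid.get(cur.parent)
    return False


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE):
        flag = " (under rundll32 loader)" if chained_to_loader(SAMPLE, pid) else ""
        print(f"{pid:>5}  {rule:<24} {detail}{flag}")
```

Both the cmd.exe wrapper and the schtasks.exe child trip the task rules, which is what you want when correlating Sysmon/EDR process-creation events: either one surviving the log is enough. The ancestry check is the part that turns four medium-confidence rules into one high-confidence chain, since a SYSTEM boot task created two hops below a rundll32 that loaded a .dat out of C:\Windows has no benign explanation.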

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/3636-115-0x0000000002C40000-0x0000000002CA8000-memory.dmp

    Filesize

    416KB

  • memory/3636-120-0x0000000002C40000-0x0000000002CA8000-memory.dmp

    Filesize

    416KB