badrabbit | 7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84

General

Target

7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84.exe
Size

154KB
MD5

6496c79fa5ea7fcadc63204ac7486736
SHA1

1e4b8f0c2deb96fda4f007ffd9413746b73ca04d
SHA256

7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84
SHA512

3f845fb9e7df300f39c3ba24a20fdf07e49eaa92b65ff63bd65b3550c99bc2bc9822c1ebb2d5c83d386806fcde7a4bcf8d3529fea040479fefca25a05da334b8

Score

10^/10

badrabbit evasion ransomware spyware stealer trojan

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2412	updF99D.tmp
3344	A123.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updF99D.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\A123.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1524	schtasks.exe
1508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
2412	updF99D.tmp
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3344	A123.tmp
3344	A123.tmp
3344	A123.tmp
3344	A123.tmp
3344	A123.tmp
3344	A123.tmp
3808	rundll32.exe
3808	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3808	rundll32.exe
Token: SeDebugPrivilege	3808	rundll32.exe
Token: SeTcbPrivilege	3808	rundll32.exe
Token: SeDebugPrivilege	3344	A123.tmp

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2412	3904	7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84.exe	76
PID 3904 wrote to memory of 2412	3904	7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84.exe	76
PID 3904 wrote to memory of 2412	3904	7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84.exe	76
PID 3836 wrote to memory of 3808	3836	rundll32.exe	81
PID 3836 wrote to memory of 3808	3836	rundll32.exe	81
PID 3836 wrote to memory of 3808	3836	rundll32.exe	81
PID 3808 wrote to memory of 3980	3808	rundll32.exe	82
PID 3808 wrote to memory of 3980	3808	rundll32.exe	82
PID 3808 wrote to memory of 3980	3808	rundll32.exe	82
PID 3980 wrote to memory of 1584	3980	cmd.exe	84
PID 3980 wrote to memory of 1584	3980	cmd.exe	84
PID 3980 wrote to memory of 1584	3980	cmd.exe	84
PID 3808 wrote to memory of 2528	3808	rundll32.exe	85
PID 3808 wrote to memory of 2528	3808	rundll32.exe	85
PID 3808 wrote to memory of 2528	3808	rundll32.exe	85
PID 3808 wrote to memory of 2712	3808	rundll32.exe	87
PID 3808 wrote to memory of 2712	3808	rundll32.exe	87
PID 3808 wrote to memory of 2712	3808	rundll32.exe	87
PID 3808 wrote to memory of 3344	3808	rundll32.exe	88
PID 3808 wrote to memory of 3344	3808	rundll32.exe	88
PID 2712 wrote to memory of 1524	2712	cmd.exe	91
PID 2712 wrote to memory of 1524	2712	cmd.exe	91
PID 2712 wrote to memory of 1524	2712	cmd.exe	91
PID 2528 wrote to memory of 1508	2528	cmd.exe	92
PID 2528 wrote to memory of 1508	2528	cmd.exe	92
PID 2528 wrote to memory of 1508	2528	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84.exe
"C:\Users\Admin\AppData\Local\Temp\7bb62a1edd5f9f56e9d9ca31451034831961358839c12ea73a29faa160b7db84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\updF99D.tmp
  "C:\Users\Admin\AppData\Local\Temp\updF99D.tmp" --bpl="eyJpbnN0YWxsX3VybCI6ICJodHRwczovL2dvc29mdGRsLm1haWwucnUvc3dpdGNoZXJfcGRfM185LmV4ZSIsICJjb21tYW5kX2xpbmUiOiAiIiwgInRzIjogMTU1NzQ0NzMxOSwgImNsaV92ZXIiOiAyLCAicXVlcnlfc3RyaW5nIjogInJmcj03ODkyNjMmcGFydG5lcmlkPTc4OTI2MyZ1YV9yZnI9MTI4MjlfNzg5MjYzJmFtX2RlZmF1bHQ9MCZhbWlnb19pbnN0YWxsPTEmYXR0cj1tbmR0JnBhcnRuZXJfbmV3X3VybD1odHRwJTNBJTJGJTJGc2V0c3RhdC5ydSUyRmFwaSUyRnNhdmVQb3N0YmFjayUzRnRva2VuJTNEN3BxZk5TcDhTeSUyNnR5cGUlM0RhbWlnbyUyNm92ciUzRCUyNF9fT1ZSJTI2c2lnJTNEJTI0X19TSUclMjZndWlkJTNEJTI0X19HVUlEJTI2cmVmJTNENzg5MjYzJTI2c3ViaWQlM0RzbmVsd2lsY294IiwgImxvY2F0aW9uX2lkIjogImxhbmRfcGFydG5lciJ9"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2211089077 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2211089077 && exit"
      4⤵
      Creates scheduled task(s)
      PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
      4⤵
      Creates scheduled task(s)
      PID:1524
- - C:\Windows\A123.tmp
    "C:\Windows\A123.tmp" \\.\pipe\{957D942D-122B-436F-A9AE-E4626E013F8A}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3808-124-0x0000000002EC0000-0x0000000002F28000-memory.dmp

Filesize
416KB

Download
memory/3808-119-0x0000000002EC0000-0x0000000002F28000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads