Analysis

max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 16-05-2021 00:21

Static task: static1
Behavioral task: behavioral1
  Sample: 7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
  Resource: win10v20210410

General

Target: 7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
Size: 88KB
MD5: b9fd952b27bc30f2561efbd2b2919ec7
SHA1: a8066d045f15b399bd1cb684b687537f56eb703f
SHA256: 7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db
SHA512: 55d9eee46fedf05e33a64a66382a26903140c25a55500adbbab1a4f87cae530abe9a1da98a4f5b61a0a9d10835fc883f21eba438e00e1c907edd3e5848fafd7e
Malware Config

Signatures

BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Modifies system executable filetype association (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe "  (cmd.exe)

Executes dropped EXE (1 IoC)
  PID 2704  5C3F.tmp

Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  File opened for modification  C:\Users\Admin\Pictures\BlockComplete.tiff  (rundll32.exe)
  File opened for modification  C:\Users\Admin\Pictures\SearchInstall.tiff  (rundll32.exe)

Sets file execution options in registry (2 TTPs)
  No IoCs are listed for this signature; the matching reg.exe commands (Image File Execution Options "debugger" values for ZhuDongFangYu.exe, 360tray.exe and taskmgr.exe) are visible in the process tree below.
Drops file in Program Files directory (64 IoCs)
  Every entry is "File opened for modification" by 7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe, and every target is an existing executable under c:\Program Files rather than a newly created file:
  \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
  \??\c:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE
  \??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
  \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe
  \??\c:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\misc.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
  \??\c:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
  \??\c:\Program Files\Java\jre1.8.0_66\bin\kinit.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE
  \??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe
  \??\c:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\msoasb.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
  \??\c:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
  \??\c:\Program Files\Common Files\microsoft shared\ink\mip.exe
  \??\c:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe
  \??\c:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\excelcnv.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
  \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
  \??\c:\Program Files\Internet Explorer\ielowutil.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
  \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  \??\c:\Program Files\Internet Explorer\ieinstal.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE
  \??\c:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
  \??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe
  \??\c:\Program Files\Microsoft Office\root\Client\AppVLP.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE
  \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  \??\c:\Program Files\Internet Explorer\iexplore.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
  \??\c:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE
  \??\c:\Program Files\Java\jre1.8.0_66\bin\jjs.exe
  \??\c:\Program Files\Java\jre1.8.0_66\bin\ktab.exe
Drops file in Windows directory (4 IoCs)
  File opened for modification  C:\Windows\infpub.dat  (rundll32.exe)
  File created                  C:\Windows\cscc.dat    (rundll32.exe)
  File created                  C:\Windows\dispci.exe  (rundll32.exe)
  File opened for modification  C:\Windows\5C3F.tmp    (rundll32.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1128  schtasks.exe
  PID 4084  schtasks.exe

Modifies registry class (14 IoCs)
  All entries are written by cmd.exe.
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.txt
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe "
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe "
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe "
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe "
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1220  rundll32.exe  (6 entries)
  PID 2704  5C3F.tmp      (6 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2256  7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege  PID 1220  rundll32.exe
  Token: SeDebugPrivilege     PID 1220  rundll32.exe
  Token: SeTcbPrivilege       PID 1220  rundll32.exe
  Token: SeDebugPrivilege     PID 2704  5C3F.tmp

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2256  7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
Suspicious use of WriteProcessMemory (53 IoCs)
  The original list repeats each parent/child pair three times (twice for 5C3F.tmp); the rows below collapse the repeats and keep the count.
  parent PID  parent process                                                         child PID  procid_target  writes
  2256        7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  956        73             3
  2256        7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  3144       78             3
  2256        7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  680        79             3
  2256        7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  2972       80             3
  2256        7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  1868       82             3
  2256        7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  3616       83             3
  2256        7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  3028       87             3
  3144        cmd.exe                                                                4000       90             3
  3144        cmd.exe                                                                3768       91             3
  3144        cmd.exe                                                                3756       92             3
  2876        rundll32.exe                                                           1220       96             3
  1220        rundll32.exe                                                           2104       97             3
  2104        cmd.exe                                                                3776       99             3
  1220        rundll32.exe                                                           3940       101            3
  1220        rundll32.exe                                                           2208       104            3
  3940        cmd.exe                                                                1128       103            3
  1220        rundll32.exe                                                           2704       105            2
  2208        cmd.exe                                                                4084       108            3
Processes

Indentation follows the depth markers of the original tree; signature hits are listed under each process. Note that the rundll32.exe branch is recorded as a second root, not as a child of the sample.

C:\Users\Admin\AppData\Local\Temp\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe  (PID 2256)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 956)
      cmdline: cmd.exe

    C:\Windows\SysWOW64\cmd.exe  (PID 3144)
      cmdline: C:\Windows\system32\cmd.exe /c C:\123.bat
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  (PID 4000)
          cmdline: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f

        C:\Windows\SysWOW64\reg.exe  (PID 3768)
          cmdline: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f

        C:\Windows\SysWOW64\reg.exe  (PID 3756)
          cmdline: reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f

    C:\Windows\SysWOW64\cmd.exe  (PID 680)
      cmdline: cmd.exe /c assoc .txt = exefile
      - Modifies registry class

    C:\Windows\SysWOW64\cmd.exe  (PID 2972)
      cmdline: cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
      - Modifies system executable filetype association
      - Modifies registry class

    C:\Windows\SysWOW64\cmd.exe  (PID 1868)
      cmdline: cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
      - Modifies registry class

    C:\Windows\SysWOW64\cmd.exe  (PID 3616)
      cmdline: cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
      - Modifies registry class

    C:\Windows\SysWOW64\cmd.exe  (PID 3028)
      cmdline: cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe
      - Modifies registry class

C:\Windows\SysWOW64\rundll32.exe  (PID 2876)
  cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 1220)
      cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Modifies extensions of user files
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 2104)
          cmdline: /c schtasks /Delete /F /TN rhaegal
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe  (PID 3776)
              cmdline: schtasks /Delete /F /TN rhaegal

        C:\Windows\SysWOW64\cmd.exe  (PID 3940)
          cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1650755206 && exit"
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe  (PID 1128)
              cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1650755206 && exit"
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe  (PID 2208)
          cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe  (PID 4084)
              cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00
              - Creates scheduled task(s)

        C:\Windows\5C3F.tmp  (PID 2704)
          cmdline: "C:\Windows\5C3F.tmp" \\.\pipe\{8B5ECF9B-52B7-443B-AD0D-A756779CA155}
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
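Added example, not part of the sandbox report and not code from the sample: the command lines in the process tree above are enough to write behaviour-based detections that do not depend on this file's hash. The block below re-creates those command lines as a constructed event list (PIDs and arguments copied from the tree, with the bare cmd.exe as a control) and runs five rules over them: an Image File Execution Options "debugger" value being set (the three reg.exe calls), a file association pointed at a user-writable path or a non-.exe extension mapped to exefile (the ftype/assoc calls), rundll32 loading a module that is not a .dll (infpub.dat), schtasks creating a SYSTEM task at boot or a forced-reboot task (rhaegal, drogon), and a .tmp file executed from the Windows directory (5C3F.tmp). The Event and Finding types, rule names and regular expressions are my own and are not a published rule set.

```python
import re
from typing import NamedTuple


class Event(NamedTuple):
    pid: int
    image: str
    cmdline: str


class Finding(NamedTuple):
    rule: str
    pid: int
    detail: str


# Constructed sample: (pid, image, command line) copied from the process tree
# in the report above. The bare cmd.exe (PID 956) is a control that must not alert.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "7148ca8cc9041482682156ca16a1e83eba1333e16f41e80e522363a55ff2a0db.exe"
IFEO = r"hklm\software\microsoft\windows nt\currentversion\Image File Execution Options"
W64 = r"C:\Windows\SysWOW64"
SAMPLE_EVENTS = [
    Event(956, W64 + r"\cmd.exe", "cmd.exe"),
    Event(4000, W64 + r"\reg.exe", f'reg add "{IFEO}\\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f'),
    Event(3768, W64 + r"\reg.exe", f'reg add "{IFEO}\\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f'),
    Event(3756, W64 + r"\reg.exe", f'reg add "{IFEO}\\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f'),
    Event(680, W64 + r"\cmd.exe", "cmd.exe /c assoc .txt = exefile"),
    Event(2972, W64 + r"\cmd.exe", f"cmd.exe /c ftype comfile={TMP}\\{SAMPLE}"),
    Event(1220, W64 + r"\rundll32.exe", r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    Event(1128, W64 + r"\schtasks.exe", r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1650755206 && exit"'),
    Event(4084, W64 + r"\schtasks.exe", r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00'),
    Event(2704, r"C:\Windows\5C3F.tmp", r'"C:\Windows\5C3F.tmp" \\.\pipe\{8B5ECF9B-52B7-443B-AD0D-A756779CA155}'),
]

IFEO_TARGET = re.compile(r'image file execution options\\([^"\\]+)', re.I)
DEBUGGER_VALUE = re.compile(r'/d\s+"([^"]*)"', re.I)
FTYPE = re.compile(r"\bftype\s+(\S+?)=(.+)$", re.I)
ASSOC = re.compile(r"\bassoc\s+(\.\S+)\s*=\s*(\S+)", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
RUNDLL_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)', re.I)


def rule_ifeo(ev):
    # IFEO "debugger": every launch of the target image runs the debugger command instead.
    if "/v debugger" not in ev.cmdline.lower():
        return None
    target = IFEO_TARGET.search(ev.cmdline)
    value = DEBUGGER_VALUE.search(ev.cmdline)
    if not target:
        return None
    return Finding("ifeo_debugger_hijack", ev.pid, f"{target.group(1)} -> {value.group(1) if value else '?'}")


def rule_assoc(ev):
    # ftype aimed at a user-writable path, or assoc mapping a non-.exe extension to exefile.
    m = FTYPE.search(ev.cmdline)
    if m and USER_WRITABLE.search(m.group(2)):
        return Finding("file_association_hijack", ev.pid, f"{m.group(1)} -> {m.group(2).strip()}")
    m = ASSOC.search(ev.cmdline)
    if m and m.group(2).lower() == "exefile" and m.group(1).lower() != ".exe":
        return Finding("file_association_hijack", ev.pid, f"{m.group(1)} -> exefile")
    return None


def rule_rundll32(ev):
    # rundll32 handed a module whose extension is not .dll (here infpub.dat).
    if "rundll32" not in ev.image.lower():
        return None
    m = RUNDLL_MODULE.search(ev.cmdline)
    if m and not m.group(1).lower().endswith(".dll"):
        return Finding("rundll32_non_dll_module", ev.pid, m.group(1))
    return None


def rule_schtasks(ev):
    # schtasks /Create running as SYSTEM at boot (persistence) or scheduling shutdown.exe (forced reboot).
    cl = ev.cmdline.lower()
    if "schtasks" not in cl or "/create" not in cl:
        return None
    tn = re.search(r"/tn\s+(\S+)", cl)
    name = tn.group(1) if tn else "?"
    if "shutdown.exe" in cl:
        return Finding("scheduled_forced_reboot", ev.pid, name)
    if "/ru system" in cl and "/sc onstart" in cl:
        return Finding("system_task_at_boot", ev.pid, name)
    return None


def rule_tmp_exec(ev):
    # A .tmp file executed out of the Windows directory (the dropped 5C3F.tmp).
    img = ev.image.lower()
    if img.startswith("c:\\windows\\") and img.endswith(".tmp"):
        return Finding("tmp_executed_from_windows_dir", ev.pid, ev.image)
    return None


RULES = (rule_ifeo, rule_assoc, rule_rundll32, rule_schtasks, rule_tmp_exec)


def scan(events):
    # One Finding per (event, rule) hit; rules are independent, so an event may match several.
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

Running scan(SAMPLE_EVENTS) returns nine findings and nothing for the control cmd.exe. The same functions apply unchanged to the CommandLine field of Sysmon event ID 1 or Windows Security event 4688 (with command-line auditing enabled). The IFEO and ftype rules are the ones worth alerting on outright: legitimate software does not set a debugger of "ntsd -d" on an AV process or point comfile at a file in %TEMP%, whereas rundll32 with an odd extension and SYSTEM tasks at boot need an allow-list before they are paged on.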