badrabbit | 0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3

Analysis

max time kernel
151s
max time network
142s
platform
windows10_x64
resource
win10v20210410
submitted
16-05-2021 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe
Size

440KB
MD5

013ccaecc95e64172c47b1fbee601452
SHA1

aaeb69f63db3cad489d5f9779b91f860b2c7c4d7
SHA256

0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3
SHA512

3edf399669457504b6fe0c981ba7b896260e92194770e41fd8395656263398f677b7f740483ef9e9cff8df66d1a9419933c45f39eb82497edbb64fcf56a45416

Score

10^/10

badrabbit ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Executes dropped EXE 2 IoCs

pid	Process
212	csrss.exe
1692	4701.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aoskgxnns\csrss.exe	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1704	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe
212	csrss.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\4701.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2724	schtasks.exe
2740	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1948	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
200	rundll32.exe
200	rundll32.exe
200	rundll32.exe
200	rundll32.exe
1692	4701.tmp
1692	4701.tmp
1692	4701.tmp
1692	4701.tmp
1692	4701.tmp
1692	4701.tmp
200	rundll32.exe
200	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	csrss.exe
Token: SeShutdownPrivilege	200	rundll32.exe
Token: SeDebugPrivilege	200	rundll32.exe
Token: SeTcbPrivilege	200	rundll32.exe
Token: SeDebugPrivilege	1692	4701.tmp

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 212	1704	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe	75
PID 1704 wrote to memory of 212	1704	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe	75
PID 1704 wrote to memory of 212	1704	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe	75
PID 1704 wrote to memory of 2780	1704	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe	76
PID 1704 wrote to memory of 2780	1704	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe	76
PID 1704 wrote to memory of 2780	1704	0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe	76
PID 2780 wrote to memory of 1948	2780	cmd.exe	78
PID 2780 wrote to memory of 1948	2780	cmd.exe	78
PID 2780 wrote to memory of 1948	2780	cmd.exe	78
PID 3264 wrote to memory of 200	3264	rundll32.exe	84
PID 3264 wrote to memory of 200	3264	rundll32.exe	84
PID 3264 wrote to memory of 200	3264	rundll32.exe	84
PID 200 wrote to memory of 2160	200	rundll32.exe	85
PID 200 wrote to memory of 2160	200	rundll32.exe	85
PID 200 wrote to memory of 2160	200	rundll32.exe	85
PID 2160 wrote to memory of 2804	2160	cmd.exe	87
PID 2160 wrote to memory of 2804	2160	cmd.exe	87
PID 2160 wrote to memory of 2804	2160	cmd.exe	87
PID 200 wrote to memory of 3408	200	rundll32.exe	88
PID 200 wrote to memory of 3408	200	rundll32.exe	88
PID 200 wrote to memory of 3408	200	rundll32.exe	88
PID 200 wrote to memory of 1948	200	rundll32.exe	90
PID 200 wrote to memory of 1948	200	rundll32.exe	90
PID 200 wrote to memory of 1948	200	rundll32.exe	90
PID 200 wrote to memory of 1692	200	rundll32.exe	91
PID 200 wrote to memory of 1692	200	rundll32.exe	91
PID 3408 wrote to memory of 2724	3408	cmd.exe	94
PID 3408 wrote to memory of 2724	3408	cmd.exe	94
PID 3408 wrote to memory of 2724	3408	cmd.exe	94
PID 1948 wrote to memory of 2740	1948	cmd.exe	95
PID 1948 wrote to memory of 2740	1948	cmd.exe	95
PID 1948 wrote to memory of 2740	1948	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe
"C:\Users\Admin\AppData\Local\Temp\0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\aoskgxnns\csrss.exe
  C:\Windows\system32\\aoskgxnns\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 >nul&del/f/s/q "C:\Users\Admin\AppData\Local\Temp\0642a552c182937af9875f855b94fe3b3e355f239c21a57d33fe070188b1a3c3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1948

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1830464917 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1830464917 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
      4⤵
      Creates scheduled task(s)
      PID:2740
- - C:\Windows\4701.tmp
    "C:\Windows\4701.tmp" \\.\pipe\{9E4AE399-5175-4C06-8DAC-05AC5EB8356D}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/200-120-0x0000000003810000-0x0000000003878000-memory.dmp

Filesize
416KB

Download
memory/200-125-0x0000000003810000-0x0000000003878000-memory.dmp

Filesize
416KB

Download