Overview

overview

10

Static

static

GiftCardsG...or.exe

windows7_x64

10

GiftCardsG...or.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-05-2021 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GiftCardsGenerator.exe

  • Size

    431KB

  • MD5

    fbbdc39af1139aebba4da004475e8839

  • SHA1

    de5c8d858e6e41da715dca1c019df0bfb92d32c0

  • SHA256

    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

  • SHA512

    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Score
10/10
badrabbitransomware

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in Windows directory 5 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 55 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GiftCardsGenerator.exe
    "C:\Users\Admin\AppData\Local\Temp\GiftCardsGenerator.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:500
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Modifies extensions of user files
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
            PID:3664
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 423076137 && exit"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3860
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 423076137 && exit"
            4⤵
            • Creates scheduled task(s)
            PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:41:00
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3712
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:41:00
            4⤵
            • Creates scheduled task(s)
            PID:3636
        • C:\Windows\25AE.tmp
          "C:\Windows\25AE.tmp" \\.\pipe\{7A93BF75-2EC8-4F88-AB17-1119A8671D95}
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3308
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3944
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WatchFormat.jfif" /ForceBootstrapPaint3D
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3656
    • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3688
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3688 -s 4320
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4336
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4620

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1428-121-0x0000000004020000-0x0000000004088000-memory.dmp

        Filesize

        416KB

        Download

      • memory/1428-116-0x0000000004020000-0x0000000004088000-memory.dmp

        Filesize

        416KB

        Download