Analysis
- max time kernel: 350s
- max time network: 351s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 13-11-2021 17:19
Static task: static1
URLScan task: urlscan1
- Sample: https://github.com/acastillorobles77/MalwareDatabase/raw/master/BadRabbit%20Ransomware.zip
Behavioral task: behavioral1
- Sample: https://github.com/acastillorobles77/MalwareDatabase/raw/master/BadRabbit%20Ransomware.zip
- Resource: win7-en-20211104 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: https://github.com/acastillorobles77/MalwareDatabase/raw/master/BadRabbit%20Ransomware.zip
- Score: 10/10
Malware Config
Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
Mimikatz 1 IoCs
mimikatz is an open source tool to dump credentials on Windows.
- resource: behavioral1/files/0x00050000000125cd-77.dat (yara_rule: mimikatz)
Executes dropped EXE 6 IoCs
- PID 2032 BadRabbit.exe
- PID 1596 425D.tmp
- PID 1576 BadRabbit.exe
- PID 1816 BadRabbit.exe
- PID 516 BadRabbit.exe
- PID 456 BadRabbit.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
- File opened for modification: C:\Users\Admin\Pictures\SkipStep.tiff (rundll32.exe)
Drops file in Windows directory 13 IoCs
- File opened for modification: C:\Windows\425D.tmp (rundll32.exe)
- File created: C:\Windows\infpub.dat (BadRabbit.exe)
- File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
- File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
- File created: C:\Windows\infpub.dat (BadRabbit.exe)
- File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
- File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
- File created: C:\Windows\dispci.exe (rundll32.exe)
- File created: C:\Windows\infpub.dat (BadRabbit.exe)
- File created: C:\Windows\infpub.dat (BadRabbit.exe)
- File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
- File created: C:\Windows\infpub.dat (BadRabbit.exe)
- File created: C:\Windows\cscc.dat (rundll32.exe)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 996 schtasks.exe
- PID 1776 schtasks.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3083ce2eb2d8d701 (iexplore.exe)
Opens file in notepad (likely ransom note) 2 IoCs
- PID 996 NOTEPAD.EXE
- PID 1724 notepad.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 1768 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid Process 1012 rundll32.exe 1012 rundll32.exe 1596 425D.tmp 1596 425D.tmp 1596 425D.tmp 1596 425D.tmp 1596 425D.tmp 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1020 rundll32.exe 1972 rundll32.exe 1796 rundll32.exe 1064 rundll32.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 1424 taskmgr.exe
- PID 1068 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
- Token: SeRestorePrivilege (PID 1820 7zG.exe)
- Token: 35 (PID 1820 7zG.exe)
- Token: SeSecurityPrivilege (PID 1820 7zG.exe)
- Token: SeSecurityPrivilege (PID 1820 7zG.exe)
- Token: 33 (PID 892 AUDIODG.EXE)
- Token: SeIncBasePriorityPrivilege (PID 892 AUDIODG.EXE)
- Token: 33 (PID 892 AUDIODG.EXE)
- Token: SeIncBasePriorityPrivilege (PID 892 AUDIODG.EXE)
- Token: SeShutdownPrivilege (PID 1012 rundll32.exe)
- Token: SeDebugPrivilege (PID 1012 rundll32.exe)
- Token: SeTcbPrivilege (PID 1012 rundll32.exe)
- Token: SeDebugPrivilege (PID 1596 425D.tmp)
- Token: SeDebugPrivilege (PID 1424 taskmgr.exe)
- Token: SeShutdownPrivilege (PID 1020 rundll32.exe)
- Token: SeDebugPrivilege (PID 1020 rundll32.exe)
- Token: SeTcbPrivilege (PID 1020 rundll32.exe)
- Token: SeShutdownPrivilege (PID 1972 rundll32.exe)
- Token: SeDebugPrivilege (PID 1972 rundll32.exe)
- Token: SeTcbPrivilege (PID 1972 rundll32.exe)
- Token: SeShutdownPrivilege (PID 1796 rundll32.exe)
- Token: SeDebugPrivilege (PID 1796 rundll32.exe)
- Token: SeTcbPrivilege (PID 1796 rundll32.exe)
- Token: SeShutdownPrivilege (PID 1064 rundll32.exe)
- Token: SeDebugPrivilege (PID 1064 rundll32.exe)
- Token: SeTcbPrivilege (PID 1064 rundll32.exe)
- Token: SeDebugPrivilege (PID 1068 taskmgr.exe)
- Token: SeShutdownPrivilege (PID 1532 IEXPLORE.EXE)
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 768 iexplore.exe 768 iexplore.exe 1820 7zG.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1424 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe 1068 taskmgr.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
- PID 768 iexplore.exe
- PID 768 iexplore.exe
- PID 1168 IEXPLORE.EXE
- PID 1168 IEXPLORE.EXE
- PID 1152 IEXPLORE.EXE
- PID 1152 IEXPLORE.EXE
- PID 1532 IEXPLORE.EXE
- PID 1532 IEXPLORE.EXE
- PID 1532 IEXPLORE.EXE
- PID 1532 IEXPLORE.EXE
- PID 272 AcroRd32.exe
- PID 272 AcroRd32.exe
- PID 992 IEXPLORE.EXE
- PID 992 IEXPLORE.EXE
- PID 1768 POWERPNT.EXE
Suspicious use of WriteProcessMemory 64 IoCs
- PID 768 wrote to memory of 1168 (768 iexplore.exe, procid_target 29)
- PID 768 wrote to memory of 1168 (768 iexplore.exe, procid_target 29)
- PID 768 wrote to memory of 1168 (768 iexplore.exe, procid_target 29)
- PID 768 wrote to memory of 1168 (768 iexplore.exe, procid_target 29)
- PID 2032 wrote to memory of 1012 (2032 BadRabbit.exe, procid_target 37)
- PID 2032 wrote to memory of 1012 (2032 BadRabbit.exe, procid_target 37)
- PID 2032 wrote to memory of 1012 (2032 BadRabbit.exe, procid_target 37)
- PID 2032 wrote to memory of 1012 (2032 BadRabbit.exe, procid_target 37)
- PID 2032 wrote to memory of 1012 (2032 BadRabbit.exe, procid_target 37)
- PID 2032 wrote to memory of 1012 (2032 BadRabbit.exe, procid_target 37)
- PID 2032 wrote to memory of 1012 (2032 BadRabbit.exe, procid_target 37)
- PID 1012 wrote to memory of 1392 (1012 rundll32.exe, procid_target 38)
- PID 1012 wrote to memory of 1392 (1012 rundll32.exe, procid_target 38)
- PID 1012 wrote to memory of 1392 (1012 rundll32.exe, procid_target 38)
- PID 1012 wrote to memory of 1392 (1012 rundll32.exe, procid_target 38)
- PID 1392 wrote to memory of 1052 (1392 cmd.exe, procid_target 40)
- PID 1392 wrote to memory of 1052 (1392 cmd.exe, procid_target 40)
- PID 1392 wrote to memory of 1052 (1392 cmd.exe, procid_target 40)
- PID 1392 wrote to memory of 1052 (1392 cmd.exe, procid_target 40)
- PID 1012 wrote to memory of 1552 (1012 rundll32.exe, procid_target 41)
- PID 1012 wrote to memory of 1552 (1012 rundll32.exe, procid_target 41)
- PID 1012 wrote to memory of 1552 (1012 rundll32.exe, procid_target 41)
- PID 1012 wrote to memory of 1552 (1012 rundll32.exe, procid_target 41)
- PID 1552 wrote to memory of 996 (1552 cmd.exe, procid_target 43)
- PID 1552 wrote to memory of 996 (1552 cmd.exe, procid_target 43)
- PID 1552 wrote to memory of 996 (1552 cmd.exe, procid_target 43)
- PID 1552 wrote to memory of 996 (1552 cmd.exe, procid_target 43)
- PID 1012 wrote to memory of 1756 (1012 rundll32.exe, procid_target 44)
- PID 1012 wrote to memory of 1756 (1012 rundll32.exe, procid_target 44)
- PID 1012 wrote to memory of 1756 (1012 rundll32.exe, procid_target 44)
- PID 1012 wrote to memory of 1756 (1012 rundll32.exe, procid_target 44)
- PID 1012 wrote to memory of 1596 (1012 rundll32.exe, procid_target 46)
- PID 1012 wrote to memory of 1596 (1012 rundll32.exe, procid_target 46)
- PID 1012 wrote to memory of 1596 (1012 rundll32.exe, procid_target 46)
- PID 1012 wrote to memory of 1596 (1012 rundll32.exe, procid_target 46)
- PID 1756 wrote to memory of 1776 (1756 cmd.exe, procid_target 47)
- PID 1756 wrote to memory of 1776 (1756 cmd.exe, procid_target 47)
- PID 1756 wrote to memory of 1776 (1756 cmd.exe, procid_target 47)
- PID 1756 wrote to memory of 1776 (1756 cmd.exe, procid_target 47)
- PID 1576 wrote to memory of 1020 (1576 BadRabbit.exe, procid_target 53)
- PID 1576 wrote to memory of 1020 (1576 BadRabbit.exe, procid_target 53)
- PID 1576 wrote to memory of 1020 (1576 BadRabbit.exe, procid_target 53)
- PID 1576 wrote to memory of 1020 (1576 BadRabbit.exe, procid_target 53)
- PID 1576 wrote to memory of 1020 (1576 BadRabbit.exe, procid_target 53)
- PID 1576 wrote to memory of 1020 (1576 BadRabbit.exe, procid_target 53)
- PID 1576 wrote to memory of 1020 (1576 BadRabbit.exe, procid_target 53)
- PID 1816 wrote to memory of 1972 (1816 BadRabbit.exe, procid_target 56)
- PID 1816 wrote to memory of 1972 (1816 BadRabbit.exe, procid_target 56)
- PID 1816 wrote to memory of 1972 (1816 BadRabbit.exe, procid_target 56)
- PID 1816 wrote to memory of 1972 (1816 BadRabbit.exe, procid_target 56)
- PID 1816 wrote to memory of 1972 (1816 BadRabbit.exe, procid_target 56)
- PID 1816 wrote to memory of 1972 (1816 BadRabbit.exe, procid_target 56)
- PID 1816 wrote to memory of 1972 (1816 BadRabbit.exe, procid_target 56)
- PID 516 wrote to memory of 1796 (516 BadRabbit.exe, procid_target 59)
- PID 516 wrote to memory of 1796 (516 BadRabbit.exe, procid_target 59)
- PID 516 wrote to memory of 1796 (516 BadRabbit.exe, procid_target 59)
- PID 516 wrote to memory of 1796 (516 BadRabbit.exe, procid_target 59)
- PID 516 wrote to memory of 1796 (516 BadRabbit.exe, procid_target 59)
- PID 516 wrote to memory of 1796 (516 BadRabbit.exe, procid_target 59)
- PID 516 wrote to memory of 1796 (516 BadRabbit.exe, procid_target 59)
- PID 456 wrote to memory of 1064 (456 BadRabbit.exe, procid_target 62)
- PID 456 wrote to memory of 1064 (456 BadRabbit.exe, procid_target 62)
- PID 456 wrote to memory of 1064 (456 BadRabbit.exe, procid_target 62)
- PID 456 wrote to memory of 1064 (456 BadRabbit.exe, procid_target 62)
Processes

* C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/acastillorobles77/MalwareDatabase/raw/master/BadRabbit%20Ransomware.zip
  PID: 768
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    * C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
      PID: 1168
      - Suspicious use of SetWindowsHookEx

* C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BadRabbit Ransomware\" -spe -an -ai#7zMap22360:102:7zEvent6437
  PID: 1820
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

* C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x528
  PID: 892
  - Suspicious use of AdjustPrivilegeToken

* C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
  Command line: "C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
  PID: 2032
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 1012
      - Modifies extensions of user files
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        * C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Delete /F /TN rhaegal
          PID: 1392
          - Suspicious use of WriteProcessMemory
            * C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Delete /F /TN rhaegal
              PID: 1052
        * C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4126421655 && exit"
          PID: 1552
          - Suspicious use of WriteProcessMemory
            * C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4126421655 && exit"
              PID: 996
              - Creates scheduled task(s)
        * C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:34:00
          PID: 1756
          - Suspicious use of WriteProcessMemory
            * C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:34:00
              PID: 1776
              - Creates scheduled task(s)
        * C:\Windows\425D.tmp
          Command line: "C:\Windows\425D.tmp" \\.\pipe\{15A5AF7A-C280-4A93-98E3-AEF598BFA237}
          PID: 1596
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

* C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1424
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

* C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
  Command line: "C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
  PID: 1576
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 1020
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

* C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
  Command line: "C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
  PID: 1816
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 1972
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

* C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
  Command line: "C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
  PID: 516
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 1796
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

* C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
  Command line: "C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
  PID: 456
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 1064
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

* C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1068
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

* C:\Program Files (x86)\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  PID: 1268
    * C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      PID: 1152
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
        * C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
          PID: 1532
          - Modifies Internet Explorer settings
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
        * C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:865296 /prefetch:2
          PID: 992
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

* C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\ImportHide.pdf"
  PID: 272
  - Suspicious use of SetWindowsHookEx

* C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BackupDisconnect.css
  PID: 996
  - Opens file in notepad (likely ransom note)

* C:\Windows\System32\notepad.exe
  Command line: "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\ReceiveOpen.ps1"
  PID: 1724
  - Opens file in notepad (likely ransom note)

* C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\RestoreGrant.ppt"
  PID: 1768
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
    * C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 836