Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13/10/2022, 15:38
Static task
static1
Behavioral task
behavioral1
Sample
Ransomware.BadRabbit.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Ransomware.BadRabbit.exe
Resource
win10v2004-20220812-en
General
-
Target
Ransomware.BadRabbit.exe
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 2 IoCs
resource yara_rule behavioral2/files/0x0006000000022e49-148.dat mimikatz behavioral2/files/0x0006000000022e49-150.dat mimikatz -
Executes dropped EXE 1 IoCs
pid Process 3364 81E2.tmp -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\CloseEnable.tiff rundll32.exe -
Loads dropped DLL 1 IoCs
pid Process 2132 rundll32.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\81E2.tmp rundll32.exe File created C:\Windows\infpub.dat Ransomware.BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1312 schtasks.exe 3064 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2132 rundll32.exe 2132 rundll32.exe 2132 rundll32.exe 2132 rundll32.exe 3364 81E2.tmp 3364 81E2.tmp 3364 81E2.tmp 3364 81E2.tmp 3364 81E2.tmp 3364 81E2.tmp -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 2132 rundll32.exe Token: SeDebugPrivilege 2132 rundll32.exe Token: SeTcbPrivilege 2132 rundll32.exe Token: SeDebugPrivilege 3364 81E2.tmp -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 372 wrote to memory of 2132 372 Ransomware.BadRabbit.exe 86 PID 372 wrote to memory of 2132 372 Ransomware.BadRabbit.exe 86 PID 372 wrote to memory of 2132 372 Ransomware.BadRabbit.exe 86 PID 2132 wrote to memory of 4320 2132 rundll32.exe 87 PID 2132 wrote to memory of 4320 2132 rundll32.exe 87 PID 2132 wrote to memory of 4320 2132 rundll32.exe 87 PID 4320 wrote to memory of 3392 4320 cmd.exe 89 PID 4320 wrote to memory of 3392 4320 cmd.exe 89 PID 4320 wrote to memory of 3392 4320 cmd.exe 89 PID 2132 wrote to memory of 4928 2132 rundll32.exe 90 PID 2132 wrote to memory of 4928 2132 rundll32.exe 90 PID 2132 wrote to memory of 4928 2132 rundll32.exe 90 PID 4928 wrote to memory of 1312 4928 cmd.exe 92 PID 4928 wrote to memory of 1312 4928 cmd.exe 92 PID 4928 wrote to memory of 1312 4928 cmd.exe 92 PID 2132 wrote to memory of 2628 2132 rundll32.exe 93 PID 2132 wrote to memory of 2628 2132 rundll32.exe 93 PID 2132 wrote to memory of 2628 2132 rundll32.exe 93 PID 2132 wrote to memory of 3364 2132 rundll32.exe 95 PID 2132 wrote to memory of 3364 2132 rundll32.exe 95 PID 2628 wrote to memory of 3064 2628 cmd.exe 97 PID 2628 wrote to memory of 3064 2628 cmd.exe 97 PID 2628 wrote to memory of 3064 2628 cmd.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:3392
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2962921978 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2962921978 && exit"4⤵
- Creates scheduled task(s)
PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:58:003⤵
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:58:004⤵
- Creates scheduled task(s)
PID:3064
-
-
-
C:\Windows\81E2.tmp"C:\Windows\81E2.tmp" \\.\pipe\{DA7A5EFF-4BBA-4E96-A892-321E855722AF}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113