badrabbit | 8e4e9f9ee9f568e2e5307b8a878ffce824478c5c9f1b023b3b92a87060a2d6b5

General

Target

Ransomware.BadRabbit.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e49-148.dat	mimikatz
behavioral2/files/0x0006000000022e49-150.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
3364	81E2.tmp

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CloseEnable.tiff	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\81E2.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	Ransomware.BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1312	schtasks.exe
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2132	rundll32.exe
2132	rundll32.exe
2132	rundll32.exe
2132	rundll32.exe
3364	81E2.tmp
3364	81E2.tmp
3364	81E2.tmp
3364	81E2.tmp
3364	81E2.tmp
3364	81E2.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	rundll32.exe
Token: SeDebugPrivilege	2132	rundll32.exe
Token: SeTcbPrivilege	2132	rundll32.exe
Token: SeDebugPrivilege	3364	81E2.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 2132	372	Ransomware.BadRabbit.exe	86
PID 372 wrote to memory of 2132	372	Ransomware.BadRabbit.exe	86
PID 372 wrote to memory of 2132	372	Ransomware.BadRabbit.exe	86
PID 2132 wrote to memory of 4320	2132	rundll32.exe	87
PID 2132 wrote to memory of 4320	2132	rundll32.exe	87
PID 2132 wrote to memory of 4320	2132	rundll32.exe	87
PID 4320 wrote to memory of 3392	4320	cmd.exe	89
PID 4320 wrote to memory of 3392	4320	cmd.exe	89
PID 4320 wrote to memory of 3392	4320	cmd.exe	89
PID 2132 wrote to memory of 4928	2132	rundll32.exe	90
PID 2132 wrote to memory of 4928	2132	rundll32.exe	90
PID 2132 wrote to memory of 4928	2132	rundll32.exe	90
PID 4928 wrote to memory of 1312	4928	cmd.exe	92
PID 4928 wrote to memory of 1312	4928	cmd.exe	92
PID 4928 wrote to memory of 1312	4928	cmd.exe	92
PID 2132 wrote to memory of 2628	2132	rundll32.exe	93
PID 2132 wrote to memory of 2628	2132	rundll32.exe	93
PID 2132 wrote to memory of 2628	2132	rundll32.exe	93
PID 2132 wrote to memory of 3364	2132	rundll32.exe	95
PID 2132 wrote to memory of 3364	2132	rundll32.exe	95
PID 2628 wrote to memory of 3064	2628	cmd.exe	97
PID 2628 wrote to memory of 3064	2628	cmd.exe	97
PID 2628 wrote to memory of 3064	2628	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2962921978 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2962921978 && exit"
      4⤵
      Creates scheduled task(s)
      PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:58:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:58:00
      4⤵
      Creates scheduled task(s)
      PID:3064
- - C:\Windows\81E2.tmp
    "C:\Windows\81E2.tmp" \\.\pipe\{DA7A5EFF-4BBA-4E96-A892-321E855722AF}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\81E2.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\81E2.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2132-135-0x0000000000AF0000-0x0000000000B58000-memory.dmp

Filesize
416KB

Download
memory/2132-141-0x0000000000AF0000-0x0000000000B58000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads