Overview

overview

10

Static

static

URLScan

urlscan

1

https://drive.google...

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1u-QY29jwsxXFxY5OOF4jWT1owIH4dgXw

  • Sample

    221125-aem2yacb9y

Score
10/10
badrabbitdiscoveryevasionpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Readme.txt

Ransom Note
Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service. We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password. Visit our web service at caforssztxqzf2nm.onion Your personal installation key#2: Zl3y2Sw8lh7JMlrs46/rCAz88bLbsfOmt0g8i60aT3TuRvTV6xaLErs5DbSJRJio Yj2BtCpqrgF0cbxjOHixj7Yy8Sd2b545VDLDeS1HwKbCsXrHSGH7hDZ1vfCqAQB3 bEUoFJt8avferKiNDaejSjbyWULWlqK3VWZ3OyViVZx8kiAz3loHfkOwUkcWbscf Oujo+zzxIpIoNZf1+EXIaT1T8Y5rp6wAr1J0u+0pIEC/3jF1ylwuN2jsivRw7fd1 r/vIcT7gJQxiZi9WDU5tN9MENxOfwWTMUmqx6+aNlodfNZibbHieWpfkSuymJVao f1EhiSniN7I2s4S0mRTQ5fOQqairCHxFGA==
URLs

http://caforssztxqzf2nm.onion

Targets

    • Target

      https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1u-QY29jwsxXFxY5OOF4jWT1owIH4dgXw

    Score
    10/10
    badrabbitdiscoveryevasionpersistenceransomwarespywarestealertrojan

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

      ransomwarebadrabbit

    • Modifies WinLogon for persistence

      persistence

    • Modifies visibility of file extensions in Explorer

      evasion

    • UAC bypass

      evasiontrojan

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks