badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit[.]zip

Resubmissions

26-05-2023 15:41

230526-s4x8bagf7z 10

26-05-2023 15:37

230526-s2nk4agf6t 10

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-05-2023 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000000b46e-125.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
1296	F4AC.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\F4AC.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
804	schtasks.exe
272	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 807acccaf88fd901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF9F9C11-FBEB-11ED-9682-E6255E64A624} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
596	rundll32.exe
596	rundll32.exe
1296	F4AC.tmp
1296	F4AC.tmp
1296	F4AC.tmp
1296	F4AC.tmp
1296	F4AC.tmp
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1328	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	596	rundll32.exe
Token: SeDebugPrivilege	596	rundll32.exe
Token: SeTcbPrivilege	596	rundll32.exe
Token: SeDebugPrivilege	1296	F4AC.tmp
Token: SeDebugPrivilege	1328	taskmgr.exe
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1704	iexplore.exe
1704	iexplore.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe
1328	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1704	iexplore.exe
1704	iexplore.exe
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1704	iexplore.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1296	1704	iexplore.exe	29
PID 1704 wrote to memory of 1296	1704	iexplore.exe	29
PID 1704 wrote to memory of 1296	1704	iexplore.exe	29
PID 1704 wrote to memory of 1296	1704	iexplore.exe	29
PID 1040 wrote to memory of 596	1040	[email protected]	35
PID 1040 wrote to memory of 596	1040	[email protected]	35
PID 1040 wrote to memory of 596	1040	[email protected]	35
PID 1040 wrote to memory of 596	1040	[email protected]	35
PID 1040 wrote to memory of 596	1040	[email protected]	35
PID 1040 wrote to memory of 596	1040	[email protected]	35
PID 1040 wrote to memory of 596	1040	[email protected]	35
PID 596 wrote to memory of 1496	596	rundll32.exe	36
PID 596 wrote to memory of 1496	596	rundll32.exe	36
PID 596 wrote to memory of 1496	596	rundll32.exe	36
PID 596 wrote to memory of 1496	596	rundll32.exe	36
PID 1496 wrote to memory of 1344	1496	cmd.exe	38
PID 1496 wrote to memory of 1344	1496	cmd.exe	38
PID 1496 wrote to memory of 1344	1496	cmd.exe	38
PID 1496 wrote to memory of 1344	1496	cmd.exe	38
PID 596 wrote to memory of 1180	596	rundll32.exe	39
PID 596 wrote to memory of 1180	596	rundll32.exe	39
PID 596 wrote to memory of 1180	596	rundll32.exe	39
PID 596 wrote to memory of 1180	596	rundll32.exe	39
PID 1180 wrote to memory of 804	1180	cmd.exe	41
PID 1180 wrote to memory of 804	1180	cmd.exe	41
PID 1180 wrote to memory of 804	1180	cmd.exe	41
PID 1180 wrote to memory of 804	1180	cmd.exe	41
PID 596 wrote to memory of 1760	596	rundll32.exe	42
PID 596 wrote to memory of 1760	596	rundll32.exe	42
PID 596 wrote to memory of 1760	596	rundll32.exe	42
PID 596 wrote to memory of 1760	596	rundll32.exe	42
PID 1760 wrote to memory of 272	1760	cmd.exe	44
PID 1760 wrote to memory of 272	1760	cmd.exe	44
PID 1760 wrote to memory of 272	1760	cmd.exe	44
PID 1760 wrote to memory of 272	1760	cmd.exe	44
PID 596 wrote to memory of 1296	596	rundll32.exe	45
PID 596 wrote to memory of 1296	596	rundll32.exe	45
PID 596 wrote to memory of 1296	596	rundll32.exe	45
PID 596 wrote to memory of 1296	596	rundll32.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1296

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1182674467 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1182674467 && exit"
      4⤵
      Creates scheduled task(s)
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:56:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:56:00
      4⤵
      Creates scheduled task(s)
      PID:272
- - C:\Windows\F4AC.tmp
    "C:\Windows\F4AC.tmp" \\.\pipe\{A62B0F2B-F550-4B5A-BD6C-57E650A42058}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1296

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1328

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\BadRabbit[1].zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20FA.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\Desktop\BadRabbit.zip.1zhv6z1.partial

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Windows\F4AC.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/596-104-0x0000000001E00000-0x0000000001E68000-memory.dmp

Filesize
416KB

Download
memory/596-112-0x0000000001E00000-0x0000000001E68000-memory.dmp

Filesize
416KB

Download
memory/596-115-0x0000000001E00000-0x0000000001E68000-memory.dmp

Filesize
416KB

Download
memory/1328-139-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1328-140-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1328-141-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download