badrabbit | d82719707e7358acaeb6380bbbe03379b8db2b6fce41febf4165f61539560d35 | Triage

Submit
Reports

Overview

overview

Static

static

1

ADZP 20 Clean.bat

windows7-x64

1

ADZP 20 Clean.bat

windows10-2004-x64

Sharing

General

Target

ADZP 20 Clean.bat
Size

13KB
Sample

230622-3ry9ysbg8y
MD5

c2c54b38738da1e8d48faf2e84594a99
SHA1

2f7dcd0e047f0e293bb4f66c3f9839248d0bb194
SHA256

d82719707e7358acaeb6380bbbe03379b8db2b6fce41febf4165f61539560d35
SHA512

854f703d4fe92d47ce77b0818a23e449a16b09e42e7da03b8fd67db2f50c12c7731ea12dbf52767f6a59d7733fa8326415fb72ea2135d9bad3626c23b7bfae93
SSDEEP

192:T6hhThhDhJhqmh0WxEuSEMRc1ojxwxpEutJWap3ahzbEuJp+U/JWap3ahzgMRcPj:RMEuSET6cEutJWo3yzbEu6U/JWo3yzg5

Score

10^/10

badrabbit bootkit evasion persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

ADZP 20 Clean.bat

Resource

win7-20230621-en

windows7-x64

0 signatures

1800 seconds

Behavioral task

behavioral2

Sample

ADZP 20 Clean.bat

Resource

win10v2004-20230621-en

badrabbit bootkit evasion persistence ransomware

windows10-2004-x64

29 signatures

1800 seconds

Malware Config

Targets

- Target
  
  ADZP 20 Clean.bat
- Size
  
  13KB
- MD5
  
  c2c54b38738da1e8d48faf2e84594a99
- SHA1
  
  2f7dcd0e047f0e293bb4f66c3f9839248d0bb194
- SHA256
  
  d82719707e7358acaeb6380bbbe03379b8db2b6fce41febf4165f61539560d35
- SHA512
  
  854f703d4fe92d47ce77b0818a23e449a16b09e42e7da03b8fd67db2f50c12c7731ea12dbf52767f6a59d7733fa8326415fb72ea2135d9bad3626c23b7bfae93
- SSDEEP
  
  192:T6hhThhDhJhqmh0WxEuSEMRc1ojxwxpEutJWap3ahzbEuJp+U/JWap3ahzgMRcPj:RMEuSET6cEutJWo3yzbEu6U/JWo3yzg5
Score

10^/10

badrabbit bootkit evasion persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Disables Task Manager via registry modification
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Scheduled Task

Persistence

Bootkit

Hidden Files and Directories

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

behavioral2

badrabbitbootkitevasionpersistenceransomware

© 2018-2025

Terms | Privacy