badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/BadRabbit[.]exe

Analysis

max time kernel
67s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/BadRabbit.exe

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x00030000000230bd-220.dat	mimikatz
behavioral1/files/0x00030000000230bd-223.dat	mimikatz

Downloads MZ/PE file

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\GrantExpand.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateEnter.tiff	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	BadRabbit.exe
4348	C27A.tmp

Loads dropped DLL 1 IoCs

pid	Process
4168	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\C27A.tmp	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1968	schtasks.exe
4680	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133327230927261361"	chrome.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
4168	rundll32.exe
4168	rundll32.exe
4168	rundll32.exe
4168	rundll32.exe
4348	C27A.tmp
4348	C27A.tmp
4348	C27A.tmp
4348	C27A.tmp
4348	C27A.tmp
4348	C27A.tmp
4348	C27A.tmp
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	4168	rundll32.exe
Token: SeDebugPrivilege	4168	rundll32.exe
Token: SeTcbPrivilege	4168	rundll32.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeDebugPrivilege	4348	C27A.tmp
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeCreatePagefilePrivilege	2008	chrome.exe
Token: SeDebugPrivilege	4252	taskmgr.exe
Token: SeSystemProfilePrivilege	4252	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe
4252	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4888	2008	chrome.exe	86
PID 2008 wrote to memory of 4888	2008	chrome.exe	86
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4260	2008	chrome.exe	88
PID 2008 wrote to memory of 4316	2008	chrome.exe	89
PID 2008 wrote to memory of 4316	2008	chrome.exe	89
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90
PID 2008 wrote to memory of 860	2008	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/BadRabbit.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff34269758,0x7fff34269768,0x7fff34269778
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:2
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5324 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5176 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1840,i,8867906821808677509,2298994481053037503,131072 /prefetch:8
  2⤵
  PID:4668
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2788
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Modifies extensions of user files
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:4120
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2799649715 && exit"
      4⤵
      PID:4288
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2799649715 && exit"
        5⤵
        Creates scheduled task(s)
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:29:00
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:29:00
        5⤵
        Creates scheduled task(s)
        
        PID:4680
  - - C:\Windows\C27A.tmp
      "C:\Windows\C27A.tmp" \\.\pipe\{80075578-4CD4-471D-99F2-3440CF98741B}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4348

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
644cfcb15a2064d0bc1482e4a7a19429

SHA1
a0b8cb4ab45d447eac312f2c37734414be53449a

SHA256
fc168215a99a96e9cfb3b5a3b0448c6ddf1c96bfaaf636c0ffa30913a9d8e556

SHA512
659a44a7e7a55c40416193a31bfa2b439d2b0e72c3e46f63dc8cf8600920476f607973783fe56de2190e81443a488bcff13e4e287b2e4e43a23749f2ebf1c7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
572146ada61831584f5cf1f13ea6da1f

SHA1
fd98c5524213912adff7593aae8875aaabb14b20

SHA256
4175bc654cba426a3577fd8002dca7eeffd1d2007def1b259b0e107a9ba75891

SHA512
f1be090977f79a2a6ed601cd79ef135a0f7686b26b00a1fa27d7590171b0dfb6cc5464ea9d2c0a28f50a5e7ad631656195f210781daef0660ddad89737742b79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aa2b7ecd52e7abf3801789c4fd30c46c

SHA1
2e8a185cf600ec1c18ee173d6941e87f2a0b9a35

SHA256
5f12c434c6dc0b3ff87c1ce3bc3111a1d161decb7b68a7c7209b07b305c4a04e

SHA512
71823272405a24901741d148430c47237e828bfbb0c8b128f66d2f67645b88f65e0a070629fae6da1b4b374ab511df7a3b62b60a1c87e87bfde217319dfae9b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
707c3c7df282594defe205e8d04242e3

SHA1
681b6ce355a39d24d97fcd79e9416ebc0f9ee97f

SHA256
3d7e69261c05399a25d7f801ef4ba9b728c97105c63ddbb96676710ae969fe1b

SHA512
8c1f36e94bdd0423b04258c0bc3d9ce4d3e255940c82aa77cd7207fedcd76037301a16e4fa90bda57c71076b0336d611bb8da7efaa26297563b0f59f6126ad1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
ce8226060c55cd6379de01efebdc2492

SHA1
ae0d3ae10209ca16dd0b11f5206ae45bc4d5713d

SHA256
b4da213c7a1d57001b32f125c345f4d76bb3e70bcb7f50f2c7b754afccd932dc

SHA512
1966407a5abf7fb085eb2eb1670d58a13502f3fcc769ffdc34d9f1c08b7733885fb860da92c3e1ba4debb886c8a901194b67280262dd369b047d38a2fc352e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\C27A.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\C27A.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/4168-214-0x0000000002DF0000-0x0000000002E58000-memory.dmp

Filesize
416KB

Download
memory/4168-196-0x0000000002DF0000-0x0000000002E58000-memory.dmp

Filesize
416KB

Download
memory/4168-183-0x0000000002DF0000-0x0000000002E58000-memory.dmp

Filesize
416KB

Download
memory/4252-254-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-252-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-253-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-258-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-259-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-261-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-260-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-262-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-263-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download
memory/4252-264-0x0000016F10210000-0x0000016F10211000-memory.dmp

Filesize
4KB

Download