General

  • Target

    Agreement.pdf.exe

  • Size

    61.9MB

  • Sample

    230913-ttk1nsde2v

  • MD5

    978508efcdf53658ebe6d1bcf5068136

  • SHA1

    01fb4896d41e36fd556ff60bd1edda68187c1c75

  • SHA256

    f179f20f9a2d68c90b15a04d41df43569be87de91e177901d886a25a54b027dd

  • SHA512

    56db783890179ae6ec5d930c522691f329eee13987f039c7d9b3a4b6e76533cbc4580ee80741a3b3e1bda8e81ef24b945431b2209d8ab6e4bd895aab0662e2dd

  • SSDEEP

    1572864:fORQvq3E+k1xXCGkufMkscPdZKsUB/ayrxr12GaGfF11A9o1NCQCje6q:fOKvq361dCGtM6d8LayrxpVzRF1Cje6q

Malware Config

Targets

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks