badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit[.]zip

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2023 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000000735-257.dat	mimikatz
behavioral1/files/0x0003000000000735-260.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
3064	D4FE.tmp

Loads dropped DLL 3 IoCs

pid	Process
4744	rundll32.exe
764	rundll32.exe
4116	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\D4FE.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1616	schtasks.exe
4144	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2656	NOTEPAD.EXE
764	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4128	msedge.exe
4128	msedge.exe
1640	msedge.exe
1640	msedge.exe
2816	identity_helper.exe
2816	identity_helper.exe
4132	msedge.exe
4132	msedge.exe
4744	rundll32.exe
4744	rundll32.exe
4744	rundll32.exe
4744	rundll32.exe
3064	D4FE.tmp
3064	D4FE.tmp
3064	D4FE.tmp
3064	D4FE.tmp
3064	D4FE.tmp
3064	D4FE.tmp
3064	D4FE.tmp
764	rundll32.exe
764	rundll32.exe
4116	rundll32.exe
4116	rundll32.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4744	rundll32.exe
Token: SeDebugPrivilege	4744	rundll32.exe
Token: SeTcbPrivilege	4744	rundll32.exe
Token: SeDebugPrivilege	3064	D4FE.tmp
Token: SeShutdownPrivilege	764	rundll32.exe
Token: SeDebugPrivilege	764	rundll32.exe
Token: SeTcbPrivilege	764	rundll32.exe
Token: SeShutdownPrivilege	4116	rundll32.exe
Token: SeDebugPrivilege	4116	rundll32.exe
Token: SeTcbPrivilege	4116	rundll32.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
2656	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2400	1640	msedge.exe	77
PID 1640 wrote to memory of 2400	1640	msedge.exe	77
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 744	1640	msedge.exe	84
PID 1640 wrote to memory of 4128	1640	msedge.exe	83
PID 1640 wrote to memory of 4128	1640	msedge.exe	83
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85
PID 1640 wrote to memory of 316	1640	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff8249546f8,0x7ff824954708,0x7ff824954718
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,6264271482352601072,6497038672228431894,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Users\Admin\Desktop\BadRabbit\[email protected]
"C:\Users\Admin\Desktop\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:4800
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3474013693 && exit"
    3⤵
    PID:3460
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3474013693 && exit"
      4⤵
      Creates scheduled task(s)
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:28:00
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:28:00
      4⤵
      Creates scheduled task(s)
      PID:4144
- - C:\Windows\D4FE.tmp
    "C:\Windows\D4FE.tmp" \\.\pipe\{E2F5153F-F0CA-4B91-98A8-529CCA4FA753}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064

C:\Users\Admin\Desktop\BadRabbit\[email protected]
"C:\Users\Admin\Desktop\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:4800
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764

C:\Users\Admin\Desktop\BadRabbit\[email protected]
"C:\Users\Admin\Desktop\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:2876
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dssaas.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\dssaas.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d25fc6e43a16159ebfd161f28e16ef7

SHA1
49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4

SHA256
cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5

SHA512
ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\719af8c6-4654-44f1-9f2f-95adf421db97.tmp

Filesize
24KB

MD5
d555d038867542dfb2fb0575a0d3174e

SHA1
1a5868d6df0b5de26cf3fc7310b628ce0a3726f0

SHA256
044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e

SHA512
d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
28e85ab89742d1814be7b6a49d5cbdfc

SHA1
7ba7a2b276e1871f7f5b6d67e7e9a6b280324c4b

SHA256
3e2ebc6fdd04b0c15ce0554cf11cd537f5f2fd5b565cecac50ed7626649a6946

SHA512
b5675f3e1d6040f2aac610b6ec6ed6d2a5b303a536e4777d19f5644e32abf6be57ccc01f807080500ad99f847a54576cbe1b5f67ac75196e145bb7740f1e3db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
9a6ce27b8d0b8451401204291e83d579

SHA1
0a94eaae0e37289b3ab5c634d886579f01f8cbab

SHA256
475dd5afca6828b19833bdabdc3d287a2a147dd8d6e8abeb42f5927e3ed903af

SHA512
bcc5cb6b95208daf67402adbab62269fa29f6406d88c5759344887c109285ab59625f94f139fe92fa4dcea2151d7e3d2455484272ed6399370e4452724497785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20d4e50e265fadc5d7a444e08ed843d6

SHA1
66dc7b5128899b7da2fa7aa7ba574d9e99cf4655

SHA256
79ed7ab203f364bca1662f7acec6af92878cd82ed4f7b8f1be652b8ec551fa8b

SHA512
3ea39a18998cb807f2b63ab1f83e4bda7383fa618c1ba38d960e10c8da92505fbb8b40b5f6ccf4a6422704d2309fdfc76960b0229a6b16a9e4041e5dae62050f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a2283570a1528e255c7e35a69f705ee

SHA1
eff6067faf133cfdb07eb19d23be6566aef16a99

SHA256
3425388b80dcf0b4812a4314ee5fda168d8bb605cf2aab5d8dacca1da00740b5

SHA512
d0d567f95db9bef4f28c620812a3e697aa2b3fd83b0ac5e114ed8f6758891d081cf27f331b3f0f89c3c2ac2477d6dc447fb6bfe7745c045e4b89cefe6b0057ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c499027bfee6988f281478139d6bbab1

SHA1
9f411528f3f5cf7bef546bae7b8f0b8a03faf85d

SHA256
fab3abc47f72b8c6bfeb171b5904ed590728ef6ce548fbfa516314dd258fb83c

SHA512
710ccf005df584366c661eb99907e0a4e3139047916e8ae0e9289b27e92ce2357e8b4a138094bab0ec621e31397b6e6b85f6858f556d7a9c6455713db6843273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
1f839f1cc973dbd35e9d1cb6a591a11d

SHA1
0e1abce95c5308ec09bf0018cd08196477d99ed1

SHA256
873523b933f2ee68e4b5c37d7da92a2cd9140c3fe3f97666298601430f81e5be

SHA512
a7376b4b1e27795215829f5452cfb1bc12ac398b8bad00adce2089aa9373191933eb731eaf9d01dceab562fe71f83a2b0914ac05d5d3788dcfc09d4a7aab56bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580f4d.TMP

Filesize
874B

MD5
a336eec9c9578c69e920011d0456660e

SHA1
20ce16aa04881ebc70fbf684d832f219fb4f66a5

SHA256
0b3645ef91ff92cec92f1b8475d25c707267df2e3c099ecc31ed781b3c95cf8b

SHA512
78d6c551ab65b3f32cb7e8684123e252d69da8b8ae871a51829186a4af185e51bf3fb445b4e051d866ba6f8d6ea3a260a7142153fd2bc3279faee8f8955c7fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f1fafc6c6b5494564955ec03f0faae57

SHA1
2e8c9d5fa6918ea2ffec9ff8146d35b9e0c6660f

SHA256
2db91ec51a70002e19a9d71bf09343981668ed99552513371addd7402ca1a53f

SHA512
f61bcc7925a6a73eede9370b8d77a06636b2e20d2aea15d4850aad9d5402b06ff172ddf04be9ae378f695d7dc3ee1ab158e414e3c238d597ab41555a080d17ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b504d7d5dee97dd703c52007db15bbeb

SHA1
aecebb27ae5405a262b771877c0e5bc1c9e9e991

SHA256
5cc16e6eabaf9585fede4599d03a4c50ad17dd52a6ba4e4f58286fc8da95e294

SHA512
a2b8a02d7ba81781d0e57c9e5a8a7ecbb7e6a593835fcb4b9368ab7d02c794ceabad2386960b65db82dc8fed0fff21c055fb588824367be63673cdfb54ad91b8

Download Submit
C:\Users\Admin\Desktop\BadRabbit.zip

Filesize
393KB

MD5
a72d560ea517e294d6594575714da76c

SHA1
3b8f106f0c841ca9b6e66812fa09ab7d3d81c583

SHA256
d46d85f1fd5bddca9b94298a778ef90e2243cb763d89b2bf573c0f768967a586

SHA512
1308caa6010f3e84a38b3f8895ee7f596268062f983531c9eaeff891648064b62b3867427ebc43b40455f1afc2b115c15c23b9595f39dbeb9cf18bdb61b7a02a

Download Submit
C:\Users\Admin\Desktop\dssaas.txt

Filesize
11B

MD5
2a9accfa7bd7af9824d05d38dab80f44

SHA1
d7541b41ca48cf3478300ad82be7f05957d401bd

SHA256
fd33c1d2105a6f2395fefba3935a07031b7511d4cdaf998cf785ec0f768f5824

SHA512
467948422aa151600b754c1c9d75bb25bee3191416238dc1efbd8ea650361eb5b2b04a23350b5ca0fefd3734fb0b1d60b7d201f94415d08d0fb983edc1d09739

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Windows\D4FE.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\D4FE.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/764-289-0x0000000000CF0000-0x0000000000D58000-memory.dmp

Filesize
416KB

Download
memory/764-297-0x0000000000CF0000-0x0000000000D58000-memory.dmp

Filesize
416KB

Download
memory/4116-301-0x0000000002940000-0x00000000029A8000-memory.dmp

Filesize
416KB

Download
memory/4116-309-0x0000000002940000-0x00000000029A8000-memory.dmp

Filesize
416KB

Download
memory/4744-251-0x0000000002420000-0x0000000002488000-memory.dmp

Filesize
416KB

Download
memory/4744-248-0x0000000002420000-0x0000000002488000-memory.dmp

Filesize
416KB

Download
memory/4744-240-0x0000000002420000-0x0000000002488000-memory.dmp

Filesize
416KB

Download