Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
01-02-2024 09:05
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe
-
Size
431KB
-
MD5
5d5ae8c9b7a2af62fcdf385a203bf7b5
-
SHA1
b1863b977696682532ac3c3f4345ee52888558fa
-
SHA256
3b04f8d10e7847cffa2e610e299733af239ea28e8709659a992965dce1e8b9c4
-
SHA512
1e50c9101739ddd95ed28bc3946da1e5a720f20a83a6267eff2cc12d2032a3f1728b9ec93a89ef44b0bd12090884d3fbf702b2324f89b8988c25dcea3b5d93a7
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR6V:vT56NbqWRwZaEr3yt2O3XR6V
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 4 IoCs
resource yara_rule behavioral1/files/0x0007000000012281-1.dat INDICATOR_SUSPICIOUS_USNDeleteJournal behavioral1/memory/2712-10-0x0000000000950000-0x00000000009B8000-memory.dmp INDICATOR_SUSPICIOUS_USNDeleteJournal behavioral1/memory/2712-2-0x0000000000950000-0x00000000009B8000-memory.dmp INDICATOR_SUSPICIOUS_USNDeleteJournal behavioral1/memory/2712-13-0x0000000000950000-0x00000000009B8000-memory.dmp INDICATOR_SUSPICIOUS_USNDeleteJournal -
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016d6c-23.dat mimikatz -
Executes dropped EXE 1 IoCs
pid Process 2688 6DEF.tmp -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\6DEF.tmp rundll32.exe File created C:\Windows\infpub.dat 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2532 schtasks.exe 2660 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2712 rundll32.exe 2712 rundll32.exe 2688 6DEF.tmp 2688 6DEF.tmp 2688 6DEF.tmp 2688 6DEF.tmp 2688 6DEF.tmp -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 2712 rundll32.exe Token: SeDebugPrivilege 2712 rundll32.exe Token: SeTcbPrivilege 2712 rundll32.exe Token: SeDebugPrivilege 2688 6DEF.tmp -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2712 2060 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe 29 PID 2060 wrote to memory of 2712 2060 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe 29 PID 2060 wrote to memory of 2712 2060 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe 29 PID 2060 wrote to memory of 2712 2060 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe 29 PID 2060 wrote to memory of 2712 2060 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe 29 PID 2060 wrote to memory of 2712 2060 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe 29 PID 2060 wrote to memory of 2712 2060 2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe 29 PID 2712 wrote to memory of 2652 2712 rundll32.exe 31 PID 2712 wrote to memory of 2652 2712 rundll32.exe 31 PID 2712 wrote to memory of 2652 2712 rundll32.exe 31 PID 2712 wrote to memory of 2652 2712 rundll32.exe 31 PID 2652 wrote to memory of 2736 2652 cmd.exe 32 PID 2652 wrote to memory of 2736 2652 cmd.exe 32 PID 2652 wrote to memory of 2736 2652 cmd.exe 32 PID 2652 wrote to memory of 2736 2652 cmd.exe 32 PID 2712 wrote to memory of 2656 2712 rundll32.exe 33 PID 2712 wrote to memory of 2656 2712 rundll32.exe 33 PID 2712 wrote to memory of 2656 2712 rundll32.exe 33 PID 2712 wrote to memory of 2656 2712 rundll32.exe 33 PID 2656 wrote to memory of 2532 2656 cmd.exe 35 PID 2656 wrote to memory of 2532 2656 cmd.exe 35 PID 2656 wrote to memory of 2532 2656 cmd.exe 35 PID 2656 wrote to memory of 2532 2656 cmd.exe 35 PID 2712 wrote to memory of 2708 2712 rundll32.exe 36 PID 2712 wrote to memory of 2708 2712 rundll32.exe 36 PID 2712 wrote to memory of 2708 2712 rundll32.exe 36 PID 2712 wrote to memory of 2708 2712 rundll32.exe 36 PID 2708 wrote to memory of 2660 2708 cmd.exe 38 PID 2708 wrote to memory of 2660 2708 cmd.exe 38 PID 2708 wrote to memory of 2660 2708 cmd.exe 38 PID 2708 wrote to memory of 2660 2708 cmd.exe 38 PID 2712 wrote to memory of 2688 2712 rundll32.exe 39 PID 2712 wrote to memory of 2688 2712 rundll32.exe 39 PID 2712 wrote to memory of 2688 2712 rundll32.exe 39 PID 2712 wrote to memory of 2688 2712 rundll32.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:2736
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 339712932 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 339712932 && exit"4⤵
- Creates scheduled task(s)
PID:2532
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:003⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:004⤵
- Creates scheduled task(s)
PID:2660
-
-
-
C:\Windows\6DEF.tmp"C:\Windows\6DEF.tmp" \\.\pipe\{8E210380-CD6B-4813-8313-1A07BEB48210}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
161KB
MD5fed44fc8aaa8966207cd255ba0256069
SHA142eeff70f18bb1ef043215d7b852b138c7518f78
SHA256e23a6a1edfa712506eea36ca8d4a48900ef2c9dd0e9f7a2d8a136539e5d2c6a1
SHA51261be29125b6677afe8616c240b8c3678d0f4fc28a1ae04b5318eea2e74eabb5625461adcad5bbfb2edcaf8e7c2cb9bcf58c20eac49d6c0e306e1bf9fc0206694