Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-02-2024 09:05

General

  • Target

    2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe

  • Size

    431KB

  • MD5

    5d5ae8c9b7a2af62fcdf385a203bf7b5

  • SHA1

    b1863b977696682532ac3c3f4345ee52888558fa

  • SHA256

    3b04f8d10e7847cffa2e610e299733af239ea28e8709659a992965dce1e8b9c4

  • SHA512

    1e50c9101739ddd95ed28bc3946da1e5a720f20a83a6267eff2cc12d2032a3f1728b9ec93a89ef44b0bd12090884d3fbf702b2324f89b8988c25dcea3b5d93a7

  • SSDEEP

    12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR6V:vT56NbqWRwZaEr3yt2O3XR6V

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Detects executables containing anti-forensic artifacts of deleting the USN change journal; observed in ransomware (4 IoCs)
  • mimikatz is an open source tool to dump credentials on Windows (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Drops file in Windows directory (5 IoCs)
  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (35 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-01_5d5ae8c9b7a2af62fcdf385a203bf7b5_bad-rabbit.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
            PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 339712932 && exit"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 339712932 && exit"
            4⤵
            • Creates scheduled task(s)
            PID:2532
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:00
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:00
            4⤵
            • Creates scheduled task(s)
            PID:2660
        • C:\Windows\6DEF.tmp
          "C:\Windows\6DEF.tmp" \\.\pipe\{8E210380-CD6B-4813-8313-1A07BEB48210}
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2688

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\6DEF.tmp

      Filesize

      60KB

      MD5

      347ac3b6b791054de3e5720a7144a977

      SHA1

      413eba3973a15c1a6429d9f170f3e8287f98c21c

      SHA256

      301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

      SHA512

      9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

    • C:\Windows\infpub.dat

      Filesize

      161KB

      MD5

      fed44fc8aaa8966207cd255ba0256069

      SHA1

      42eeff70f18bb1ef043215d7b852b138c7518f78

      SHA256

      e23a6a1edfa712506eea36ca8d4a48900ef2c9dd0e9f7a2d8a136539e5d2c6a1

      SHA512

      61be29125b6677afe8616c240b8c3678d0f4fc28a1ae04b5318eea2e74eabb5625461adcad5bbfb2edcaf8e7c2cb9bcf58c20eac49d6c0e306e1bf9fc0206694

    • memory/2712-10-0x0000000000950000-0x00000000009B8000-memory.dmp

      Filesize

      416KB

    • memory/2712-2-0x0000000000950000-0x00000000009B8000-memory.dmp

      Filesize

      416KB

    • memory/2712-13-0x0000000000950000-0x00000000009B8000-memory.dmp

      Filesize

      416KB