Analysis
-
max time kernel
611s -
max time network
625s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03-03-2024 22:34
Static task
static1
Behavioral task
behavioral1
Sample
BadRabbit.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
BadRabbit.exe
Resource
win10-20240221-en
Behavioral task
behavioral3
Sample
BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
BadRabbit.exe
Resource
win11-20240221-en
General
-
Target
BadRabbit.exe
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral3/files/0x0007000000023326-21.dat mimikatz -
Blocklisted process makes network request 7 IoCs
flow pid Process 370 4408 rundll32.exe 412 4408 rundll32.exe 455 4408 rundll32.exe 487 4408 rundll32.exe 510 4408 rundll32.exe 550 4408 rundll32.exe 592 4408 rundll32.exe -
Executes dropped EXE 1 IoCs
pid Process 3168 B882.tmp -
Loads dropped DLL 1 IoCs
pid Process 4408 rundll32.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\B882.tmp rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5096 schtasks.exe 1084 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 4408 rundll32.exe 4408 rundll32.exe 4408 rundll32.exe 4408 rundll32.exe 3168 B882.tmp 3168 B882.tmp 3168 B882.tmp 3168 B882.tmp 3168 B882.tmp 3168 B882.tmp 3168 B882.tmp -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 4408 rundll32.exe Token: SeDebugPrivilege 4408 rundll32.exe Token: SeTcbPrivilege 4408 rundll32.exe Token: SeDebugPrivilege 3168 B882.tmp -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 4852 wrote to memory of 4408 4852 BadRabbit.exe 96 PID 4852 wrote to memory of 4408 4852 BadRabbit.exe 96 PID 4852 wrote to memory of 4408 4852 BadRabbit.exe 96 PID 4408 wrote to memory of 3888 4408 rundll32.exe 99 PID 4408 wrote to memory of 3888 4408 rundll32.exe 99 PID 4408 wrote to memory of 3888 4408 rundll32.exe 99 PID 3888 wrote to memory of 1944 3888 cmd.exe 101 PID 3888 wrote to memory of 1944 3888 cmd.exe 101 PID 3888 wrote to memory of 1944 3888 cmd.exe 101 PID 4408 wrote to memory of 1904 4408 rundll32.exe 103 PID 4408 wrote to memory of 1904 4408 rundll32.exe 103 PID 4408 wrote to memory of 1904 4408 rundll32.exe 103 PID 1904 wrote to memory of 5096 1904 cmd.exe 106 PID 1904 wrote to memory of 5096 1904 cmd.exe 106 PID 1904 wrote to memory of 5096 1904 cmd.exe 106 PID 4408 wrote to memory of 728 4408 rundll32.exe 107 PID 4408 wrote to memory of 728 4408 rundll32.exe 107 PID 4408 wrote to memory of 728 4408 rundll32.exe 107 PID 4408 wrote to memory of 3168 4408 rundll32.exe 109 PID 4408 wrote to memory of 3168 4408 rundll32.exe 109 PID 728 wrote to memory of 1084 728 cmd.exe 111 PID 728 wrote to memory of 1084 728 cmd.exe 111 PID 728 wrote to memory of 1084 728 cmd.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1993620050 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1993620050 && exit"4⤵
- Creates scheduled task(s)
PID:5096
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:24:003⤵
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:24:004⤵
- Creates scheduled task(s)
PID:1084
-
-
-
C:\Windows\B882.tmp"C:\Windows\B882.tmp" \\.\pipe\{4EF166BF-1407-4E49-AD1A-A8C545F02D62}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4228 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:81⤵PID:5012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:81⤵PID:3548
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113