badrabbit | 022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-uk
resource tags

arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
03-03-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/BadRabbit.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Windows\471B.tmp	mimikatz

Executes dropped EXE 1 IoCs

Processes:

471B.tmp

pid process

3740 471B.tmp
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3620 rundll32.exe

pid	process
3740	471B.tmp

pid	process
3620	rundll32.exe

Drops file in Windows directory 5 IoCs

Processes:

rundll32.exeBadRabbit.exe

description	ioc	process
File opened for modification	C:\Windows\471B.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1964 schtasks.exe
248 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

rundll32.exe471B.tmp

pid process

3620 rundll32.exe
3620 rundll32.exe
3620 rundll32.exe
3620 rundll32.exe
3740 471B.tmp
3740 471B.tmp
3740 471B.tmp
3740 471B.tmp
3740 471B.tmp
3740 471B.tmp

pid	process
1964	schtasks.exe
248	schtasks.exe

pid	process
3620	rundll32.exe
3620	rundll32.exe
3620	rundll32.exe
3620	rundll32.exe
3740	471B.tmp
3740	471B.tmp
3740	471B.tmp
3740	471B.tmp
3740	471B.tmp
3740	471B.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exe471B.tmp

description	pid	process
Token: SeShutdownPrivilege	3620	rundll32.exe
Token: SeDebugPrivilege	3620	rundll32.exe
Token: SeTcbPrivilege	3620	rundll32.exe
Token: SeDebugPrivilege	3740	471B.tmp

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

BadRabbit.exerundll32.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3184 wrote to memory of 3620	3184	BadRabbit.exe	rundll32.exe
PID 3184 wrote to memory of 3620	3184	BadRabbit.exe	rundll32.exe
PID 3184 wrote to memory of 3620	3184	BadRabbit.exe	rundll32.exe
PID 3620 wrote to memory of 772	3620	rundll32.exe	cmd.exe
PID 3620 wrote to memory of 772	3620	rundll32.exe	cmd.exe
PID 3620 wrote to memory of 772	3620	rundll32.exe	cmd.exe
PID 772 wrote to memory of 1980	772	cmd.exe	schtasks.exe
PID 772 wrote to memory of 1980	772	cmd.exe	schtasks.exe
PID 772 wrote to memory of 1980	772	cmd.exe	schtasks.exe
PID 3620 wrote to memory of 4044	3620	rundll32.exe	cmd.exe
PID 3620 wrote to memory of 4044	3620	rundll32.exe	cmd.exe
PID 3620 wrote to memory of 4044	3620	rundll32.exe	cmd.exe
PID 3620 wrote to memory of 2876	3620	rundll32.exe	cmd.exe
PID 3620 wrote to memory of 2876	3620	rundll32.exe	cmd.exe
PID 3620 wrote to memory of 2876	3620	rundll32.exe	cmd.exe
PID 4044 wrote to memory of 1964	4044	cmd.exe	schtasks.exe
PID 4044 wrote to memory of 1964	4044	cmd.exe	schtasks.exe
PID 4044 wrote to memory of 1964	4044	cmd.exe	schtasks.exe
PID 3620 wrote to memory of 3740	3620	rundll32.exe	471B.tmp
PID 3620 wrote to memory of 3740	3620	rundll32.exe	471B.tmp
PID 2876 wrote to memory of 248	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 248	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 248	2876	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
3⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1416508467 && exit"
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1416508467 && exit"
4⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:13:00
3⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:13:00
4⤵
- Creates scheduled task(s)
PID:248

C:\Windows\471B.tmp
"C:\Windows\471B.tmp" \\.\pipe\{643E2DF7-2DC4-4677-BABE-493F2479E11A}
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\471B.tmp
Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat
Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3620-3-0x0000000002D70000-0x0000000002DD8000-memory.dmp

Filesize
416KB

Download
memory/3620-11-0x0000000002D70000-0x0000000002DD8000-memory.dmp

Filesize
416KB

Download
memory/3620-14-0x0000000002D70000-0x0000000002DD8000-memory.dmp

Filesize
416KB

Download