Overview
overview
10Static
static
7Ransomware...er.exe
windows10-2004-x64
8Ransomware/7ev3n.exe
windows10-2004-x64
Ransomware...le.exe
windows10-2004-x64
Ransomware...it.exe
windows10-2004-x64
10Ransomware/Birele.exe
windows10-2004-x64
10Ransomware...r5.exe
windows10-2004-x64
8Ransomware...us.exe
windows10-2004-x64
10Ransomware...er.exe
windows10-2004-x64
10Ransomware...ll.exe
windows10-2004-x64
7Ransomware...ck.exe
windows10-2004-x64
7Ransomware/Dharma.exe
windows10-2004-x64
9Ransomware/Fantom.exe
windows10-2004-x64
10Ransomware...ab.exe
windows10-2004-x64
7Ransomware...ye.exe
windows10-2004-x64
10Ransomware...Eye.js
windows10-2004-x64
10Ransomware...pt.exe
windows10-2004-x64
10Ransomware...en.exe
windows10-2004-x64
8Ransomware...AZ.dll
windows10-2004-x64
3Ransomware...om.exe
windows10-2004-x64
10Ransomware...ya.exe
windows10-2004-x64
10Ransomware...ap.exe
windows10-2004-x64
1Ransomware....A.exe
windows10-2004-x64
6Ransomware...om.exe
windows10-2004-x64
10Ransomware...nt.exe
windows10-2004-x64
Ransomware...ot.exe
windows10-2004-x64
Ransomware/RedEye.exe
windows10-2004-x64
Ransomware...re.exe
windows10-2004-x64
7Ransomware/Rokku.exe
windows10-2004-x64
10Ransomware/Satana.exe
windows10-2004-x64
5Ransomware/Seftad.exe
windows10-2004-x64
6Ransomware...re.exe
windows10-2004-x64
10Ransomware/UIWIX.dll
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-uk -
resource tags
arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows -
submitted
03-03-2024 13:53
Behavioral task
behavioral1
Sample
Ransomware/$uckyLocker.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral2
Sample
Ransomware/7ev3n.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral3
Sample
Ransomware/Annabelle.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral4
Sample
Ransomware/BadRabbit.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral5
Sample
Ransomware/Birele.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral6
Sample
Ransomware/Cerber5.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral7
Sample
Ransomware/CoronaVirus.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral8
Sample
Ransomware/CryptoLocker.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral9
Sample
Ransomware/CryptoWall.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral10
Sample
Ransomware/DeriaLock.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral11
Sample
Ransomware/Dharma.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral12
Sample
Ransomware/Fantom.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral13
Sample
Ransomware/GandCrab.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral14
Sample
Ransomware/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral15
Sample
Ransomware/GoldenEye/GoldenEye.js
Resource
win10v2004-20240226-uk
Behavioral task
behavioral16
Sample
Ransomware/InfinityCrypt.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral17
Sample
Ransomware/Krotten.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral18
Sample
Ransomware/Locky.AZ.dll
Resource
win10v2004-20240226-uk
Behavioral task
behavioral19
Sample
Ransomware/NoMoreRansom.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral20
Sample
Ransomware/NotPetya.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral21
Sample
Ransomware/PetrWrap.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral22
Sample
Ransomware/Petya.A.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral23
Sample
Ransomware/PolyRansom.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral24
Sample
Ransomware/PowerPoint.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral25
Sample
Ransomware/RedBoot.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral26
Sample
Ransomware/RedEye.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral27
Sample
Ransomware/Rensenware.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral28
Sample
Ransomware/Rokku.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral29
Sample
Ransomware/Satana.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral30
Sample
Ransomware/Seftad.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral31
Sample
Ransomware/SporaRansomware.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral32
Sample
Ransomware/UIWIX.dll
Resource
win10v2004-20240226-uk
General
-
Target
Ransomware/BadRabbit.exe
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral4/files/0x000b00000002320b-20.dat mimikatz -
Executes dropped EXE 1 IoCs
pid Process 3740 471B.tmp -
Loads dropped DLL 1 IoCs
pid Process 3620 rundll32.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\471B.tmp rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1964 schtasks.exe 248 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3620 rundll32.exe 3620 rundll32.exe 3620 rundll32.exe 3620 rundll32.exe 3740 471B.tmp 3740 471B.tmp 3740 471B.tmp 3740 471B.tmp 3740 471B.tmp 3740 471B.tmp -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 3620 rundll32.exe Token: SeDebugPrivilege 3620 rundll32.exe Token: SeTcbPrivilege 3620 rundll32.exe Token: SeDebugPrivilege 3740 471B.tmp -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 3184 wrote to memory of 3620 3184 BadRabbit.exe 88 PID 3184 wrote to memory of 3620 3184 BadRabbit.exe 88 PID 3184 wrote to memory of 3620 3184 BadRabbit.exe 88 PID 3620 wrote to memory of 772 3620 rundll32.exe 89 PID 3620 wrote to memory of 772 3620 rundll32.exe 89 PID 3620 wrote to memory of 772 3620 rundll32.exe 89 PID 772 wrote to memory of 1980 772 cmd.exe 92 PID 772 wrote to memory of 1980 772 cmd.exe 92 PID 772 wrote to memory of 1980 772 cmd.exe 92 PID 3620 wrote to memory of 4044 3620 rundll32.exe 93 PID 3620 wrote to memory of 4044 3620 rundll32.exe 93 PID 3620 wrote to memory of 4044 3620 rundll32.exe 93 PID 3620 wrote to memory of 2876 3620 rundll32.exe 95 PID 3620 wrote to memory of 2876 3620 rundll32.exe 95 PID 3620 wrote to memory of 2876 3620 rundll32.exe 95 PID 4044 wrote to memory of 1964 4044 cmd.exe 96 PID 4044 wrote to memory of 1964 4044 cmd.exe 96 PID 4044 wrote to memory of 1964 4044 cmd.exe 96 PID 3620 wrote to memory of 3740 3620 rundll32.exe 98 PID 3620 wrote to memory of 3740 3620 rundll32.exe 98 PID 2876 wrote to memory of 248 2876 cmd.exe 100 PID 2876 wrote to memory of 248 2876 cmd.exe 100 PID 2876 wrote to memory of 248 2876 cmd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1416508467 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1416508467 && exit"4⤵
- Creates scheduled task(s)
PID:1964
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:13:003⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:13:004⤵
- Creates scheduled task(s)
PID:248
-
-
-
C:\Windows\471B.tmp"C:\Windows\471B.tmp" \\.\pipe\{643E2DF7-2DC4-4677-BABE-493F2479E11A}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.a-0001.a-msedge.netg-bing-com.a-0001.a-msedge.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=39D2E54A02036A272812F17D03E36BE9; domain=.bing.com; expires=Fri, 28-Mar-2025 13:55:39 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7D7C73AEF50F424E8520F3FF6D1909E5 Ref B: LON04EDGE1012 Ref C: 2024-03-03T13:55:39Z
date: Sun, 03 Mar 2024 13:55:38 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39D2E54A02036A272812F17D03E36BE9
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=l4hpk_DU4Y_Fz_T0lmNtvYohngi2T4wWQUMQsriHAiY; domain=.bing.com; expires=Fri, 28-Mar-2025 13:55:39 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1DB41EBC37E340FA86D980A84D7EE9B9 Ref B: LON04EDGE1012 Ref C: 2024-03-03T13:55:39Z
date: Sun, 03 Mar 2024 13:55:38 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39D2E54A02036A272812F17D03E36BE9; MSPTC=l4hpk_DU4Y_Fz_T0lmNtvYohngi2T4wWQUMQsriHAiY
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 078492F5E5634B5F9031FC46C2991F11 Ref B: LON04EDGE1012 Ref C: 2024-03-03T13:55:39Z
date: Sun, 03 Mar 2024 13:55:38 GMT
-
Remote address:8.8.8.8:53Request4.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request134.71.91.104.in-addr.arpaIN PTRResponse134.71.91.104.in-addr.arpaIN PTRa104-91-71-134deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request9.173.189.20.in-addr.arpaIN PTRResponse
-
204.79.197.200:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=tls, http22.0kB 9.2kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=baaa89ba9b97474abe610e427bf20e32&localId=w:B10FE29E-1693-3A9A-DEA4-AA0A4C8C3099&deviceId=6825825924576770&anid=HTTP Response
204 -
104 B 2
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
104 B 2
-
52 B 1
-
56 B 158 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.20013.107.21.200
-
71 B 157 B 1 1
DNS Request
4.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
134.71.91.104.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
9.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113