Resubmissions
19-12-2024 08:32
241219-kfqvbsxmgl  score 10  19-12-2024 08:29
241219-kd1azswrh1  score 10  19-12-2024 08:22
241219-j9qkzsxkhl  score 10  19-12-2024 08:18
241219-j7clcaxkbl  score 6   19-12-2024 08:10
241219-j2wf9swmgz  score 7   19-12-2024 07:51
241219-jqbbyswnbq  score 8   19-12-2024 07:51
241219-jp8aaswnbm  score 3   19-12-2024 07:46
241219-jmcqlswmcm  score 3   19-12-2024 07:46
241219-jl6bjavrby  score 3   19-12-2024 07:46
241219-jlylpavray  score 3
Analysis
max time kernel: 997s
max time network: 997s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-03-2024 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: b28242123ed2cf6000f0aa036844bd29.dll
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: b28242123ed2cf6000f0aa036844bd29.dll
  Resource: win11-20240221-en
Errors
General
Target: b28242123ed2cf6000f0aa036844bd29.dll
Size: 87KB
MD5: b28242123ed2cf6000f0aa036844bd29
SHA1: 915f41a6c59ed743803ea0ddde08927ffd623586
SHA256: fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512: 08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP: 1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc
Malware Config
Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Deletes NTFS Change Journal (2 TTPs, 1 IoC)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid 5004  fsutil.exe

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.

Clears Windows event logs (1 TTP, 4 IoCs)
  pid 4052  wevtutil.exe
  pid 4988  wevtutil.exe
  pid 1448  wevtutil.exe
  pid 1328  wevtutil.exe

mimikatz is an open source tool to dump credentials on Windows (1 IoC)
  resource behavioral2/files/0x000200000002a8db-531.dat  yara_rule mimikatz

Blocklisted process makes network request (19 IoCs)
  pid 2796  rundll32.exe  flows 451, 499, 546, 564, 605, 652, 700, 748, 759, 806, 855, 903, 949, 961, 1009, 1057, 1104, 1127, 1163

Executes dropped EXE (1 IoC)
  pid 896  D01C.tmp

Loads dropped DLL (1 IoC)
  pid 2796  rundll32.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 39  raw.githubusercontent.com
  flow 1   raw.githubusercontent.com
  flow 9   raw.githubusercontent.com

Drops file in Windows directory (5 IoCs)
  File opened for modification  C:\Windows\D01C.tmp    rundll32.exe
  File created                  C:\Windows\infpub.dat  BadRabbit.exe
  File opened for modification  C:\Windows\infpub.dat  rundll32.exe
  File created                  C:\Windows\cscc.dat    rundll32.exe
  File created                  C:\Windows\dispci.exe  rundll32.exe

Program crash (1 IoC)
  pid 1128  pid_target 4092  WerFault.exe  procid_target 77

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2092  schtasks.exe
  pid 1328  schtasks.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Modifies data under HKEY_USERS (15 IoCs)
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "187"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe

Modifies registry class (2 IoCs)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{86D27992-09C1-4E2E-ABA2-01C90551CFAC}  msedge.exe
  Key created  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings  msedge.exe

NTFS ADS (2 IoCs)
  File opened for modification  C:\Users\Admin\Downloads\Annabelle Ransomware.zip:Zone.Identifier  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\BadRabbit Ransomware.zip:Zone.Identifier  msedge.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 2128  msedge.exe (x2)
  pid 3648  msedge.exe (x2)
  pid 4948  msedge.exe (x2)
  pid 4908  msedge.exe (x2)
  pid 5076  identity_helper.exe (x2)
  pid 4868  msedge.exe (x2)
  pid 1828  msedge.exe (x2)
  pid 2796  rundll32.exe (x4)
  pid 896   D01C.tmp (x7)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  pid 3648  msedge.exe (x15)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token: SeShutdownPrivilege  pid 2796  rundll32.exe
  Token: SeDebugPrivilege     pid 2796  rundll32.exe
  Token: SeTcbPrivilege       pid 2796  rundll32.exe
  Token: SeDebugPrivilege     pid 896   D01C.tmp
  Token: SeSecurityPrivilege  pid 4052  wevtutil.exe
  Token: SeBackupPrivilege    pid 4052  wevtutil.exe
  Token: SeSecurityPrivilege  pid 4988  wevtutil.exe
  Token: SeBackupPrivilege    pid 4988  wevtutil.exe
  Token: SeSecurityPrivilege  pid 1448  wevtutil.exe
  Token: SeBackupPrivilege    pid 1448  wevtutil.exe
  Token: SeSecurityPrivilege  pid 1328  wevtutil.exe
  Token: SeBackupPrivilege    pid 1328  wevtutil.exe

Suspicious use of FindShellTrayWindow (45 IoCs)
  pid 3648  msedge.exe (x45)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid 3648  msedge.exe (x12)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1132  LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(nesting level in brackets; child processes are indented under their parent)

[1] C:\Windows\system32\regsvr32.exe  PID 1528
    cmd: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\regsvr32.exe  PID 4092
      cmd: /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
    [3] C:\Windows\SysWOW64\WerFault.exe  PID 1128
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 460
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe  PID 1564
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3648
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2936
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe159e3cb8,0x7ffe159e3cc8,0x7ffe159e3cd8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2884
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2128
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5088
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4796
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5044
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 336
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1456
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4948
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2500
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1392
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4500
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4908
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4740 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1584
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  PID 5076
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4380
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1432
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 984
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4948
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 800
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3516
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2540
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4868
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 560
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1828
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,12178579627835407734,4031768264842643310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe  PID 2068
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  PID 1088
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\rundll32.exe  PID 2084
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe  PID 984
    cmd: "C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit Ransomware.zip\BadRabbit.exe"
    - Drops file in Windows directory
  [2] C:\Windows\SysWOW64\rundll32.exe  PID 2796
      cmd: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  PID 4512
        cmd: /c schtasks /Delete /F /TN rhaegal
      [4] C:\Windows\SysWOW64\schtasks.exe  PID 2400
          cmd: schtasks /Delete /F /TN rhaegal
    [3] C:\Windows\SysWOW64\cmd.exe  PID 3872
        cmd: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1822095468 && exit"
      [4] C:\Windows\SysWOW64\schtasks.exe  PID 2092
          cmd: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1822095468 && exit"
          - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe  PID 2908
        cmd: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:08:00
      [4] C:\Windows\SysWOW64\schtasks.exe  PID 1328
          cmd: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:08:00
          - Creates scheduled task(s)
    [3] C:\Windows\D01C.tmp  PID 896
        cmd: "C:\Windows\D01C.tmp" \\.\pipe\{D6F5E55F-D8D2-4157-8E3D-6B8A4A1DF035}
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  PID 2376
        cmd: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      [4] C:\Windows\SysWOW64\wevtutil.exe  PID 4052
          cmd: wevtutil cl Setup
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\wevtutil.exe  PID 4988
          cmd: wevtutil cl System
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\wevtutil.exe  PID 1448
          cmd: wevtutil cl Security
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\wevtutil.exe  PID 1328
          cmd: wevtutil cl Application
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\fsutil.exe  PID 5004
          cmd: fsutil usn deletejournal /D C:
          - Deletes NTFS Change Journal
    [3] C:\Windows\SysWOW64\cmd.exe  PID 4544
        cmd: /c schtasks /Delete /F /TN drogon
      [4] C:\Windows\SysWOW64\schtasks.exe  PID 2972
          cmd: schtasks /Delete /F /TN drogon

[1] C:\Windows\system32\LogonUI.exe  PID 1132
    cmd: "LogonUI.exe" /flags:0x4 /state0:0xa398a055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads