badrabbit | 0b432f20d54647f077811ecb1df4dbc64fb17fbd6a9e0cce4ac9437d5f7891fb

Resubmissions

18-03-2024 22:36

240318-2h9hwsba88 10

Analysis

max time kernel
907s
max time network
912s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 22:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransomware/BadRabbit.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz evasion ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
1260	fsutil.exe

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Clears Windows event logs 1 TTPs 4 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
3024	wevtutil.exe
4860	wevtutil.exe
4368	wevtutil.exe
1860	wevtutil.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral4/files/0x000700000002322c-21.dat	mimikatz

Blocklisted process makes network request 10 IoCs

flow	pid	Process
371	2008	rundll32.exe
392	2008	rundll32.exe
470	2008	rundll32.exe
512	2008	rundll32.exe
544	2008	rundll32.exe
572	2008	rundll32.exe
608	2008	rundll32.exe
651	2008	rundll32.exe
691	2008	rundll32.exe
726	2008	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	57A5.tmp

Loads dropped DLL 1 IoCs

pid	Process
2008	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\57A5.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3064	schtasks.exe
4468	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
4516	57A5.tmp
4516	57A5.tmp
4516	57A5.tmp
4516	57A5.tmp
4516	57A5.tmp
4516	57A5.tmp
4516	57A5.tmp

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2008	rundll32.exe
Token: SeDebugPrivilege	2008	rundll32.exe
Token: SeTcbPrivilege	2008	rundll32.exe
Token: SeDebugPrivilege	4516	57A5.tmp
Token: SeSecurityPrivilege	3024	wevtutil.exe
Token: SeBackupPrivilege	3024	wevtutil.exe
Token: SeSecurityPrivilege	4860	wevtutil.exe
Token: SeBackupPrivilege	4860	wevtutil.exe
Token: SeSecurityPrivilege	4368	wevtutil.exe
Token: SeBackupPrivilege	4368	wevtutil.exe
Token: SeSecurityPrivilege	1860	wevtutil.exe
Token: SeBackupPrivilege	1860	wevtutil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4384	LogonUI.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 2008	3300	BadRabbit.exe	89
PID 3300 wrote to memory of 2008	3300	BadRabbit.exe	89
PID 3300 wrote to memory of 2008	3300	BadRabbit.exe	89
PID 2008 wrote to memory of 2468	2008	rundll32.exe	90
PID 2008 wrote to memory of 2468	2008	rundll32.exe	90
PID 2008 wrote to memory of 2468	2008	rundll32.exe	90
PID 2468 wrote to memory of 4420	2468	cmd.exe	92
PID 2468 wrote to memory of 4420	2468	cmd.exe	92
PID 2468 wrote to memory of 4420	2468	cmd.exe	92
PID 2008 wrote to memory of 2052	2008	rundll32.exe	96
PID 2008 wrote to memory of 2052	2008	rundll32.exe	96
PID 2008 wrote to memory of 2052	2008	rundll32.exe	96
PID 2008 wrote to memory of 4476	2008	rundll32.exe	98
PID 2008 wrote to memory of 4476	2008	rundll32.exe	98
PID 2008 wrote to memory of 4476	2008	rundll32.exe	98
PID 2052 wrote to memory of 3064	2052	cmd.exe	99
PID 2052 wrote to memory of 3064	2052	cmd.exe	99
PID 2052 wrote to memory of 3064	2052	cmd.exe	99
PID 2008 wrote to memory of 4516	2008	rundll32.exe	101
PID 2008 wrote to memory of 4516	2008	rundll32.exe	101
PID 4476 wrote to memory of 4468	4476	cmd.exe	103
PID 4476 wrote to memory of 4468	4476	cmd.exe	103
PID 4476 wrote to memory of 4468	4476	cmd.exe	103
PID 2008 wrote to memory of 4968	2008	rundll32.exe	128
PID 2008 wrote to memory of 4968	2008	rundll32.exe	128
PID 2008 wrote to memory of 4968	2008	rundll32.exe	128
PID 4968 wrote to memory of 3024	4968	cmd.exe	130
PID 4968 wrote to memory of 3024	4968	cmd.exe	130
PID 4968 wrote to memory of 3024	4968	cmd.exe	130
PID 4968 wrote to memory of 4860	4968	cmd.exe	131
PID 4968 wrote to memory of 4860	4968	cmd.exe	131
PID 4968 wrote to memory of 4860	4968	cmd.exe	131
PID 4968 wrote to memory of 4368	4968	cmd.exe	132
PID 4968 wrote to memory of 4368	4968	cmd.exe	132
PID 4968 wrote to memory of 4368	4968	cmd.exe	132
PID 4968 wrote to memory of 1860	4968	cmd.exe	133
PID 4968 wrote to memory of 1860	4968	cmd.exe	133
PID 4968 wrote to memory of 1860	4968	cmd.exe	133
PID 4968 wrote to memory of 1260	4968	cmd.exe	134
PID 4968 wrote to memory of 1260	4968	cmd.exe	134
PID 4968 wrote to memory of 1260	4968	cmd.exe	134
PID 2008 wrote to memory of 2576	2008	rundll32.exe	135
PID 2008 wrote to memory of 2576	2008	rundll32.exe	135
PID 2008 wrote to memory of 2576	2008	rundll32.exe	135

C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3134311576 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3134311576 && exit"
      4⤵
      Creates scheduled task(s)
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:01:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:01:00
      4⤵
      Creates scheduled task(s)
      PID:4468
- - C:\Windows\57A5.tmp
    "C:\Windows\57A5.tmp" \\.\pipe\{9C219611-910E-4DEB-9F24-EE9D0019B2B3}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Setup
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl System
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:4860
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Security
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:4368
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Application
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil usn deletejournal /D C:
      4⤵
      Deletes NTFS Change Journal
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    PID:2576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3884055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\57A5.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
265KB

MD5
1b52b1a0384ee1b58f10ee72493a546b

SHA1
1d28bc09698ff54ce33b7cf306b0578acea6c22c

SHA256
99a0e2e3d09dcb6ca97813dcfa5b8c84edfc5c9323345e022e3004cafbd3b34f

SHA512
28fb7e5ff75f4fec99de48807e7f4d2edc248acd3441db65d434587c318326b5e18de4d64157d984b06b73fe7e58d0b4d4a6f1bb907876c4613951f86c69f63f

Download Submit
C:\Windows\infpub.dat

Filesize
64KB

MD5
1d12b78268144bc10cb270fd514c7a71

SHA1
50e1c0574cf417527111f0d01a3b93fd2c3e0a28

SHA256
392f1bf830cb12f3e8d49cee2f94ee7c0defa785bf04b06794223e058e1a0535

SHA512
59b04f5721fd895207e3bed8f01ded02dea7c4d15752791e434c695615dab0273bcb8362d4470682c7c6098d17917f0ba547fa1d6801a6aca7f5b9e00b9a381f

Download Submit
memory/2008-3-0x0000000002990000-0x00000000029F8000-memory.dmp

Filesize
416KB

Download
memory/2008-11-0x0000000002990000-0x00000000029F8000-memory.dmp

Filesize
416KB

Download
memory/2008-14-0x0000000002990000-0x00000000029F8000-memory.dmp

Filesize
416KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads