Resubmissions
18-03-2024 22:36
240318-2h9hwsba88 10Analysis
-
max time kernel
907s -
max time network
912s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
18-03-2024 22:36
Errors
General
-
Target
Ransomware/BadRabbit.exe
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Deletes NTFS Change Journal 2 TTPs 1 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Clears Windows event logs 1 TTPs 4 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Blocklisted process makes network request 10 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3134311576 && exit"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3134311576 && exit"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:01:003⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:01:004⤵
- Creates scheduled task(s)
-
C:\Windows\57A5.tmp"C:\Windows\57A5.tmp" \\.\pipe\{9C219611-910E-4DEB-9F24-EE9D0019B2B3}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl Setup4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl System4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl Security4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl Application4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\fsutil.exefsutil usn deletejournal /D C:4⤵
- Deletes NTFS Change Journal
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN drogon3⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3884055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\57A5.tmpFilesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
C:\Windows\infpub.datFilesize
265KB
MD51b52b1a0384ee1b58f10ee72493a546b
SHA11d28bc09698ff54ce33b7cf306b0578acea6c22c
SHA25699a0e2e3d09dcb6ca97813dcfa5b8c84edfc5c9323345e022e3004cafbd3b34f
SHA51228fb7e5ff75f4fec99de48807e7f4d2edc248acd3441db65d434587c318326b5e18de4d64157d984b06b73fe7e58d0b4d4a6f1bb907876c4613951f86c69f63f
-
C:\Windows\infpub.datFilesize
64KB
MD51d12b78268144bc10cb270fd514c7a71
SHA150e1c0574cf417527111f0d01a3b93fd2c3e0a28
SHA256392f1bf830cb12f3e8d49cee2f94ee7c0defa785bf04b06794223e058e1a0535
SHA51259b04f5721fd895207e3bed8f01ded02dea7c4d15752791e434c695615dab0273bcb8362d4470682c7c6098d17917f0ba547fa1d6801a6aca7f5b9e00b9a381f
-
memory/2008-3-0x0000000002990000-0x00000000029F8000-memory.dmpFilesize
416KB
-
memory/2008-11-0x0000000002990000-0x00000000029F8000-memory.dmpFilesize
416KB
-
memory/2008-14-0x0000000002990000-0x00000000029F8000-memory.dmpFilesize
416KB