Analysis
max time kernel: 988s
max time network: 990s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
submitted: 01-04-2024 19:01
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win10-20240221-en
Behavioral task: behavioral3
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win10v2004-20240226-en
Behavioral task: behavioral4
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win11-20240221-en
Errors
General
Target: https://github.com/Endermanch/MalwareDatabase
Malware Config
Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
Deletes NTFS Change Journal 2 TTPs 1 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid Process
- 1056 fsutil.exe
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
Clears Windows event logs 1 TTPs 4 IoCs
pid Process
- 3544 wevtutil.exe
- 1572 wevtutil.exe
- 3608 wevtutil.exe
- 2708 wevtutil.exe
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule
- behavioral4/files/0x000600000000f4ab-345.dat mimikatz
Blocklisted process makes network request 10 IoCs
flow pid Process
- 408 2416 rundll32.exe
- 456 2416 rundll32.exe
- 503 2416 rundll32.exe
- 551 2416 rundll32.exe
- 563 2416 rundll32.exe
- 611 2416 rundll32.exe
- 658 2416 rundll32.exe
- 706 2416 rundll32.exe
- 733 2416 rundll32.exe
- 765 2416 rundll32.exe
Executes dropped EXE 1 IoCs
pid Process
- 4668 8A78.tmp
Loads dropped DLL 1 IoCs
pid Process
- 2416 rundll32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc
- 2 camo.githubusercontent.com
- 18 raw.githubusercontent.com
- 39 raw.githubusercontent.com
Drops file in Windows directory 5 IoCs
description ioc Process
- File created C:\Windows\infpub.dat [email protected]
- File opened for modification C:\Windows\infpub.dat rundll32.exe
- File created C:\Windows\cscc.dat rundll32.exe
- File created C:\Windows\dispci.exe rundll32.exe
- File opened for modification C:\Windows\8A78.tmp rundll32.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
- 3160 schtasks.exe
- 3848 schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Modifies data under HKEY_USERS 15 IoCs
description ioc Process
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "187" LogonUI.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe
Modifies registry class 2 IoCs
description ioc Process
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings msedge.exe
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
NTFS ADS 1 IoCs
description ioc Process
- File opened for modification C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
- 2200 vlc.exe
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process
- 4164 msedge.exe
- 4164 msedge.exe
- 4588 msedge.exe
- 4588 msedge.exe
- 4060 msedge.exe
- 4060 msedge.exe
- 5012 identity_helper.exe
- 5012 identity_helper.exe
- 1684 msedge.exe
- 1684 msedge.exe
- 2416 rundll32.exe
- 2416 rundll32.exe
- 2416 rundll32.exe
- 2416 rundll32.exe
- 4668 8A78.tmp
- 4668 8A78.tmp
- 4668 8A78.tmp
- 4668 8A78.tmp
- 4668 8A78.tmp
- 4668 8A78.tmp
- 4668 8A78.tmp
- 3160 msedge.exe
- 3160 msedge.exe
- 3160 msedge.exe
- 3160 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
- 2200 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process
- 4588 msedge.exe
- 4588 msedge.exe
- 4588 msedge.exe
- 4588 msedge.exe
- 4588 msedge.exe
- 4588 msedge.exe
- 4588 msedge.exe
- 4588 msedge.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
- Token: SeShutdownPrivilege 2416 rundll32.exe
- Token: SeDebugPrivilege 2416 rundll32.exe
- Token: SeTcbPrivilege 2416 rundll32.exe
- Token: SeDebugPrivilege 4668 8A78.tmp
- Token: SeSecurityPrivilege 3544 wevtutil.exe
- Token: SeBackupPrivilege 3544 wevtutil.exe
- Token: SeSecurityPrivilege 1572 wevtutil.exe
- Token: SeBackupPrivilege 1572 wevtutil.exe
- Token: SeSecurityPrivilege 3608 wevtutil.exe
- Token: SeBackupPrivilege 3608 wevtutil.exe
- Token: SeSecurityPrivilege 2708 wevtutil.exe
- Token: SeBackupPrivilege 2708 wevtutil.exe
Suspicious use of FindShellTrayWindow 42 IoCs
Suspicious use of SendNotifyMessage 20 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
- 3316 MiniSearchHost.exe
- 2200 vlc.exe
- 1532 LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4588

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeda913cb8,0x7ffeda913cc8,0x7ffeda913cd8
    PID:3744

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
    PID:3712

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:4164

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1408 /prefetch:8
    PID:1372

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    PID:4688

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    PID:2960

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    PID:3248

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    PID:4444

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    PID:4068

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
    PID:2780

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:4060

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:5012

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
    PID:1568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1684

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4784 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID:3160

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13599459844668391094,12821724076535176583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    PID:476

C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2400

C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:904

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3316

C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1260

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
  Command: "C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
  - Drops file in Windows directory
  PID:4996

  C:\Windows\SysWOW64\rundll32.exe
    Command: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2416

    C:\Windows\SysWOW64\cmd.exe
      Command: /c schtasks /Delete /F /TN rhaegal
      PID:1960

      C:\Windows\SysWOW64\schtasks.exe
        Command: schtasks /Delete /F /TN rhaegal
        PID:3720

    C:\Windows\SysWOW64\cmd.exe
      Command: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3619096487 && exit"
      PID:3600

      C:\Windows\SysWOW64\schtasks.exe
        Command: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3619096487 && exit"
        - Creates scheduled task(s)
        PID:3160

    C:\Windows\SysWOW64\cmd.exe
      Command: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:21:00
      PID:236

      C:\Windows\SysWOW64\schtasks.exe
        Command: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:21:00
        - Creates scheduled task(s)
        PID:3848

    C:\Windows\8A78.tmp
      Command: "C:\Windows\8A78.tmp" \\.\pipe\{5DD7520A-BC6F-4003-A4EC-51FC6B994B67}
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4668

    C:\Windows\SysWOW64\cmd.exe
      Command: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      PID:3956

      C:\Windows\SysWOW64\wevtutil.exe
        Command: wevtutil cl Setup
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
        PID:3544

      C:\Windows\SysWOW64\wevtutil.exe
        Command: wevtutil cl System
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
        PID:1572

      C:\Windows\SysWOW64\wevtutil.exe
        Command: wevtutil cl Security
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
        PID:3608

      C:\Windows\SysWOW64\wevtutil.exe
        Command: wevtutil cl Application
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
        PID:2708

      C:\Windows\SysWOW64\fsutil.exe
        Command: fsutil usn deletejournal /D C:
        - Deletes NTFS Change Journal
        PID:1056

    C:\Windows\SysWOW64\cmd.exe
      Command: /c schtasks /Delete /F /TN drogon
      PID:4504

      C:\Windows\SysWOW64\schtasks.exe
        Command: schtasks /Delete /F /TN drogon
        PID:2344

C:\Program Files\VideoLAN\VLC\vlc.exe
  Command: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PingCompare.m1v"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2200

C:\Windows\system32\LogonUI.exe
  Command: "LogonUI.exe" /flags:0x4 /state0:0xa39fa855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1532
Network
MITRE ATT&CK Enterprise v15
Downloads