Analysis

  • max time kernel
    102s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-04-2024 22:33

General

  • Target
    BadRabbit.exe
  • Size
    431KB
  • MD5
    fbbdc39af1139aebba4da004475e8839
  • SHA1
    de5c8d858e6e41da715dca1c019df0bfb92d32c0
  • SHA256
    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • SHA512
    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
  • SSDEEP
    12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
    "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
            PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3375477278 && exit"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3284
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3375477278 && exit"
            4⤵
            • Creates scheduled task(s)
            PID:4596
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:52:00
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:52:00
            4⤵
            • Creates scheduled task(s)
            PID:3940
        • C:\Windows\298C.tmp
          "C:\Windows\298C.tmp" \\.\pipe\{C02D8194-C5B7-4E25-ACE5-B11303D01A7F}
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5064
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3900
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.0.819051289\443474321" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44aa0545-0211-4a93-beb4-c98b9b922625} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 1980 283dc6ce258 gpu
        3⤵
        PID:2636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.1.1143380381\977923383" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1fdf405-5000-4744-a047-c52db19641ec} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 2364 283dc5fa258 socket
        3⤵
        PID:2992
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.2.1006105831\1795342001" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3080 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2187904-fb94-4ac8-bc87-75431576111f} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 3096 283dc65d058 tab
        3⤵
        PID:2096
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.3.648637474\168158973" -childID 2 -isForBrowser -prefsHandle 2500 -prefMapHandle 1264 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98ad3bd8-0222-4bca-8f72-994b3eb1777a} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 3496 283c8a70a58 tab
        3⤵
        PID:1040
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.4.849581933\1230766127" -childID 3 -isForBrowser -prefsHandle 3724 -prefMapHandle 3736 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5119205-43d8-4430-84e7-843c30bb947d} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 3868 283e0db0458 tab
        3⤵
        PID:3536
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.5.866113133\1730025558" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4968 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93ebdb08-44d0-449e-bb81-fb770d1c9e88} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 4944 283e2962d58 tab
        3⤵
        PID:5528
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.6.1832563044\1443434384" -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 4936 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03c5632f-a96e-4723-b1f3-c6f391d286d5} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 5108 283e2963358 tab
        3⤵
        PID:5536
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.7.944245893\551749431" -childID 6 -isForBrowser -prefsHandle 5304 -prefMapHandle 5200 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80ac1625-f8a0-4c7b-a18d-528de0e69c0f} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 5316 283e29e8b58 tab
        3⤵
        PID:5568
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3708.8.165898562\1730751877" -childID 7 -isForBrowser -prefsHandle 5448 -prefMapHandle 1632 -prefsLen 26550 -prefMapSize 233444 -jsInitHandle 1384 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a3659f3-5563-4f4e-979f-08b8756740e8} 3708 "\\.\pipe\gecko-crash-server-pipe.3708" 5688 283c8a6cd58 tab
        3⤵
        PID:5836

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\DB26F9F8326AFE57AA6A9D2B51C69B6A2C954139
    Filesize: 207KB
    MD5: 270687217f62e59f94992abc26ba57b6
    SHA1: e37c2d1c6e02ff650af72d81936e3c10717c350d
    SHA256: 95b2aae2065a6cbce2e4ce4310ff8afe0d0a5f58cbb421178cac42f6e6267b13
    SHA512: ddd1e675c1a76f47337ba9cafe93fb09aa1d5e1160a8cffca628d395b2aaf8b6d77fb557fdeb0b38af00a3fe370fbbc32df7871a1d45598a036ca044b0791fb9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: aaf90527488152eef5f66a9e342b1a7f
    SHA1: 522c0231ef1f75af81d6563e230b60ad15635188
    SHA256: ecc4185c0c57e80d0df33f4cf2f03611641e853754677c6b7a7a1dbdb63325b2
    SHA512: 84723846344bf13e3f4d687a85e3735f8e622b492cb5e1786860c7a102434afdf652f6dcff45809c7612cb75326268ce0872a06c39ac90bde1ac9c9e1f85202a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\0a05573d-6a92-43f0-bb61-8251a3746583
    Filesize: 10KB
    MD5: 32decb3515e0d5751e61992dbf25d2df
    SHA1: 4dda91fe572e86b3d332c3a0d6af0ccd5cc43066
    SHA256: f5fed8123c420082eecaf4dc82c110348f924bb2a4c1134b9a6bf0a2491c6d28
    SHA512: ba24adf178b6c7691b623f9beda4319dbb20f0bde3aa89642f8e3455a94d557867f2ce1efbd0686ff8d3b7eb06e71eb2c9de1b61e12016200e85d09c9baf8f39

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\7506691a-58fd-4a4e-b59b-f22c1c344b06
    Filesize: 746B
    MD5: 2190a0f55073d292f90d9d4954481665
    SHA1: b983d9f1ed7d7b079376abfc3e5298958f5aa4d1
    SHA256: 571ecfdd11a40f97e9602dff2105b24cbd13ad3b74c8c08dd8897b8f21fa008c
    SHA512: 92c780dba30b5d742ff4c5f6f19dc8e7c16287eaa4799696b16a60bb2a080eeee3917f72529c2aac74130bbe069fac89794b73d4215465060c2b19835fb7c74f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 58d1093cd8b41566844bc2f5a79b52bd
    SHA1: bda60726c95df246fd305282f7418d674d64bfa0
    SHA256: d55c345d8dfd90c923e4b96bfb59fcd3f7a205d226d7c152f130a5571bfeb9e4
    SHA512: 65950d74af8dff3f4ad357356d2383eaacaf1760756a3d9120d7ecd55c6ce99b5e5f9d152cc1b5ee3e3746b6ed3ceb1476e0729036cd153d405ca7bdd7d630b5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 9fa581ae53eb1ea4bfcdf1130b8230a4
    SHA1: 4ec5413951db14a698fda7a579f3db2a548b5a39
    SHA256: c6e1b0b055973b3bffc3bf3842fc7f2448bea36be1d8fb676a301df98ba6a77d
    SHA512: fe5a2dcdf915f0631e2d258be886a3de3eb4fbf722f84ee084327c2858e2fd79b829a4d0f34524e3361898c25cfa6108a84b5e86c11bf34003bc95fb49fed02f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
    Filesize: 6KB
    MD5: 75538db0b525daffc20e99690b290f42
    SHA1: 5a52d37f5160017ae3c6122eff7e65ac26af187b
    SHA256: 2913010281b53404252ff4c3675f818fe11e9c4a9d00904ac884ff2589f78fbf
    SHA512: 2b8f287b33ea001d1740a4c48d24717991c1d58349866eab8a6af1821d94941e07fd988dd5e5ce9b91edec58025734f0db82d1e4776a9d8ce8e94f3ca5a6caf8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 659618adbd634a7d49acc55595f87c13
    SHA1: 67e52ca63b565331dfc053b8f51169f890bec9c4
    SHA256: 1d2b40d74399f18d545dee39d1c16300e957d1e5c178eade7b73135349c8c4a2
    SHA512: 1ddabf25d1df6399fed436c203f5f59f4c075ef149b07972cf67b8e6b963f8b8b46c3b159fd41d047f9eb926312efcfa9536af8e42d85174f2d76723ce434f00

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 29589c9dd2adce146fab9687ac2082fa
    SHA1: 7db700f009eaa1209d190e9abc772c6ffaa14753
    SHA256: a498ef05eac447a90e09f74af9922148dd0dd7a461272766dfed719e36f12f44
    SHA512: 6802cab0a12bc6e54b3501327da9ab144827b56fdab64c3d49896b672da63222667292d262936aaabf8583cf18792e92e1b082eb97979161908727ea935a65f6

  • C:\Windows\298C.tmp
    Filesize: 60KB
    MD5: 347ac3b6b791054de3e5720a7144a977
    SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
    SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
    SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

  • C:\Windows\infpub.dat
    Filesize: 401KB
    MD5: 1d724f95c61f1055f0d02c2154bbccd3
    SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
    SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
    SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

  • memory/5032-14-0x0000000002E80000-0x0000000002EE8000-memory.dmp
    Filesize: 416KB

  • memory/5032-11-0x0000000002E80000-0x0000000002EE8000-memory.dmp
    Filesize: 416KB

  • memory/5032-3-0x0000000002E80000-0x0000000002EE8000-memory.dmp
    Filesize: 416KB