Analysis
- max time kernel: 138s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-04-2024 17:05

Static task: static1

Behavioral task: behavioral1
- Sample: FileCrypter.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: FileCrypter.exe
- Resource: win10v2004-20240412-en
General
- Target: FileCrypter.exe
- Size: 1.0MB
- MD5: 6f1f60d754943d430fc0972d80250baa
- SHA1: adf06a5a69d5baf86e78f43e239ad4e0e8f25315
- SHA256: 768e033c269b8035a23a73c3b31be5d659daa626daa08c17a3b302cc07fe2348
- SHA512: bd4e2ce0cf5a86d538e815efce24062155b6026ffa2b03564a001f0eaccf39c02b2b17a6fe5676b338bb6ac8e73df160a9e9e2af80cdb6821aba72764386e522
- SSDEEP: 24576:TR+cl7X1BRnI6hmebOe1gmx2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKHStRv9xFK1gEr0E
Malware Config

Signatures
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
- mimikatz is an open source tool to dump credentials on Windows (1 IoC)
  resource / yara_rule:
  - behavioral1/files/0x000400000001946b-91.dat / mimikatz
- Executes dropped EXE (4 IoCs)
  pid / Process:
  - 2564 / A2-Cryptor.exe
  - 2592 / BadRabbit.exe
  - 2756 / FMLN.exe
  - 784 / 643F.tmp
- Enumerates connected drives (3 TTPs, 3 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  - File opened (read-only) / \??\B: / cmd.exe
  - File opened (read-only) / \??\E: / cmd.exe
  - File opened (read-only) / \??\A: / cmd.exe
- Sets desktop wallpaper using registry (2 TTPs, 5 IoCs)
  description / ioc / Process:
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg" / wscript.exe (5 identical entries, one per wscript.exe instance)
- Drops file in Windows directory (5 IoCs)
  description / ioc / Process:
  - File opened for modification / C:\Windows\643F.tmp / rundll32.exe
  - File created / C:\Windows\infpub.dat / BadRabbit.exe
  - File opened for modification / C:\Windows\infpub.dat / rundll32.exe
  - File created / C:\Windows\cscc.dat / rundll32.exe
  - File created / C:\Windows\dispci.exe / rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 2188 / schtasks.exe
  - 2412 / schtasks.exe
- Delays execution with timeout.exe (6 IoCs)
  pid / Process:
  - 2728 / timeout.exe
  - 1084 / timeout.exe
  - 1256 / timeout.exe
  - 2100 / timeout.exe
  - 3024 / timeout.exe
  - 1912 / timeout.exe
- Modifies Control Panel (5 IoCs)
  description / ioc / Process:
  - Key created / \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\Desktop / wscript.exe (5 identical entries, one per wscript.exe instance)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid / Process:
  - 1784 / rundll32.exe (2 entries)
  - 784 / 643F.tmp (5 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeShutdownPrivilege / 1784 / rundll32.exe
  - Token: SeDebugPrivilege / 1784 / rundll32.exe
  - Token: SeTcbPrivilege / 1784 / rundll32.exe
  - Token: SeDebugPrivilege / 784 / 643F.tmp
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (identical entries collapsed with a count):
  - PID 1184 wrote to memory of 2564 / 1184 / FileCrypter.exe / 28 (4 entries)
  - PID 1184 wrote to memory of 2592 / 1184 / FileCrypter.exe / 30 (7 entries)
  - PID 1184 wrote to memory of 2756 / 1184 / FileCrypter.exe / 32 (4 entries)
  - PID 2564 wrote to memory of 752 / 2564 / A2-Cryptor.exe / 35 (4 entries)
  - PID 2592 wrote to memory of 1784 / 2592 / BadRabbit.exe / 33 (7 entries)
  - PID 752 wrote to memory of 2440 / 752 / cmd.exe / 36 (3 entries)
  - PID 2756 wrote to memory of 2456 / 2756 / FMLN.exe / 37 (4 entries)
  - PID 752 wrote to memory of 2416 / 752 / cmd.exe / 38 (3 entries)
  - PID 2456 wrote to memory of 2492 / 2456 / cmd.exe / 39 (4 entries)
  - PID 752 wrote to memory of 1344 / 752 / cmd.exe / 40 (3 entries)
  - PID 752 wrote to memory of 2728 / 752 / cmd.exe / 41 (3 entries)
  - PID 1784 wrote to memory of 2612 / 1784 / rundll32.exe / 42 (4 entries)
  - PID 2612 wrote to memory of 1388 / 2612 / cmd.exe / 44 (4 entries)
  - PID 1784 wrote to memory of 2480 / 1784 / rundll32.exe / 45 (4 entries)
  - PID 2480 wrote to memory of 2188 / 2480 / cmd.exe / 47 (4 entries)
  - PID 752 wrote to memory of 1084 / 752 / cmd.exe / 48 (2 entries)
Processes
(indentation shows the process tree; each entry lists the image path, the command line, the PID and the signatures it triggered)
- C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe"
  PID: 1184
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
    PID: 2564
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\586C.tmp\586D.tmp\586E.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
      PID: 752
      signatures: Enumerates connected drives; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\mode.com
        command line: MODE CON: COLS=100 LINES=25
        PID: 2440
      - C:\Windows\system32\mode.com
        command line: MODE CON: COLS=100 LINES=25
        PID: 2416
      - C:\Windows\system32\certutil.exe
        command line: certutil -decode "Image.bin" "Encrypted.jpeg"
        PID: 1344
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 3
        PID: 2728
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 3
        PID: 1084
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 3
        PID: 1256
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 5
        PID: 2100
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 5
        PID: 3024
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\wscript.exe
        command line: wscript "0.vbs"
        PID: 1748
        signatures: Sets desktop wallpaper using registry; Modifies Control Panel
        - C:\Windows\System32\RUNDLL32.EXE
          command line: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
          PID: 2056
      - C:\Windows\system32\wscript.exe
        command line: wscript "0.vbs"
        PID: 2152
        signatures: Sets desktop wallpaper using registry; Modifies Control Panel
        - C:\Windows\System32\RUNDLL32.EXE
          command line: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
          PID: 112
      - C:\Windows\system32\wscript.exe
        command line: wscript "0.vbs"
        PID: 2620
        signatures: Sets desktop wallpaper using registry; Modifies Control Panel
        - C:\Windows\System32\RUNDLL32.EXE
          command line: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
          PID: 3052
      - C:\Windows\system32\wscript.exe
        command line: wscript "0.vbs"
        PID: 3004
        signatures: Sets desktop wallpaper using registry; Modifies Control Panel
        - C:\Windows\System32\RUNDLL32.EXE
          command line: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
          PID: 1040
      - C:\Windows\system32\wscript.exe
        command line: wscript "0.vbs"
        PID: 1896
        signatures: Sets desktop wallpaper using registry; Modifies Control Panel
        - C:\Windows\System32\RUNDLL32.EXE
          command line: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
          PID: 1936
      - C:\Windows\system32\timeout.exe
        command line: timeout /t 4
        PID: 1912
        signatures: Delays execution with timeout.exe
      - C:\Windows\system32\wscript.exe
        command line: wscript "m.vbs"
        PID: 1972
  - C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
    PID: 2592
    signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 1784
      signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: /c schtasks /Delete /F /TN rhaegal
        PID: 2612
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Delete /F /TN rhaegal
          PID: 1388
      - C:\Windows\SysWOW64\cmd.exe
        command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4167566118 && exit"
        PID: 2480
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4167566118 && exit"
          PID: 2188
          signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe
        command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:23:00
        PID: 1700
        - C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:23:00
          PID: 2412
          signatures: Creates scheduled task(s)
      - C:\Windows\643F.tmp
        command line: "C:\Windows\643F.tmp" \\.\pipe\{FA23FFA9-EAAB-41B2-8D73-D1B4A44EF2DE}
        PID: 784
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\FMLN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
    PID: 2756
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\58CA.tmp\58CB.tmp\58CC.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
      PID: 2456
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\mode.com
        command line: mode con: cols=170 lines=45
        PID: 2492
Network
MITRE ATT&CK Enterprise v15
Downloads