Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-04-2024 17:05

General

  • Target

    FileCrypter.exe

  • Size

    1.0MB

  • MD5

    6f1f60d754943d430fc0972d80250baa

  • SHA1

    adf06a5a69d5baf86e78f43e239ad4e0e8f25315

  • SHA256

    768e033c269b8035a23a73c3b31be5d659daa626daa08c17a3b302cc07fe2348

  • SHA512

    bd4e2ce0cf5a86d538e815efce24062155b6026ffa2b03564a001f0eaccf39c02b2b17a6fe5676b338bb6ac8e73df160a9e9e2af80cdb6821aba72764386e522

  • SSDEEP

    24576:TR+cl7X1BRnI6hmebOe1gmx2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKHStRv9xFK1gEr0E

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 6 IoCs
  • Modifies Control Panel 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
      "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\586C.tmp\586D.tmp\586E.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
        3⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\system32\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          PID:2440
        • C:\Windows\system32\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          PID:2416
        • C:\Windows\system32\certutil.exe
          certutil -decode "Image.bin" "Encrypted.jpeg"
          4⤵
          PID:1344
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:2728
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:1084
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:1256
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:2100
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:3024
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:1748
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:2056
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:2152
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:112
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:2620
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:3052
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:3004
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:1040
        • C:\Windows\system32\wscript.exe
          wscript "0.vbs"
          4⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:1896
          • C:\Windows\System32\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            PID:1936
        • C:\Windows\system32\timeout.exe
          timeout /t 4
          4⤵
          • Delays execution with timeout.exe
          PID:1912
        • C:\Windows\system32\wscript.exe
          wscript "m.vbs"
          4⤵
          PID:1972
    • C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
      "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /F /TN rhaegal
            5⤵
            PID:1388
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4167566118 && exit"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4167566118 && exit"
            5⤵
            • Creates scheduled task(s)
            PID:2188
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:23:00
          4⤵
          PID:1700
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:23:00
            5⤵
            • Creates scheduled task(s)
            PID:2412
        • C:\Windows\643F.tmp
          "C:\Windows\643F.tmp" \\.\pipe\{FA23FFA9-EAAB-41B2-8D73-D1B4A44EF2DE}
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:784
    • C:\Users\Admin\AppData\Local\Temp\FMLN.exe
      "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\58CA.tmp\58CB.tmp\58CC.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\SysWOW64\mode.com
          mode con: cols=170 lines=45
          4⤵
          PID:2492
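The tree above is the BadRabbit install sequence in four command lines: rundll32 loading C:\Windows\infpub.dat by ordinal (#1), a SYSTEM task named rhaegal that runs C:\Windows\dispci.exe at every boot, a one-shot SYSTEM task named drogon that forces a reboot at 17:23:00 (18 minutes after the 17:05 submission), and C:\Windows\643F.tmp started with a \\.\pipe\{GUID} argument. The following is an added example, not part of the sandbox report: a small Python rule set run over process-creation records rebuilt from the command lines in the tree. The record shape is a constructed stand-in for a Sysmon Event ID 1 feed (PID, image, command line); the rule names, severities and the chain verdict are my own, not Triage signature names. The task rules match the schtasks.exe child rather than the cmd.exe wrapper, because both carry the same string and matching the child avoids counting each task twice.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 gives you)."""
    pid: int
    image: str
    cmdline: str


# Constructed feed: the command lines are the ones in the process tree above,
# the record shape is a stand-in for real telemetry. Limited to the processes that matter.
EVENTS = [
    ProcEvent(1344, r"C:\Windows\system32\certutil.exe",
              'certutil -decode "Image.bin" "Encrypted.jpeg"'),
    ProcEvent(2056, r"C:\Windows\System32\RUNDLL32.EXE",
              r'"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters'),
    ProcEvent(1784, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    ProcEvent(1388, r"C:\Windows\SysWOW64\schtasks.exe",
              "schtasks /Delete /F /TN rhaegal"),
    ProcEvent(2188, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4167566118 && exit"'),
    ProcEvent(2412, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:23:00'),
    ProcEvent(784, r"C:\Windows\643F.tmp",
              r'"C:\Windows\643F.tmp" \\.\pipe\{FA23FFA9-EAAB-41B2-8D73-D1B4A44EF2DE}'),
    ProcEvent(2728, r"C:\Windows\system32\timeout.exe", "timeout /t 3"),
]

# (rule name, severity, image pattern, command-line pattern). Names are mine, not Triage's.
RULES = [
    # rundll32 given a non-.dll file plus an ordinal export: how BadRabbit runs infpub.dat
    ("rundll32_ordinal_non_dll", "high", r"(?i)rundll32\.exe$",
     r"(?i)\S+\.(?!dll\b)\w+\s*,\s*#\d+"),
    # SYSTEM task fired at every boot, in either flag order (the rhaegal task)
    ("schtasks_system_onstart", "high", r"(?i)schtasks\.exe$",
     r"(?i)/create\b(?=.*/ru\s+system\b)(?=.*/sc\s+onstart\b)"),
    # one-shot SYSTEM task whose action is a forced reboot (the drogon task)
    ("schtasks_forced_reboot", "high", r"(?i)schtasks\.exe$",
     r"(?i)/create\b(?=.*/sc\s+once\b)(?=.*shutdown\.exe\s+/r\b)"),
    # a .tmp in C:\Windows started with a \\.\pipe\{GUID} argument (the 643F.tmp launch)
    ("windows_tmp_named_pipe", "high", r"(?i)^C:\\Windows\\[^\\]+\.tmp$",
     r"\\\\\.\\pipe\\\{[0-9A-Fa-f-]{36}\}"),
    # certutil used as a decoder for a dropped payload
    ("certutil_decode", "medium", r"(?i)certutil\.exe$",
     r"(?i)(^|\s)-?decode(hex)?(\s|$)"),
    # wallpaper refresh after the registry change; noisy alone, useful as context
    ("rundll32_desktop_refresh", "low", r"(?i)rundll32\.exe$",
     r"(?i)user32\.dll,\s*UpdatePerUserSystemParameters"),
]


def scan(events):
    """Return one (rule, severity, pid) tuple per rule hit, in event order."""
    hits = []
    for ev in events:
        for name, sev, img_re, cmd_re in RULES:
            if re.search(img_re, ev.image) and re.search(cmd_re, ev.cmdline):
                hits.append((name, sev, ev.pid))
    return hits


BADRABBIT_CHAIN = {"rundll32_ordinal_non_dll", "schtasks_system_onstart", "schtasks_forced_reboot"}


def is_badrabbit_chain(hits):
    """True when the ordinal rundll32 load, the boot-time SYSTEM task and the forced
    reboot all appear. Each alone has benign look-alikes; the three together are the
    install sequence shown in the tree."""
    return BADRABBIT_CHAIN <= {name for name, _, _ in hits}


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
    print("badrabbit chain:", is_badrabbit_chain(scan(EVENTS)))
```

On the constructed feed this yields six hits (four high, one medium, one low) and the chain verdict is true; the timeout and schtasks /Delete records match nothing, which is the intended behaviour since neither is an indicator on its own.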

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0.vbs
    Filesize 383B
    MD5 e8ac1f187bb02b76ff45f3a3977c6669
    SHA1 a6246d99d7f0347e246399576342e7e118d6cb2a
    SHA256 8b163a7e7bc1048d74b3b0298b85bc453cf349c9adb53d76adf391ef0491db26
    SHA512 f7f67854fdd19718a5fe8aaf99cf722ffb73a8151c8d3f214e89b44b0c4cba24c5fbfd390246e9cb2423919d0b4f694117c09b7697853168156d77efbb83397b

  • C:\Users\Admin\AppData\Local\Temp\32069_21995.bat
    Filesize 127B
    MD5 71f2ece5d6de26f528ff0e1c9382f1c9
    SHA1 12b4fe9e4f1d4e0ea494393282baeb58f5991c8e
    SHA256 648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01
    SHA512 0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56

  • C:\Users\Admin\AppData\Local\Temp\586C.tmp\586D.tmp\586E.bat
    Filesize 33KB
    MD5 4b42191175209ea23203acc526307c00
    SHA1 a77abea54f5b2a0084fd1574a1c5b6e1df1df054
    SHA256 4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c
    SHA512 fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

  • C:\Users\Admin\AppData\Local\Temp\58CA.tmp\58CB.tmp\58CC.bat
    Filesize 54KB
    MD5 93841169c4264ce13735e8b116d06226
    SHA1 1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608
    SHA256 82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b
    SHA512 ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

  • C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
    Filesize 122KB
    MD5 d6e36f6b145a4601a84835b7e8a0bbc2
    SHA1 3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c
    SHA256 46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316
    SHA512 e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

  • C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
    Filesize 431KB
    MD5 fbbdc39af1139aebba4da004475e8839
    SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
    SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
    SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  • C:\Users\Admin\AppData\Local\Temp\Encrypted.jpeg
    Filesize 15KB
    MD5 20aba01130e85571476712c784af05b0
    SHA1 54c9002381bafbfa648dd3f5c77b1830efc1dc85
    SHA256 72bdac2468fa4e19f8915817f380ceeb96ff94a64a3e29e64ac79b65bed2f6ac
    SHA512 c84a603b359d3e7097229161d22a69c574a582cbbd21c8343fa06986b5058125763196b8d4e2f7bf51400ffaba63e9c565e42c32759b973439f46e5a9f84b19f

  • C:\Users\Admin\AppData\Local\Temp\FMLN.exe
    Filesize 258KB
    MD5 c87988e35ec34779191f42b6213fdec1
    SHA1 81036dcf6ea331243f2d512b8ac9611a95a18ea1
    SHA256 96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10
    SHA512 ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

  • C:\Users\Admin\AppData\Local\Temp\Image.bin
    Filesize 21KB
    MD5 f6f72da7cd731682ff5442ba541457e2
    SHA1 60bddfc609fad2f80c0688905e795e51003d9433
    SHA256 00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1
    SHA512 2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d

  • C:\Users\Admin\AppData\Local\Temp\m.vbs
    Filesize 71B
    MD5 cbaa7c6cb3c383b11dd691b316f2a91b
    SHA1 0f2d66cea7cc24e0dda9972e05a7b236a9bcbc9e
    SHA256 5f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95
    SHA512 fe74a8ccd7875e7bf9588d386fd886810dc0edd01216bf5a886add985fcbb813296a606ec83028a90d30b4df348125827300a98f2ec6081a5d981d09316a44f9

  • C:\Windows\643F.tmp
    Filesize 60KB
    MD5 347ac3b6b791054de3e5720a7144a977
    SHA1 413eba3973a15c1a6429d9f170f3e8287f98c21c
    SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
    SHA512 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

  • C:\Windows\infpub.dat
    Filesize 401KB
    MD5 1d724f95c61f1055f0d02c2154bbccd3
    SHA1 79116fe99f2b421c52ef64097f0f39b815b20907
    SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
    SHA512 f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

  • memory/1184-40-0x0000000002EF0000-0x0000000002EF1000-memory.dmp
    Filesize 4KB

  • memory/1784-83-0x00000000007A0000-0x0000000000808000-memory.dmp
    Filesize 416KB

  • memory/1784-73-0x00000000007A0000-0x0000000000808000-memory.dmp
    Filesize 416KB

  • memory/1784-62-0x00000000007A0000-0x0000000000808000-memory.dmp
    Filesize 416KB
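The Image.bin (21KB) to Encrypted.jpeg (15KB) pair in the list above is the output of the certutil -decode step in the process tree: a base64 blob, roughly 4/3 the size of its payload, turned back into the lure image by a signed Windows binary, so no decoder ships with the sample. The following is an added example, not part of the report: a Python equivalent of certutil -encode and -decode for recovering such a drop offline, a magic-byte check on the result, and a size-ratio check that can be applied from the report alone. The sample JPEG bytes are constructed; the 64-column CRLF layout and the BEGIN/END CERTIFICATE lines are what certutil -encode writes, and the decoder also accepts bare base64 with no header, as certutil -decode does.

```python
import base64
import re

# Header and footer that `certutil -encode` writes around the base64 body.
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
LINE_LEN = 64  # certutil wraps the base64 body at 64 columns, CRLF line ends


def certutil_encode(raw: bytes) -> str:
    """Produce the same layout as `certutil -encode`: header, 64-column body, footer."""
    b64 = base64.b64encode(raw).decode("ascii")
    body = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    return "\r\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Decode like `certutil -decode`: drop header/footer and blank lines, then
    strictly base64-decode the rest. Bare base64 with no header is accepted too,
    which is how LOLBin-staged payloads usually arrive."""
    body = "".join(
        line.strip() for line in text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        raise ValueError("input is not base64")
    return base64.b64decode(body, validate=True)


# Magic bytes worth checking on a decoded drop: an image lure as here,
# or a PE if the blob turns out to be a second-stage binary.
MAGIC = ((b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"MZ", "pe"))


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def looks_like_certutil_pair(encoded_len: int, decoded_len: int, tol: float = 0.08) -> bool:
    """Triage check usable from a report alone: `certutil -encode` output is 4/3 of the
    payload plus 2 bytes of CRLF per 64-column line, so the encoded file should be about
    1.375x the decoded one. Report sizes are rounded to the KB, hence the tolerance."""
    expected = decoded_len * 4 / 3 * (LINE_LEN + 2) / LINE_LEN
    return abs(encoded_len - expected) / expected <= tol


# Constructed sample: a minimal JPEG-shaped blob standing in for Encrypted.jpeg.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + bytes(range(256)) * 4 + b"\xff\xd9")


def recover(encoded_text: str):
    """Decode a certutil-staged blob and return (kind, payload)."""
    data = certutil_decode(encoded_text)
    return sniff(data), data


if __name__ == "__main__":
    staged = certutil_encode(SAMPLE_JPEG)  # what Image.bin looks like on disk
    kind, payload = recover(staged)
    print(kind, len(staged), len(payload),
          looks_like_certutil_pair(len(staged), len(payload)))
    print(looks_like_certutil_pair(21 * 1024, 15 * 1024))  # the report's Image.bin / Encrypted.jpeg sizes
```

The report's own numbers pass the ratio check (15KB × 4/3 × 66/64 ≈ 20.6KB against a 21KB encoded file), which is the quick way to confirm that Image.bin is nothing more than the base64 form of the dropped image rather than a separately downloaded payload.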