badrabbit | hxxp://google[.]com

Resubmissions

22-04-2024 17:54

240422-wg7d9aec4y 10

22-04-2024 17:51

240422-we5gwaeb26 10

Analysis

max time kernel
115s
max time network
116s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-04-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000001a175-506.dat	mimikatz

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	[email protected]

Executes dropped EXE 1 IoCs

pid	Process
1792	7615.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
75	camo.githubusercontent.com
76	camo.githubusercontent.com
98	raw.githubusercontent.com
99	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\7615.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2372	schtasks.exe
4644	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133582818797652706"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
1792	7615.tmp
1792	7615.tmp
1792	7615.tmp
1792	7615.tmp
1792	7615.tmp
1792	7615.tmp
1792	7615.tmp
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]
4348	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe
Token: SeShutdownPrivilege	4196	chrome.exe
Token: SeCreatePagefilePrivilege	4196	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe
4196	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 3780	4196	chrome.exe	72
PID 4196 wrote to memory of 3780	4196	chrome.exe	72
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 5096	4196	chrome.exe	74
PID 4196 wrote to memory of 688	4196	chrome.exe	75
PID 4196 wrote to memory of 688	4196	chrome.exe	75
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76
PID 4196 wrote to memory of 876	4196	chrome.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffadd09758,0x7fffadd09768,0x7fffadd09778
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:2
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2648 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2656 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4880 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5312 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1860,i,17081936650184320146,2873199292835731388,131072 /prefetch:8
  2⤵
  PID:2948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
PID:1672
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:3824
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1196367132 && exit"
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1196367132 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:10:00
    3⤵
    PID:4140
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:10:00
      4⤵
      Creates scheduled task(s)
      PID:4644
- - C:\Windows\7615.tmp
    "C:\Windows\7615.tmp" \\.\pipe\{D5C59BA0-C159-4EBF-8B80-15C3D1D1E32B}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1792

C:\Users\Admin\AppData\Local\Temp\Temp1_DeriaLock.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_DeriaLock.zip\[email protected]"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8716bc7af1f954e218ccb2d0784565ca

SHA1
5cd6d2c7331acae0997e668dc074e0a8a7f616cf

SHA256
f5aaaf3246dc7324e5547def781bbc2f63750c85476a41ef4690e36b013411a4

SHA512
ad5f5970ae6a08caedec0124b09d0c3b369c7f8bab47b8a225e9906926d2f6a7e2245804eafb2344a21da0203c8e60a32ef58b40e7fc1bce349c766bc4c8b12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\493eb758-a5f4-4628-b73b-af19d0e49234.tmp

Filesize
1KB

MD5
11de5c1c5462376a5cb00e776ea58665

SHA1
9a62a0cb6b1c9e18fd1a0ce76eca9829c37c690a

SHA256
c218453d554b729f309fb7f4160bd61af618b69754b0694e3116ebd767f7bd90

SHA512
3440d81924cb0b178b244ec10faef69b1892deef12b04836cfab477ff63cb13d2ad7eccad0e490da7c03ca707df9ad3329db3267e565646d09ea7517dc003f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f7652168b472b7834ba72817e9a608aa

SHA1
4b3442031fe215330b060270b8f34b0dec94ffac

SHA256
6e389b767c704662128552762773fae66568b60c27202511a6a97f2330dd81a0

SHA512
88b850c6bb1a177af74201834c35d83cb9be808ae36047ffeeeef95994be87de9aab8ed6f80ae0d8516ce0bb277ca195f5d3e786083d62354b9d51332d668c16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
97068ea0b665a56acc2a7db94b186427

SHA1
dd4cb067baafad41bbf1d59cdefe4f0b58db72f3

SHA256
992e0fe9e7ba4e7d016f5e6a10c69185afa426610ae411a64ac81ba04d2d6cc3

SHA512
5a983fe0d5f1862e3acd97d48d60f6161220fe3ce1448aacd59caf85aacaca145513309ca52ff86626d24859443790e76d898f8fde0cffdf87e7398c56bbdbef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
46bc73523978509d90a6adb34a8b4c73

SHA1
d51345b62365bd21d1c2e18007ecffd82dbbaf8e

SHA256
72dea918376b095fcea9397a5afe07d18167fcfc639ccc1da85b6df85b60b46a

SHA512
eaf4c65742c616a2ee7b76b1c15117891ca06660db97d9a9d96f113cdbd3c85bd8825c691d267475aea6d09afad4f79aaffe957eb0015c073dca197f0b1268f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
631c35abe81dbca8b32ee29792e720f5

SHA1
c803c387564d89ed0d81c566d1c6bb57cef57be6

SHA256
2f337891eb40201a4aa0912863f941528f1f1621cd6ec9a563376d3d3973b41f

SHA512
c9505e07cbf3df6cdc005b925c8e79c4a664dd18d3cc7203daa977c5bf831c74f56347aaa907c5a39df333fd89c88aad5ea27cff7de886d1064aaab8665d44da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
1a59ce2cdffba702f17805ab7fe011a7

SHA1
6d09ad97dbd0ab48509c3b5c476001abbad88257

SHA256
4ea763ee430c7fa195c206f41ecfed375764aac2d7a36484d09e0dafa10a6150

SHA512
5024de5969dbb42bfb06a20aa84c1aa72085ad5bd0372308008eca601d189d48f25d13a5d914d17be6f7908e5b13555fa22ce3f01e7138706a2864d3c8ff6029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a2f7af13a6ba978266ce14f6c751838e

SHA1
5750e602441c0a0179e62e0681d7da6e30135029

SHA256
a8b2ceb22090e4278c2780c974c79b1ffd67d54cd4f086aedc5a46227932813f

SHA512
3989c41985007e72055529f9f77318a76329f1087787ff49bbf114e3152f6aae63ed9cdace0a314a1f766a6748380a6002ec3871637fc12483e95b7da4bb6f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d2b5bd54fd2cff8cbc55e7ae6d31bf5

SHA1
b2041764a852f9f1371d0baff2e11ea888234396

SHA256
46c34bc72d4b8b4e249ee6ec7bf4b09755cb37782205594e7d616d2ba527604b

SHA512
6f11081a40d486d972d9fc62a4150795b22c71af4fa07cfcdfa66562b979f4a0ce992a4bfcf659b25932312e86989e44e0fd94631ab1da88881de1c33a53930a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
66ab04585deb9bda4f048b18acfb4b79

SHA1
8145379ef0a0226e0b5b1d8777b2bd6c1958e6da

SHA256
6a112f3bd5ed12b0d0bb29be1c8ed3d4565fe6f9c2e21257af1c963a2c5540ed

SHA512
c61a23e53e54ae016e21d22f383f15aa40c8e40f533caf1db7dd94a92109b6bf5c3eae855fb09fb27c095ee789865ec2ea809fca01628d68c03223f9308f1159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
87c24b6e4f40e2014244499674d814bb

SHA1
11551a31c9350be33b67bec19747ea2cd67ad8f6

SHA256
bbecb46a4d85fe9c0d20ebf49b312f6f25a3502680a333f5084665109bd267dc

SHA512
4ad8a7ca84116a5c23859fe3b1f0e0d9aba089f31025c56f2432148f380f65263e1ccd25dea4e5a53bad62c0d575e3b37b64511343783a19e94ada334639b928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57b8f0.TMP

Filesize
120B

MD5
ae1d5421bba5d14a0ea8441c40eba0a5

SHA1
8ac617b563198590c789a67f1fe7c6e567d871c1

SHA256
85eff1f0489751dba864a37254ac7fc06b798b8a83a77b358ca6be5d307543ff

SHA512
ca01fe2d5899f383cd16feffa0c1500654b95ac18dacaf5d3628ee3ef4727f989437bf9b94de415b4d04fd2ed03a64f4aab24cebe1ded7984a262ac4b39a66ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
5cc610d0c830dda04503a1748ddf80b7

SHA1
3436f3201d85ae980670b3a048561743d2222d51

SHA256
513a369af8f3c4591431cbf9c59d0f60c28809fb5d03bb058c431aba3f79d3d9

SHA512
269f2b3f6715541eebfb9b8136c3baf0409e6fb8cc3a1f1b02d32de18ffbc005a31b3a7ca112e78c6cb16331d7bb5c922dd61cccc3d95f8912e9d0cb644bac14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
e8df300d60ac91def8f63b0bb56a8c58

SHA1
62a7dbdac8d2c8f82e1bf102a8998708d93655ad

SHA256
fd892d6e833bd35f48d5b5a87f6bceb2975aa5b1bece34de88dd9f62484a8d90

SHA512
9b1e39638a31706aeabd5597526bd70cf0fa25cb78120f63da0f46f37facb35ec458235472db3baeca3e75236d602039335176caa4ed8759c55577c891c51638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
27d0e4a83bd0cfe7e360cbf6eb285340

SHA1
07c421d809a855bba57bf0667839862fbd255d42

SHA256
8728afdc4bc7beab1dac5e59c2a68868bd6e112aa9272b2adc9d0339280358fd

SHA512
f8cd3edd0a80724038a9de5fcdad1c4d1306f122504cfcde06eaef7fe8149a7e2a7c1a5f6ec62f3aa1527dcfbf43957a51ae84b83419b1191914db1992e5e8e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
8366ae8b974981c6b5d154a994bed173

SHA1
a353a3d4f56f77a5e2fd1d4c26a68e38ae7f9676

SHA256
3c43ff11c7c21654faf1b0029ac310382d0e8a6dd1bb3c302f552b569a2f0f4e

SHA512
0ebb40321917124d7a8ce99c6d7c580a464b5e2e3c927db5a720f09925d5175ca1496eeb594705a232729eb6ccf9b59cc74842bfda6ae68394b659ad7bd89c1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
bf9d1131f24914e6bfbcb986e491e5de

SHA1
61a0733b9cfbad5de16180c6451aa42478cb471d

SHA256
29ce1450add6bfb78a2a9426a1720045edb25ce81bea01c8e85818c2a4ceda07

SHA512
bae5411d22157642601bd3f1bac10e537efd8c41da36482490df08fafd5cbdc48476b35aa78869d72eace4a81ea08738f69003495234bd2b326673587adfb321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
b9d1e3824075ca193721fb3f5cdbe803

SHA1
7f6537e5ff28e506dd87d0fc104a99ea4be7bbb0

SHA256
9bf2848ebe6ad436ef0bcacee414816fa159900d9000bcd618abe304a342b5e8

SHA512
6947243777ac927f8ee3ebb5727c426e2f723065b805ea483de0aebb3664b1c54f4e3ff9a27f076c016d20dc9b1aeee861e3b9fa643b185a394411cf194f40f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57df25.TMP

Filesize
93KB

MD5
ba9bb930fa81654c21d5738eee3dc2ed

SHA1
cdcdfe8a946f9de420645495685aa49d8d8b6715

SHA256
25af9ba4382d6ebe52898555be2aa764749b63799e46dde6bc6a2d0ffa00dcb4

SHA512
15682e61adbf4141ba170727bd7c3eb6382cae373d69278952059fea3342057987b4f64d6ff98ff50ea996bd34e0c22cd38d190f9c3f7e82e8ddd3b18f9d2a5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\BadRabbit (1).zip

Filesize
393KB

MD5
67b1da54aa375d173bf069650bc7c8c5

SHA1
18e0731250b9a8cef897e6c1b0cf92b428f135bf

SHA256
8019b2ea7dde601a15f968d39ae60559d3935c3db9a0f7544e92447dcddecc92

SHA512
98e9de74b2a5b4f157b54cf9e74062f7cdfb8f3e890275d238c039baaf3bf47738d7f54bacc87e810b40c4d95ada94deba681e6233fd7bb43d10175c21d627e0

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
dbd30409b27ebfcd2be020c03515654b

SHA1
34cf95420c264cd83bc02ba6946a3b465ffe521e

SHA256
6f8617f58ef98c19731ce070615a92efe45642113fefc2f8fd9fbcf4be02427e

SHA512
c7005977b806c52ca65f97135ebfc6d4f922ca181bec97e47c9326233b72b79cc1f7f8f0fa4de306a7a23248a92b83b12405297c5e196dc3b9a2db2f7003511f

Download Submit
C:\Users\Admin\Downloads\DeriaLock.zip

Filesize
210KB

MD5
016d1ca76d387ec75a64c6eb3dac9dd9

SHA1
b0a2b2d4d639c6bcc5b114b3fcbb56d7c7ddbcbe

SHA256
8037a333dfeca754a46e284b8c4b250127daef6d728834bf39497df03006e177

SHA512
f08653184d7caf48e971635699b17b9502addb33fb91cc6e0a563e6a000aeb57ac0a2edd5a9e21ef99a4770c0dbb65899150fa5842b0326976a299382f6be86e

Download Submit
C:\Windows\7615.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2944-500-0x0000000004600000-0x0000000004668000-memory.dmp

Filesize
416KB

Download
memory/2944-471-0x0000000004600000-0x0000000004668000-memory.dmp

Filesize
416KB

Download
memory/2944-479-0x0000000004600000-0x0000000004668000-memory.dmp

Filesize
416KB

Download
memory/4348-581-0x0000000000350000-0x00000000003D2000-memory.dmp

Filesize
520KB

Download
memory/4348-582-0x0000000073670000-0x0000000073D5E000-memory.dmp

Filesize
6.9MB

Download
memory/4348-583-0x0000000004C50000-0x0000000004CEC000-memory.dmp

Filesize
624KB

Download
memory/4348-584-0x00000000051F0000-0x00000000056EE000-memory.dmp

Filesize
5.0MB

Download
memory/4348-585-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/4348-586-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4348-587-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/4348-588-0x0000000004F00000-0x0000000004F56000-memory.dmp

Filesize
344KB

Download
memory/4348-589-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download