Analysis
max time kernel: 607s
max time network: 609s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 13:19
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win10v2004-20240419-en
General
Target: https://github.com/Endermanch/MalwareDatabase
Malware Config
Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz is an open source tool to dump credentials on Windows  1 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023de6-413.dat | mimikatz
Executes dropped EXE 1 IoCs
pid | Process
1252 | 5C04.tmp
Loads dropped DLL 1 IoCs
pid | Process
4404 | rundll32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow | ioc
24 | camo.githubusercontent.com
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\5C04.tmp | rundll32.exe
File created | C:\Windows\infpub.dat | [email protected]
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\dispci.exe | rundll32.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3720 | schtasks.exe
3576 | schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid | Process  (duplicate rows collapsed)
2740 | msedge.exe
880 | msedge.exe
4184 | identity_helper.exe
2232 | msedge.exe
4584 | msedge.exe
4404 | rundll32.exe
1252 | 5C04.tmp
4452 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process  (duplicate rows collapsed)
880 | msedge.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: SeRestorePrivilege | 3104 | 7zG.exe
Token: 35 | 3104 | 7zG.exe
Token: SeSecurityPrivilege | 3104 | 7zG.exe
Token: SeSecurityPrivilege | 3104 | 7zG.exe
Token: SeShutdownPrivilege | 4404 | rundll32.exe
Token: SeDebugPrivilege | 4404 | rundll32.exe
Token: SeTcbPrivilege | 4404 | rundll32.exe
Token: SeDebugPrivilege | 1252 | 5C04.tmp
Token: SeDebugPrivilege | 4452 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4452 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4452 | taskmgr.exe
Token: 33 | 4452 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4452 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process  (duplicate rows collapsed)
880 | msedge.exe
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process  (duplicate rows collapsed)
880 | msedge.exe
4452 | taskmgr.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target  (duplicate rows collapsed)
PID 880 wrote to memory of 2540 | 880 | msedge.exe | 83
PID 880 wrote to memory of 1616 | 880 | msedge.exe | 84
PID 880 wrote to memory of 2740 | 880 | msedge.exe | 85
PID 880 wrote to memory of 3520 | 880 | msedge.exe | 86
Processes
Process tree; child processes are indented under their parent.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 880)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2540)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdbec46f8,0x7ffcdbec4708,0x7ffcdbec4718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1616)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2740)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3520)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1164)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3560)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2312)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4184)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2100)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3240)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3844)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4220)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6076)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4020 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6084)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2232)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4584)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4992)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3188 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 440)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,1786043645554707611,874405128478926285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe  (PID 2960)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 692)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 1444)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe  (PID 3104)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\WannaCrypt0r\Endermanch@WannaCrypt0r\" -ad -an -ai#7zMap27208:250:7zEvent24174
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\BadRabbit\[email protected]  (PID 2856)
  Command line: "C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\BadRabbit\[email protected]"
  - Drops file in Windows directory
    C:\Windows\SysWOW64\rundll32.exe  (PID 4404)
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe  (PID 5252)
          Command line: /c schtasks /Delete /F /TN rhaegal
            C:\Windows\SysWOW64\schtasks.exe  (PID 1328)
              Command line: schtasks /Delete /F /TN rhaegal
        C:\Windows\SysWOW64\cmd.exe  (PID 2880)
          Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4025025081 && exit"
            C:\Windows\SysWOW64\schtasks.exe  (PID 3720)
              Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4025025081 && exit"
              - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe  (PID 2752)
          Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:46:00
            C:\Windows\SysWOW64\schtasks.exe  (PID 3576)
              Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:46:00
              - Creates scheduled task(s)
        C:\Windows\5C04.tmp  (PID 1252)
          Command line: "C:\Windows\5C04.tmp" \\.\pipe\{099A025B-5BFC-4D2C-9531-FB791ED156C0}
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe  (PID 4452)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads