Resubmissions
08-06-2024 08:50
240608-krvyesae91 1008-05-2024 16:15
240508-tqnx6ach3w 1008-05-2024 16:07
240508-tkr3mafa54 1001-05-2024 18:02
240501-wmf49acg3s 627-04-2024 08:46
240427-kpfeysff8s 1025-04-2024 21:25
240425-z9y55afb7v 1025-04-2024 21:16
240425-z4pphafa97 1025-04-2024 18:27
240425-w3929sde33 1025-04-2024 18:17
240425-ww4a5sdc8x 10Analysis
-
max time kernel
256s -
max time network
256s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 16:15
Static task
static1
Behavioral task
behavioral1
Sample
000.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
Ana.exe
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
Bad Rabit.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
Desktop Puzzle.exe
Resource
win7-20231129-en
Behavioral task
behavioral5
Sample
Memz.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
NoEscape.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
WannaCrypt0r.exe
Resource
win7-20240215-en
Errors
General
-
Target
Bad Rabit.exe
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
Processes:
resource yara_rule behavioral3/files/0x00390000000136ec-23.dat mimikatz -
Executes dropped EXE 1 IoCs
Processes:
143C.tmppid Process 2552 143C.tmp -
Drops file in System32 directory 2 IoCs
Processes:
utilman.exedescription ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_BBDD54B4B68647EABB95D9857E2C8246.dat utilman.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_BBDD54B4B68647EABB95D9857E2C8246.dat utilman.exe -
Drops file in Windows directory 5 IoCs
Processes:
Bad Rabit.exerundll32.exedescription ioc Process File created C:\Windows\infpub.dat Bad Rabit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\143C.tmp rundll32.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid Process 2088 schtasks.exe 2304 schtasks.exe -
Enumerates system info in registry 2 TTPs 32 IoCs
Processes:
csrss.exedescription ioc Process Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
winlogon.exeutilman.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons utilman.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm utilman.exe Key created \REGISTRY\USER\.DEFAULT\System utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\ = "Speakers (High Definition Audio Device)" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet utilman.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" winlogon.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes\Technology = "MMSys" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm utilman.exe Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655} utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\DeviceName = "Speakers (High Definition Audio Device)" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes\Vendor = "Microsoft" utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE utilman.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A} utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_BBDD54B4B68647EABB95D9857E2C8246.dat" utilman.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties utilman.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\DeviceId = "{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}" utilman.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
rundll32.exe143C.tmputilman.exepid Process 2472 rundll32.exe 2472 rundll32.exe 2552 143C.tmp 2552 143C.tmp 2552 143C.tmp 2552 143C.tmp 2552 143C.tmp 2996 utilman.exe 2996 utilman.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
rundll32.exe143C.tmpLogonUI.exewinlogon.exeAUDIODG.EXEdescription pid Process Token: SeShutdownPrivilege 2472 rundll32.exe Token: SeDebugPrivilege 2472 rundll32.exe Token: SeTcbPrivilege 2472 rundll32.exe Token: SeDebugPrivilege 2552 143C.tmp Token: SeShutdownPrivilege 2932 LogonUI.exe Token: SeShutdownPrivilege 2932 LogonUI.exe Token: SeSecurityPrivilege 1724 winlogon.exe Token: SeBackupPrivilege 1724 winlogon.exe Token: SeSecurityPrivilege 1724 winlogon.exe Token: SeTcbPrivilege 1724 winlogon.exe Token: SeShutdownPrivilege 2932 LogonUI.exe Token: SeSecurityPrivilege 1724 winlogon.exe Token: SeBackupPrivilege 1724 winlogon.exe Token: SeSecurityPrivilege 1724 winlogon.exe Token: SeShutdownPrivilege 2932 LogonUI.exe Token: SeSecurityPrivilege 1724 winlogon.exe Token: SeBackupPrivilege 1724 winlogon.exe Token: SeSecurityPrivilege 1724 winlogon.exe Token: SeShutdownPrivilege 2932 LogonUI.exe Token: 33 1892 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1892 AUDIODG.EXE Token: 33 1892 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1892 AUDIODG.EXE Token: SeShutdownPrivilege 2932 LogonUI.exe Token: SeShutdownPrivilege 1724 winlogon.exe Token: SeShutdownPrivilege 1724 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Bad Rabit.exerundll32.execmd.execmd.execmd.execsrss.exewinlogon.exedescription pid Process procid_target PID 2972 wrote to memory of 2472 2972 Bad Rabit.exe 29 PID 2972 wrote to memory of 2472 2972 Bad Rabit.exe 29 PID 2972 wrote to memory of 2472 2972 Bad Rabit.exe 29 PID 2972 wrote to memory of 2472 2972 Bad Rabit.exe 29 PID 2972 wrote to memory of 2472 2972 Bad Rabit.exe 29 PID 2972 wrote to memory of 2472 2972 Bad Rabit.exe 29 PID 2972 wrote to memory of 2472 2972 Bad Rabit.exe 29 PID 2472 wrote to memory of 2588 2472 rundll32.exe 30 PID 2472 wrote to memory of 2588 2472 rundll32.exe 30 PID 2472 wrote to memory of 2588 2472 rundll32.exe 30 PID 2472 wrote to memory of 2588 2472 rundll32.exe 30 PID 2588 wrote to memory of 2740 2588 cmd.exe 32 PID 2588 wrote to memory of 2740 2588 cmd.exe 32 PID 2588 wrote to memory of 2740 2588 cmd.exe 32 PID 2588 wrote to memory of 2740 2588 cmd.exe 32 PID 2472 wrote to memory of 2920 2472 rundll32.exe 33 PID 2472 wrote to memory of 2920 2472 rundll32.exe 33 PID 2472 wrote to memory of 2920 2472 rundll32.exe 33 PID 2472 wrote to memory of 2920 2472 rundll32.exe 33 PID 2920 wrote to memory of 2088 2920 cmd.exe 35 PID 2920 wrote to memory of 2088 2920 cmd.exe 35 PID 2920 wrote to memory of 2088 2920 cmd.exe 35 PID 2920 wrote to memory of 2088 2920 cmd.exe 35 PID 2472 wrote to memory of 2632 2472 rundll32.exe 36 PID 2472 wrote to memory of 2632 2472 rundll32.exe 36 PID 2472 wrote to memory of 2632 2472 rundll32.exe 36 PID 2472 wrote to memory of 2632 2472 rundll32.exe 36 PID 2632 wrote to memory of 2304 2632 cmd.exe 39 PID 2632 wrote to memory of 2304 2632 cmd.exe 39 PID 2632 wrote to memory of 2304 2632 cmd.exe 39 PID 2632 wrote to memory of 2304 2632 cmd.exe 39 PID 2472 wrote to memory of 2552 2472 rundll32.exe 38 PID 2472 wrote to memory of 2552 2472 rundll32.exe 38 PID 2472 wrote to memory of 2552 2472 rundll32.exe 38 PID 2472 wrote to memory of 2552 2472 rundll32.exe 38 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 1724 wrote to memory of 2932 1724 winlogon.exe 47 PID 1724 wrote to memory of 2932 1724 winlogon.exe 47 PID 1724 wrote to memory of 2932 1724 winlogon.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2932 696 csrss.exe 47 PID 696 wrote to memory of 2996 696 csrss.exe 48 PID 696 wrote to memory of 2996 696 csrss.exe 48 PID 1724 wrote to memory of 2996 1724 winlogon.exe 48 PID 1724 wrote to memory of 2996 1724 winlogon.exe 48 PID 1724 wrote to memory of 2996 1724 winlogon.exe 48 PID 696 wrote to memory of 2996 696 csrss.exe 48 PID 696 wrote to memory of 2996 696 csrss.exe 48 PID 2472 wrote to memory of 1548 2472 rundll32.exe 52 PID 2472 wrote to memory of 1548 2472 rundll32.exe 52 PID 2472 wrote to memory of 1548 2472 rundll32.exe 52 PID 2472 wrote to memory of 1548 2472 rundll32.exe 52 PID 2472 wrote to memory of 1600 2472 rundll32.exe 54 PID 2472 wrote to memory of 1600 2472 rundll32.exe 54 PID 2472 wrote to memory of 1600 2472 rundll32.exe 54 PID 2472 wrote to memory of 1600 2472 rundll32.exe 54
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bad Rabit.exe"C:\Users\Admin\AppData\Local\Temp\Bad Rabit.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:2740
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3045833844 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3045833844 && exit"4⤵
- Creates scheduled task(s)
PID:2088
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:34:003⤵
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:34:004⤵
- Creates scheduled task(s)
PID:2304
-
-
-
C:\Windows\143C.tmp"C:\Windows\143C.tmp" \\.\pipe\{DEBF03B3-2EC9-4707-9A44-8553488EE002}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:3⤵PID:1548
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN drogon3⤵PID:1600
-
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:696
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\system32\utilman.exeutilman.exe /debug2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2996
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:1248
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x22c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:1752
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:3052
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e