badrabbit | 2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

Reason

Machine shutdown

General

Target

Bad Rabit.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Windows\143C.tmp	mimikatz

Executes dropped EXE 1 IoCs

Processes:

143C.tmp

pid process

2552 143C.tmp

pid	process
2552	143C.tmp

Drops file in System32 directory 2 IoCs

Processes:

utilman.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_BBDD54B4B68647EABB95D9857E2C8246.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_BBDD54B4B68647EABB95D9857E2C8246.dat	utilman.exe

Drops file in Windows directory 5 IoCs

Processes:

Bad Rabit.exerundll32.exe

description	ioc	process
File created	C:\Windows\infpub.dat	Bad Rabit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\143C.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2088 schtasks.exe
2304 schtasks.exe

pid	process
2088	schtasks.exe
2304	schtasks.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

winlogon.exeutilman.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\ = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	utilman.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes\Technology = "MMSys"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\DeviceName = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes\Vendor = "Microsoft"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_BBDD54B4B68647EABB95D9857E2C8246.dat"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\DeviceId = "{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}"	utilman.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

rundll32.exe143C.tmputilman.exe

pid process

2472 rundll32.exe
2472 rundll32.exe
2552 143C.tmp
2552 143C.tmp
2552 143C.tmp
2552 143C.tmp
2552 143C.tmp
2996 utilman.exe
2996 utilman.exe

pid	process
2472	rundll32.exe
2472	rundll32.exe
2552	143C.tmp
2552	143C.tmp
2552	143C.tmp
2552	143C.tmp
2552	143C.tmp
2996	utilman.exe
2996	utilman.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

rundll32.exe143C.tmpLogonUI.exewinlogon.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	2472	rundll32.exe
Token: SeDebugPrivilege	2472	rundll32.exe
Token: SeTcbPrivilege	2472	rundll32.exe
Token: SeDebugPrivilege	2552	143C.tmp
Token: SeShutdownPrivilege	2932	LogonUI.exe
Token: SeShutdownPrivilege	2932	LogonUI.exe
Token: SeSecurityPrivilege	1724	winlogon.exe
Token: SeBackupPrivilege	1724	winlogon.exe
Token: SeSecurityPrivilege	1724	winlogon.exe
Token: SeTcbPrivilege	1724	winlogon.exe
Token: SeShutdownPrivilege	2932	LogonUI.exe
Token: SeSecurityPrivilege	1724	winlogon.exe
Token: SeBackupPrivilege	1724	winlogon.exe
Token: SeSecurityPrivilege	1724	winlogon.exe
Token: SeShutdownPrivilege	2932	LogonUI.exe
Token: SeSecurityPrivilege	1724	winlogon.exe
Token: SeBackupPrivilege	1724	winlogon.exe
Token: SeSecurityPrivilege	1724	winlogon.exe
Token: SeShutdownPrivilege	2932	LogonUI.exe
Token: 33	1892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1892	AUDIODG.EXE
Token: 33	1892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1892	AUDIODG.EXE
Token: SeShutdownPrivilege	2932	LogonUI.exe
Token: SeShutdownPrivilege	1724	winlogon.exe
Token: SeShutdownPrivilege	1724	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Bad Rabit.exerundll32.execmd.execmd.execmd.execsrss.exewinlogon.exe

description	pid	process	target process
PID 2972 wrote to memory of 2472	2972	Bad Rabit.exe	rundll32.exe
PID 2972 wrote to memory of 2472	2972	Bad Rabit.exe	rundll32.exe
PID 2972 wrote to memory of 2472	2972	Bad Rabit.exe	rundll32.exe
PID 2972 wrote to memory of 2472	2972	Bad Rabit.exe	rundll32.exe
PID 2972 wrote to memory of 2472	2972	Bad Rabit.exe	rundll32.exe
PID 2972 wrote to memory of 2472	2972	Bad Rabit.exe	rundll32.exe
PID 2972 wrote to memory of 2472	2972	Bad Rabit.exe	rundll32.exe
PID 2472 wrote to memory of 2588	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2588	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2588	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2588	2472	rundll32.exe	cmd.exe
PID 2588 wrote to memory of 2740	2588	cmd.exe	schtasks.exe
PID 2588 wrote to memory of 2740	2588	cmd.exe	schtasks.exe
PID 2588 wrote to memory of 2740	2588	cmd.exe	schtasks.exe
PID 2588 wrote to memory of 2740	2588	cmd.exe	schtasks.exe
PID 2472 wrote to memory of 2920	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2920	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2920	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2920	2472	rundll32.exe	cmd.exe
PID 2920 wrote to memory of 2088	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 2088	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 2088	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 2088	2920	cmd.exe	schtasks.exe
PID 2472 wrote to memory of 2632	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2632	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2632	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 2632	2472	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2304	2632	cmd.exe	schtasks.exe
PID 2472 wrote to memory of 2552	2472	rundll32.exe	143C.tmp
PID 2472 wrote to memory of 2552	2472	rundll32.exe	143C.tmp
PID 2472 wrote to memory of 2552	2472	rundll32.exe	143C.tmp
PID 2472 wrote to memory of 2552	2472	rundll32.exe	143C.tmp
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 1724 wrote to memory of 2932	1724	winlogon.exe	LogonUI.exe
PID 1724 wrote to memory of 2932	1724	winlogon.exe	LogonUI.exe
PID 1724 wrote to memory of 2932	1724	winlogon.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2932	696	csrss.exe	LogonUI.exe
PID 696 wrote to memory of 2996	696	csrss.exe	utilman.exe
PID 696 wrote to memory of 2996	696	csrss.exe	utilman.exe
PID 1724 wrote to memory of 2996	1724	winlogon.exe	utilman.exe
PID 1724 wrote to memory of 2996	1724	winlogon.exe	utilman.exe
PID 1724 wrote to memory of 2996	1724	winlogon.exe	utilman.exe
PID 696 wrote to memory of 2996	696	csrss.exe	utilman.exe
PID 696 wrote to memory of 2996	696	csrss.exe	utilman.exe
PID 2472 wrote to memory of 1548	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 1548	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 1548	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 1548	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 1600	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 1600	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 1600	2472	rundll32.exe	cmd.exe
PID 2472 wrote to memory of 1600	2472	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Bad Rabit.exe
"C:\Users\Admin\AppData\Local\Temp\Bad Rabit.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3045833844 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3045833844 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:34:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:34:00
      4⤵
      Creates scheduled task(s)
      PID:2304
- - C:\Windows\143C.tmp
    "C:\Windows\143C.tmp" \\.\pipe\{DEBF03B3-2EC9-4707-9A44-8553488EE002}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    PID:1600

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2996

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1248

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x22c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\143C.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2472-2-0x0000000002260000-0x00000000022C8000-memory.dmp

Filesize
416KB

Download
memory/2472-10-0x0000000002260000-0x00000000022C8000-memory.dmp

Filesize
416KB

Download
memory/2472-13-0x0000000002260000-0x00000000022C8000-memory.dmp

Filesize
416KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads