b54a055e351b7b02f64ba65002436a13ba6554b2c407966db0ef212c1a409646

Resubmissions

06/07/2024, 23:19

240706-3baawsygmg 7

Analysis

max time kernel
368s
max time network
426s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
06/07/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Bad Rabbit Erotic virtual pet DEMO.exe
Size

484.7MB
MD5

3ba77571c34faaa2c32ccb41fe4ea7e7
SHA1

7803dbb58187294970a499e7e2b50cb0c25337a0
SHA256

b54a055e351b7b02f64ba65002436a13ba6554b2c407966db0ef212c1a409646
SHA512

8ed9bb5e8d3ce5e7909f0937998ade8160e75af6f40f61bc56260871d9c571626e1c290dd2329f35080770ef82753072dfe64696f02bd0e1682d31f507dd1a3d
SSDEEP

12582912:FHQ4LuWERB+c9GVa2kPLsjy2856zaVO+G8ObDzp9YKNRpCGQ+OhHgIbcwf4QWqtr:FHQ4LuWERB+c9GVa2kPLsjy2856zaVOy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettingsAdminFlows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	SystemSettingsAdminFlows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	SystemSettingsAdminFlows.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1532	vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	3208	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3208	AUDIODG.EXE
Token: SeBackupPrivilege	324	vssvc.exe
Token: SeRestorePrivilege	324	vssvc.exe
Token: SeAuditPrivilege	324	vssvc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1532	vlc.exe
1532	vlc.exe
1532	vlc.exe
1532	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1532	vlc.exe
1532	vlc.exe
1532	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3408	Bad Rabbit Erotic virtual pet DEMO.exe
3408	Bad Rabbit Erotic virtual pet DEMO.exe
1532	vlc.exe
3648	SystemSettingsAdminFlows.exe
2392	LogonUI.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Bad Rabbit Erotic virtual pet DEMO.exe
"C:\Users\Admin\AppData\Local\Temp\Bad Rabbit Erotic virtual pet DEMO.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004B4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ConvertToExpand.rmi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4412

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3804

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Users\Admin\AppData\Local\Temp\BBF85184-F482-4783-AE15-995AB7EEBF9B\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\BBF85184-F482-4783-AE15-995AB7EEBF9B\dismhost.exe {5D4A19E4-1848-461A-84FE-08C975134D4B}
1⤵
- Drops file in Windows directory
PID:2564

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a28855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt5BD7.tmp\Box2DBase.mfx

Filesize
284KB

MD5
15c1f5c080b99d1ea6f3b70c7a69af8c

SHA1
79e85e2d054dc6a07c0f9f611978e129e98ebf69

SHA256
286605641cdba584c563d7241c106bc9ea9d3e5a22028ed92e7f5cabd33e1e4b

SHA512
c540e8a1d1dfb60daec7694ff0f1cad210f7a061f80f6aea1a507b172a6295960c6ceaf80a808d1f752ec0ad8e4e97ad9941fd85c3926a4351095ae00aaaf1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt5BD7.tmp\Box2DParticules.mfx

Filesize
116KB

MD5
620484ac56c6d8820f97f1b270780f4d

SHA1
0ffa10053fc6102662846c69c3caead76177d577

SHA256
d96b7d91eebd3ae5f967d2726d00beb834be41a113aded49298da94cbdae48db

SHA512
a8cbba36d670035fdda66ba2bda124963e27c2fbb23514f2f5c3d6775ba1ebafbe59494938cb6bf7e5f7cc8e949422c208f7e80124ca24af371ebe3b9234873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt5BD7.tmp\mmf2d3d11.dll

Filesize
541KB

MD5
839633898178f35f6de0b385b7de0ec7

SHA1
5396e52c45954f0953cc8cf2095b122f7353180e

SHA256
5f6563d6bf2f3ceab8b2ca2c15ba4f7fe882a82c1f72b10041b5692c6515a53a

SHA512
b0ed4fce2815dcb783e0b9a786178b337d215e6a4d16df1ddb3c28ccdba13081fee1976669d9f99505cf31b8f1e8d5584fd1aa9732e1add38217222726c76eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt5BD7.tmp\mmf2d3d9.dll

Filesize
1.5MB

MD5
c85bcc9f3049b57aa8ccbb290342ff14

SHA1
38f5b81a540f1c995ff8d949702440b70921acc5

SHA256
bddda991185a9e83b9855a109f2fcfa78cd2d5402e9db344c6ec77f6ce69a0c5

SHA512
5097f9d78ddc651aabf41f217f622ee656a1c6de6a9b339354525293102cf631cca2b7babaf991e99e49efe4d1bb6792c8a7a11f82e4ae2081c3961eb9b5afe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt5BD7.tmp\mmfs2.dll

Filesize
768KB

MD5
200520e6e8b4d675b77971dfa9fb91b3

SHA1
0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07

SHA256
763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b

SHA512
8b7bb334b6bd83ae43e5a4fe32a92b38b1edd2c292c4a540a54c2ee16092eb30108524c1c363508f7c62617bb224d9b447f07cda97ab7de01688acbfbacec51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt5BD7.tmp\mp3flt.sft

Filesize
24KB

MD5
5bebc3ae0122702b89f9262888d3a393

SHA1
064731c0f1d493b5b82921fa78f06e3d1db95284

SHA256
81c9a9459a8e124793addf142cd513945d6fe600e1d67f74897898d7570e56b2

SHA512
c10cb520c2c4a9fe7c371f17ce7f86f138db247468ab1e465dafd7abd294c2beb13cf3a2595b4c8c820d911d8b70842c8f4e45398693c4f0454f973bd58a10a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt5BD7.tmp\waveflt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
memory/1532-48-0x00007FF6D7AC0000-0x00007FF6D7BB8000-memory.dmp

Filesize
992KB

Download
memory/1532-49-0x00007FFFD32B0000-0x00007FFFD32E4000-memory.dmp

Filesize
208KB

Download
memory/1532-60-0x00007FFFD32B0000-0x00007FFFD32E4000-memory.dmp

Filesize
208KB

Download
memory/1532-59-0x00007FF6D7AC0000-0x00007FF6D7BB8000-memory.dmp

Filesize
992KB

Download
memory/1532-54-0x00007FFFC19A0000-0x00007FFFC1C56000-memory.dmp

Filesize
2.7MB

Download
memory/1532-62-0x00007FFFC1120000-0x00007FFFC122E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-17-0x00000000012F0000-0x0000000001310000-memory.dmp

Filesize
128KB

Download
memory/3648-69-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-70-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-71-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-72-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-73-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-89-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-88-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-87-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-86-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-85-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-84-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-83-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-82-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-121-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-122-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-118-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-120-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-119-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-81-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-114-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-80-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-112-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-111-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-110-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-79-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-108-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-109-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-107-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-106-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-104-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-105-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-103-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-102-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-78-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-100-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-101-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-98-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-99-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-97-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-77-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-95-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-96-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-76-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-94-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-92-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-93-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-91-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-90-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-75-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-74-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-113-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-117-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-116-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download
memory/3648-115-0x0000025B0BF50000-0x0000025B0BF60000-memory.dmp

Filesize
64KB

Download