badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

10-07-2024 20:43

240710-zhp35s1fna 10

10-07-2024 20:40

240710-zfyx9s1eng 6

10-07-2024 20:37

240710-zekn9a1ejd 7

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023569-368.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
1876	B36D.tmp

Loads dropped DLL 1 IoCs

pid	Process
376	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
25	camo.githubusercontent.com
56	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\B36D.tmp	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3136	schtasks.exe
1392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4440	msedge.exe
4440	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
4764	identity_helper.exe
4764	identity_helper.exe
2620	msedge.exe
2620	msedge.exe
3796	msedge.exe
3796	msedge.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
376	rundll32.exe
1876	B36D.tmp
1876	B36D.tmp
1876	B36D.tmp
1876	B36D.tmp
1876	B36D.tmp
1876	B36D.tmp
1876	B36D.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3540	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	376	rundll32.exe
Token: SeDebugPrivilege	376	rundll32.exe
Token: SeTcbPrivilege	376	rundll32.exe
Token: SeDebugPrivilege	1876	B36D.tmp
Token: SeRestorePrivilege	3540	7zG.exe
Token: 35	3540	7zG.exe
Token: SeSecurityPrivilege	3540	7zG.exe
Token: SeSecurityPrivilege	3540	7zG.exe
Token: SeRestorePrivilege	2320	7zG.exe
Token: 35	2320	7zG.exe
Token: SeSecurityPrivilege	2320	7zG.exe
Token: SeSecurityPrivilege	2320	7zG.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
3540	7zG.exe
2320	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4860	1688	msedge.exe	84
PID 1688 wrote to memory of 4860	1688	msedge.exe	84
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 2556	1688	msedge.exe	85
PID 1688 wrote to memory of 4440	1688	msedge.exe	86
PID 1688 wrote to memory of 4440	1688	msedge.exe	86
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87
PID 1688 wrote to memory of 856	1688	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2ceb46f8,0x7ffc2ceb4708,0x7ffc2ceb4718
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,12565706794684431709,11580933896589087267,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1956 /prefetch:8
  2⤵
  PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
PID:3624
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3582440775 && exit"
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3582440775 && exit"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 21:02:00
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 21:02:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1392
- - C:\Windows\B36D.tmp
    "C:\Windows\B36D.tmp" \\.\pipe\{5A98AEEB-3091-4B0E-83EA-4E96E66F5692}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1876

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BadRabbit\" -spe -an -ai#7zMap17541:80:7zEvent25675
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BadRabbit (1)\" -spe -an -ai#7zMap2520:88:7zEvent27941
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
22KB

MD5
ebe1db309515e123b18b19043ccba3c9

SHA1
1d51173183af8383fd38e2f32b65edaed978e37b

SHA256
f8b2426d9138e6d2dd2d645882e487fae91b1e126cdb04edd927129ff7c613d8

SHA512
f391aa37c5d6ac4c8bc711d417033eed7abb56396c3ee3b32d2bdd74ae9e2de43dbe938064bfe422a6d114157c556960aeda24b9ee24f5a22ce142aa89a39b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8da18b1d9449d4ba50961b56f2d10ea0

SHA1
1fd5e50a17c0d0dd2afbedc1070494745650a816

SHA256
0917d5eef11d3e7ff1f337323d0c89649ebf04e2fa794e458383e5fec86ff43e

SHA512
7c84215942e3c3caac505de1b2c766803e31856b27a009fc535916e701a9ff17daeadd604383943b156666107ebbc5ff53be0095987ee4e137746ec8d99832cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cea100e171de2dab85a8c6ca4c43b8ac

SHA1
ba0f89ff8f77b691ef4c782e8795c7b9153b46d3

SHA256
0c10bf2743f11e90ea9b62f5ac1215440a67593a693d73f22f7f4102149d338b

SHA512
a3345c3607a8a0562067b67822df9b9a38745d07065815212758874a46930db85ad5c317539cc7344022214d4ed4cfd964d313f0c13ec7f8384e5e0942b33c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
d6e3bf37c442b2d39e58f791930e5310

SHA1
8320df56dcc995ad18a087e3bce42bb574653689

SHA256
ce37006c5534f3037bcaf0609401c0e0e7b35625d49aff65bc1e9577e01a95b0

SHA512
7f59b78af656aa8f9bf3152dae5056586c5d79f35cefc29699f57c5832a4cc2ebfe6bd9ecc7587fccde524a4ea31d4e4aa9b8a0d50279ca6a52883b70bf2da28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa3d42cdf3f6c66c15814831198b4117

SHA1
c8b672b0bb563892ef76fff90ba2c9a18ac99377

SHA256
a9f8229b9d65bacf2f21897fd97230c1aa6974699aefd068d2cc96d86b960f63

SHA512
aee484e6a5b64753b51713ad106b8d07f107aa266dad20a49d374dc8d975bea63ab1e313f55ed4c12e7762a8ac36c3460ac1054ac5574855d7fd5da99f745cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1016134b9b77464942b9944eacd489a

SHA1
38b71e0e29d489a39756585a8e8e30e6396a9aad

SHA256
74e606cb0aae93a3552e10aa1d16b55eae3692bb422675f119bcfc9e3cb7838f

SHA512
dfe8ec5882b25c2ed354f1a17f82f723c84c4713c16bbfb38db366d4af3b7b5b751cd530ce8c1c0b143e78ab944754ebabed27816a7b60b55e81803e3f613b21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9d947d8104ede5aef62421de309936a

SHA1
a76e25dfe06fc35df1797153579927af4b523da4

SHA256
de4b826e5e6f27fdce306f75b35b6fb4d7e0569d7b6a68b5a6b06c951da231ac

SHA512
ad08e16b059cd9fc4b86ce1c7d841e8299721cb5f7c56d9055bfcc46a83e606a87628a93d1020e353a409bc31cb975c0c462e100a59a89cf636b378fb8b9e783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a10769d4f6f08dc3fbd060acfc02726

SHA1
e6ad1bcf4a063b2375220815dffaad8ea6618a6f

SHA256
7285fc108e73d99a541ec844f5e12b069f815094c6805b7cc4385ea31e93014b

SHA512
f365b0e6153c11cf23596feec73e61c2dc854057b5aa2f752012d20c9cfabeeb8c46d5d3b963bd91f946a9fa3f2d6e5192ed05a6f149718ff2c12b5161c18aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c9985103e777df99f8d07a1723fc82b

SHA1
ae5da2bd5abeb97944eed445d3273d50253b23f2

SHA256
c3d0d85b1ae5a8a28c9d7fbb93a0ebc9dae1fb61a53f5a4087b00fbf6345eb73

SHA512
d5cd78cfca9c3788a12ea964fcac8e56dfc1c999c98fe0c37ef1daaba0a3001855fb7a6916be7ca34fb9e14197816960aec6f699ecb66addfdbbefc37b2613fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c4eadaf7fcba6d51e503734dc5d53fe

SHA1
faa1a104ef09cdfcc44726cf6c52f1af55b3814e

SHA256
5bffbb846d12de79cca7248259c8cc106e79c5036721344145c545ffb3c1bb82

SHA512
2a968536fc20424c52ebbcdca034cfb56b6893b77f90ebc3ec87a9da46b379eafa96fc9aeac11b87e08d0927c3d2fcf80b4afa6ce4ca439ec69df04cae1a42f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58118f.TMP

Filesize
1KB

MD5
fc0f6ae946bf749be99cf8fbec0b9bf8

SHA1
0a7ffe4c61f843e9ed3fccade5e03c79795defc6

SHA256
6be12de7b7e036346b69374612e9b8b8812aef163826d5601ec175ab85307177

SHA512
309419b3faa5810df6ad367e748cd84fe25ce63ca70d73a142f15801d49846036b3b9134cc597c1943068610c55b6d9b055bc1cbec37c19578318e74ab4f2775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
825df97a5d8babcd21597a085f5f9e6e

SHA1
7637549d62daaa7a9d345f9edeabb8461628b5ad

SHA256
2d487c4350d553474894cce4a2ec8f77eee6c88901d23fc28dee22a186536c84

SHA512
4bf13e6fdf4c8e49421073baeb397159ecf6892a9f3d49e5d5441770d0c043020862e8cf4112cac8827808f9da905cdf2aa82c15a3882110470c248797d5feff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a473f5f6-4569-4fc2-9ac3-c621b1c44c45.tmp

Filesize
11KB

MD5
7629a91af415a96e4ac7b8d63b12f424

SHA1
190f0bd2cffaa3ca4e4ff63d7a46f7d18a12137d

SHA256
d76536f83d278027e1ac146ac19797dbe23002da2ef436d33adbb861b68960ad

SHA512
ccdff1eaf08f0b06e6d7ae43cd2591debbe7d8714f820b388297df035ba947c836bd1b275e7381ce3cef4e2feeb2eacb2ce06f2c8f0812d45487ea3b59c0a4da

Download Submit
C:\Users\Admin\Downloads\BadRabbit (1).zip

Filesize
393KB

MD5
6ee6f504e88cc634aeee14bb421bfac2

SHA1
227ebff725fe3159250dae67c3d68058545babbe

SHA256
615eb01b6ce4af7aee11c5d86c13f80964df7c390d0a4d52a5e13f9e6509c8ee

SHA512
3108df970265229129818181c13135b50af9777322c7afcf3c275a98e467b28366b90405f19d6aa0ec758fb91ed4598d91a30071f3c09764dd1d2aa98d933405

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Windows\B36D.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/376-351-0x0000000000C90000-0x0000000000CF8000-memory.dmp

Filesize
416KB

Download
memory/376-359-0x0000000000C90000-0x0000000000CF8000-memory.dmp

Filesize
416KB

Download
memory/376-362-0x0000000000C90000-0x0000000000CF8000-memory.dmp

Filesize
416KB

Download