badrabbit | 06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f

General

Target

06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe
Size

431KB
MD5

d7ad0cdda235608cb4afb702562fdcfd
SHA1

358699a2bc63d26030f88b6287b07aaeb69680c5
SHA256

06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f
SHA512

4e269eb4a0d11f54d2e3ce167471b3a52cb4cb33f0766c420c0553db48c95f41c2a73fe1257669a63893a2a3e9cb0c1920a516d1ba780faea3f46e97260d2636
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR6:vT56NbqWRwZaEr3yt2O3XR6

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e45a-22.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
2396	B1FA.tmp

Loads dropped DLL 1 IoCs

pid	Process
3048	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\B1FA.tmp	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4884	schtasks.exe
3200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3048	rundll32.exe
3048	rundll32.exe
3048	rundll32.exe
3048	rundll32.exe
2396	B1FA.tmp
2396	B1FA.tmp
2396	B1FA.tmp
2396	B1FA.tmp
2396	B1FA.tmp
2396	B1FA.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3048	rundll32.exe
Token: SeDebugPrivilege	3048	rundll32.exe
Token: SeTcbPrivilege	3048	rundll32.exe
Token: SeDebugPrivilege	2396	B1FA.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 3048	3476	06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe	85
PID 3476 wrote to memory of 3048	3476	06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe	85
PID 3476 wrote to memory of 3048	3476	06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe	85
PID 3048 wrote to memory of 2352	3048	rundll32.exe	86
PID 3048 wrote to memory of 2352	3048	rundll32.exe	86
PID 3048 wrote to memory of 2352	3048	rundll32.exe	86
PID 2352 wrote to memory of 1016	2352	cmd.exe	88
PID 2352 wrote to memory of 1016	2352	cmd.exe	88
PID 2352 wrote to memory of 1016	2352	cmd.exe	88
PID 3048 wrote to memory of 4612	3048	rundll32.exe	94
PID 3048 wrote to memory of 4612	3048	rundll32.exe	94
PID 3048 wrote to memory of 4612	3048	rundll32.exe	94
PID 3048 wrote to memory of 3656	3048	rundll32.exe	96
PID 3048 wrote to memory of 3656	3048	rundll32.exe	96
PID 3048 wrote to memory of 3656	3048	rundll32.exe	96
PID 3048 wrote to memory of 2396	3048	rundll32.exe	97
PID 3048 wrote to memory of 2396	3048	rundll32.exe	97
PID 4612 wrote to memory of 4884	4612	cmd.exe	100
PID 4612 wrote to memory of 4884	4612	cmd.exe	100
PID 4612 wrote to memory of 4884	4612	cmd.exe	100
PID 3656 wrote to memory of 3200	3656	cmd.exe	101
PID 3656 wrote to memory of 3200	3656	cmd.exe	101
PID 3656 wrote to memory of 3200	3656	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe
"C:\Users\Admin\AppData\Local\Temp\06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 418499242 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 418499242 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:12:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:12:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3200
- - C:\Windows\B1FA.tmp
    "C:\Windows\B1FA.tmp" \\.\pipe\{74A98667-56E4-484A-B9F0-72FAC7AA342F}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\B1FA.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3048-3-0x0000000002D60000-0x0000000002DC8000-memory.dmp

Filesize
416KB

Download
memory/3048-11-0x0000000002D60000-0x0000000002DC8000-memory.dmp

Filesize
416KB

Download
memory/3048-14-0x0000000002D60000-0x0000000002DC8000-memory.dmp

Filesize
416KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads