hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/BadRabbit[.]exe

Resubmissions

03-08-2024 19:41

240803-yeg3paxgpg 5

03-08-2024 18:29

240803-w487cswcqa 10

Analysis

max time kernel
1799s
max time network
1687s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-08-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/BadRabbit.exe

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133671964960716653"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2304	1448	chrome.exe	73
PID 1448 wrote to memory of 2304	1448	chrome.exe	73
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 652	1448	chrome.exe	75
PID 1448 wrote to memory of 4680	1448	chrome.exe	76
PID 1448 wrote to memory of 4680	1448	chrome.exe	76
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77
PID 1448 wrote to memory of 2168	1448	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/BadRabbit.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeab689758,0x7ffeab689768,0x7ffeab689778
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:2
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1752 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5008 --field-trial-handle=1840,i,227023599776844278,14815733976911672757,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
346135eba1072026eebb69175f0faea2

SHA1
73879bec6004dfa95bed57bc02994de28fc2bc3b

SHA256
64269bedbeffcc6ce08c46ac39e1addc4135f4de702f6ae32385089ba7268f70

SHA512
0853eb7f5ba731e56bc91e9089351368aa41534a5570b15f0f80a1f6670baeab41ad1ab296c9c1f6642a1ac2cee505121199477d8539bd50e90bc3b3a77527b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
49501439bccb9dc7d436f24678fb7882

SHA1
75e47830b52f1b15a0e73e655824e306c0203681

SHA256
ec621291a655f8c7f2ee6ff0e7eafb322e60bf5236fab843de89b1c1ae3969b8

SHA512
62907e041f8e0509d93a29f0433e5d4a1cdae118c7f4750506780fd9bda09a5a96733eb4eca255e19d4a01a5b4b046dc72134239631d0aadcc6ff34cadfed439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c3c9de9c-af2c-4b32-afc3-b76e6b74690f.tmp

Filesize
1KB

MD5
564ff28b861556dc1c32fd2a9a40978d

SHA1
253f6527261c9cb9a8fab4e3ab5cfb0170f3579f

SHA256
af30353ef530978ccee0ee3b35fa7d96450d32472eac26198fd98dc96eb2240c

SHA512
0bb2b9c08b8c327c214d5848952078fa6a17bae312248541388529f403203413ad34eb424b1c87955cdc0f5f02be7d043a402d7717fc043a66d5feb30cf51305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a42e1140258c1cc8c91c69ae90dfe277

SHA1
a2ab8f676434cd86f9088aa1e80d61e11b844163

SHA256
6507eab6fc16fd6a3a1ea39b7c1586f9299750a6888592dc8556465f30b4bb15

SHA512
b6103024bf8d591171746ef2f83c6fa4ebd797e0ac8f9f7f70be09c44d5669c5f4be3056c6f223f219eec0cfefde08c3a890efa431050af2e7be84f3645fc941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d23e7118a76ca89956ded10147e0a449

SHA1
a1337a9a5d32b6f6e8309183ef1b49a27d22636d

SHA256
5636885fe4d4e84168603f1b2613144067896ecac8bb3a940a71fda6c9ae55e1

SHA512
b030133baafbab515df1d3cb7a55cc7c19de1139853e17254e71a3c2adf138322f8b705b089e6b5992b09658454bcae576511bb2ba6c5e82894720df4aa82598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6ab689721ace1e3c7dfe3602944a9757

SHA1
57bea92ad4c65250422a7dc3461d62baa5cc0f8e

SHA256
d2a949702b9d5d3a4762d723ecfb79f1800238ab994e4d3ffe2aa2d433529a98

SHA512
b5f85b32ec4692e772f54b7073875a2f6d2f7ea7df7a7f7d874dc5bb25da0c2d4c984e027bbfeb13d7ffd0c9b4928716832fe2aac36b7bb2c8594a2bab32cd09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
0869373cb0657d4316c337c9eb689d00

SHA1
1ca11da98085b7d3f0160493da7f77f806880c56

SHA256
928f91e6b63fce8773dc0038c352b0299dc0efe8215ca51761e29578659af5bc

SHA512
2cdf2cf88f5820d3c9cf10d4168a3cdc2634a4e3cf922695915b4e95ff846e9f46dc8e2a2fd1ad18b73a3de873fb6c958525bb581d167415fc71c5bf07579ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit