badrabbit | b3c80146802eca48fd4fdd8c7f6e500c360165e4042cfac458d2830e532db4b4

Analysis

max time kernel
182s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BadRabbit.zip
Size

164KB
MD5

c279b056c175248970b86d544d4500ac
SHA1

b23b59b579e95d4c5b5c75f011c6b20438c1e223
SHA256

b3c80146802eca48fd4fdd8c7f6e500c360165e4042cfac458d2830e532db4b4
SHA512

22f25554000b76ad6c8801de02a3cf822210e5675fd117e83220a46fe0b5b56684d0b9d57d1262818c0028319ff7f546d9fa18de6613e5b1fbaac4c746516bdb
SSDEEP

3072:y0xwVWSrh1lhL2rypKP/X6OOKeRw+Ums1YElgGaPYwI1bwecpI7kzBrDUEbhg3P+:fTuoeF3uokeOvHS1d1+sNs8wbiWQu9Lm

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000236b6-431.dat	mimikatz

Executes dropped EXE 3 IoCs

pid	Process
412	[email protected]
4868	7D5F.tmp
4600	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
4312	rundll32.exe
3164	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
151	raw.githubusercontent.com
152	raw.githubusercontent.com
153	raw.githubusercontent.com

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\7D5F.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674153061975384"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{82AA5CBF-77D3-4076-AD6D-289FE61E771B}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
744	schtasks.exe
1428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4312	rundll32.exe
4312	rundll32.exe
4312	rundll32.exe
4312	rundll32.exe
4868	7D5F.tmp
4868	7D5F.tmp
4868	7D5F.tmp
4868	7D5F.tmp
4868	7D5F.tmp
4868	7D5F.tmp
4868	7D5F.tmp
3164	rundll32.exe
3164	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3024	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3024	7zG.exe
Token: 35	3024	7zG.exe
Token: SeSecurityPrivilege	3024	7zG.exe
Token: SeSecurityPrivilege	3024	7zG.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3024	7zG.exe
3024	7zG.exe
3024	7zG.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
2408	7zG.exe
4284	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	7zG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3808	4284	chrome.exe	105
PID 4284 wrote to memory of 3808	4284	chrome.exe	105
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 2184	4284	chrome.exe	106
PID 4284 wrote to memory of 1620	4284	chrome.exe	107
PID 4284 wrote to memory of 1620	4284	chrome.exe	107
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108
PID 4284 wrote to memory of 1212	4284	chrome.exe	108

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BadRabbit.zip
1⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8
1⤵
PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3544

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\BadRabbit\" -spe -an -ai#7zMap17196:76:7zEvent23202
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff8cc8cc40,0x7fff8cc8cc4c,0x7fff8cc8cc58
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2224,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:3
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3732,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4412 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5092,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4012,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3548,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3400,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3180,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,18193582216989435087,1163662965870256635,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:1008

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4704

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BadRabbit\" -spe -an -ai#7zMap27931:80:7zEvent10656
1⤵
- Suspicious use of FindShellTrayWindow
PID:2408

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:412
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:116
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2902152456 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2902152456 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:14:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:14:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:744
- - C:\Windows\7D5F.tmp
    "C:\Windows\7D5F.tmp" \\.\pipe\{2BD92E5D-7098-425E-90B2-5B544ABC29C7}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4868

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4600
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
45255c3a8f7f3777f12770280bf82400

SHA1
119683a638b805cfe624fbdb0df58ac37ad09a20

SHA256
87c420a67bf2e5354f6226af1769b1976d17e6a1f6be60138ced341d3c8943d3

SHA512
e0d6de754cb1c0bf0c864ec34e92a66a0118836023088452635c25f9aaedb0017e1db2893244e529aa6c4955ef852a95a789970c7263054a014f341d6b2343d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
0895b10fc298f5722c9e1a9b637b5e74

SHA1
208af55d4da1faddd05fdbc86dba525a715ebe69

SHA256
bf53c7a76a1a944296eb78962e92f852887ec27ee695f4dcec5ade1127c82001

SHA512
03bb8ae8fd95068d8bb378cfda0431d89b9b47a213519a24c9d8b7ec3b3f17c9f10e2612d54e01ffa491b083977312b313514e3525fa7767e437ef9a67e8dd69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
97f889c6863011eacd3b5f7aabe20225

SHA1
ead90d082ab28dd85c0656c3298fcd021b8a276b

SHA256
6b9415d235ca32fc11487147976646ce8afa2445c2f5421dc1d7dd53b44440ca

SHA512
458b387502a0d9f4b1dd7521aea962d7ffc706404e78d7e8322da831f92caa8cd10596956d3af28a27088cf5308a8818f77a0b0144bc10bdf8aa12ef870429cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
332edcf6ee1fb692d92e417e1d80b149

SHA1
35756b705ff85e54e5381b2d3f12c3ff52beb6ba

SHA256
bf23d10230af659a096bf8ec56281b297a095824b50c64f5d3d84966af2eddfb

SHA512
ace0305c6c98225c4ae78d72e98097bb95db27ca50f03562a715c391e2943156a8e6dc76b786e509913d1d2edd92c67a6270c78c20fb59dc503bd90199a3276f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b2ec5979484b7fc6134ca77b5df379eb

SHA1
297ad0a2cb4ee12701189dde64ff835ae9b4b568

SHA256
bcf20480972ef7e1c86106d27b1a07ba80a4a573530de644c099c94dddf5daf4

SHA512
761daa779d306b421f7d71904197b34d3169b987e9d4dd87cf1ebd7cfe7b1ce04a65cfaac1f30ee57aabf832fc2afb72664b217c14a34cdf2b7f78cf586df90b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f2f6b770320a89310d7ff6dded61de8c

SHA1
c73126d84277dad4f79825644d0288d5ccce3618

SHA256
02ed2793034c5a482f9673d93ab214484d3249847917c51f18fb66f876703e95

SHA512
6a5ad8797026d1506aa30630be776404087d55b9914c60fb30bba7284bad7911fe98d405daba7ec5f34475b975e31a34b10b1bedebd9734d26f76f0c667e5ada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9ed32be432d45d75be932bb12f944408

SHA1
0f10feb28360ac679babdeaa54573ec270effb97

SHA256
e279419bc701a0328b8ec90d7db61bc695afcd0935255ab16b240936820f32c6

SHA512
64da06ee9ae85ea948139f76279c71a4e0609ff7fa124d8e9a6a407a69d8ff3d29e94f4442752000ab77b81221ab7d32cbbb5ba0ade987ffd10d983b27c20ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fe74991baef413ca12b45747e227b9df

SHA1
3a91c1676bd9f53138ce8084ddfa1a943065f22a

SHA256
42e0e0036fbbc746120544f2c10080d899c27ff6ea6a137e2950705311548d1c

SHA512
5403e092d4f3a98da081e2fc48cb63aa365cfe4889c1da0e39ded8447d20d3e088692a15615cfd3040e127f80819bb8c2d2bc28da76eb86d3ac2020c80d5d730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ad2dd68c4094c92d182b4049e66f1ff5

SHA1
5bf97b07c864137a42fb7081dadc29c337f6ca6f

SHA256
d004b241db5c322320afb7fc7d83d67cdcf0131eafad7e6bf6b26bdbb84480ee

SHA512
fa4c2d54d2117de062ffea219043ded8b13d642549ec7635310cc48250ce193ce199306fbed368993452f7edda593ec7747b7c37320355e2437616263ea89b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5eb59118018cc79e9e6a2604195a17b2

SHA1
9210155258b31ea77e3929ff6232641c1f058589

SHA256
b13a8c7b839a50b683dd942e08de1472135357f8f414a194a85753aaf53be624

SHA512
b987298177507fb620b0f33378cad36d814b51cb3288717e156cd43a29eecab1f3fb86900c39cb35ffd02b79030d097fbcb0d84f452449444bef61a1b76e9c56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bb06812d5af1d7675177b55655cb9e4c

SHA1
7c9cbee75b25643c011e276183452b0391953769

SHA256
c252049c6a90caa311770a9c4336b1f38bbb09a4484ffd7f7f95db6b6804f765

SHA512
88e7c8c29c476fc13c1a04082a62c5fe0f5bfa7665c74b40c70bbcb53107601a48d75c466659eb110391bb21c75b127ccf7dba98a36b983f935b292bc6378c64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
11f293173be6893e1b098d0aa223652f

SHA1
056ab661e9cee73be414939c659d332273abc475

SHA256
88c7c7e4142fd562c1c6eda85282ec4f1df3a365490f135b60178e031a053e29

SHA512
f27e70791277db85421fee18cc317a1dc211dac227b187698ea7a30eedb6e6589fba25bff512c8c07c7e397f2bdf2f65c20afa72a89d30d06728e7bb78d6efe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d7e93f99ccc40c582fce25676c20ce99

SHA1
feadfd599f239cc7a2a5e236f69f065a3e3d3a4e

SHA256
ceedc23161cbe65b0ae0963405d717f5ad1b6f8edc553e9b62fab376db88b68d

SHA512
24bc87d7e965c244815dd1b6ef987894e3426eb4acdca0c0a3edf577ec664ce3c026089108bec6f8a16612986790296cb7e12be8a5169990724707eb1ef39851

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
82B

MD5
9c12ec41b948e46a5108b7dbfaf1d16c

SHA1
860c5126809bae1950aa06800c5c1bcdf05f6c53

SHA256
34291f16a0ca09f3129132c388fbf0d909778432ae92059c6d85f77a622dc004

SHA512
a93099ce7e7896b91fe111c44df3beece4828d40705f08f403c63502cf778822f276a3d40f01bee3433b8b1de32cfeef9c8b445bfcfaf56befae6b3ec43f463c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe59d5b5.TMP

Filesize
146B

MD5
6e3953ea58a8154fbb8e722ea22e9c23

SHA1
3576479bb049bcd528b7a8dce32d5e8487ee7d42

SHA256
932d24052c201800498dd56e149af60b6b9a2b2dc8176c2c2a3b22225b6a4e22

SHA512
592c17e5307d2e12a377c6af46342f7533eac77d0d995c91f2c8a7e5af3d1683688c8ac4495bf11f40d9737489484e04808546a95695a0614745cbae1ce85e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
410fcb4079de10fc7063a4883960e72a

SHA1
c90d4b28bf3a8136edf607fd991633a4a46e014d

SHA256
9b25a20119f0bdb42832487aeb577302124b07db856f8775933085ee829f2a47

SHA512
a439f245d8a8fb8a5fdbbf0a8d782fdb8e02a289e7850a376cce1acac37031132596cd54c61bc783f4179575f83521037e989b56b246832344dcb85de35e8887

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
2e51dcace4199085fdd14c4de42a9c7b

SHA1
bc9eeaa2b102dbe9e244f7bd456d32d0b08a89a3

SHA256
cce9e41cad7411568b3d5d0b993301f3475374b1b56b7dda7990490115ead96a

SHA512
e6778f8e5f467630b94f8e34253b45e7301ed61a74d791f0922178dc7556382614e88a21d762aed4c2acb76bd98807662c1fd39f55b894b007e9db7db4ced878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
9b50871051cf05456bfb54aa3231c70f

SHA1
10be906244059b3c4e3dcbe2d9688c92590e251b

SHA256
397fbba48bcf4e4d939bc8d02502f4f4efcaebf64287d219bb62697dbf369504

SHA512
8dabcda181778ce937c69398a2b2dd616f34452a55aa4b25de661499b1e1309a064e345f6921cdaaea279520b58d62942323566490408087f3dc0e55b0b92207

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip.crdownload

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\7D5F.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3164-578-0x00000000006D0000-0x0000000000738000-memory.dmp

Filesize
416KB

Download
memory/3164-570-0x00000000006D0000-0x0000000000738000-memory.dmp

Filesize
416KB

Download
memory/4312-415-0x0000000000FB0000-0x0000000001018000-memory.dmp

Filesize
416KB

Download
memory/4312-422-0x0000000000FB0000-0x0000000001018000-memory.dmp

Filesize
416KB

Download
memory/4312-425-0x0000000000FB0000-0x0000000001018000-memory.dmp

Filesize
416KB

Download