badrabbit | fbd2fc91df25ccd0bb980ee37e092fafa2a2c63d659a98565684006a9e8f72ac | Triage

Resubmissions

28-08-2024 08:25

240828-kbjkfs1eqb 3

28-08-2024 06:36

240828-hc6p9szepj 10

Sharing

General

Target

purim-0-311-0-409.jpg
Size

41KB
Sample

240828-hc6p9szepj
MD5

b7bd9c98d26f6d64bc007f8f10519cd8
SHA1

f7921a954a5af85457f6a0e64bb5ee0caf498d68
SHA256

fbd2fc91df25ccd0bb980ee37e092fafa2a2c63d659a98565684006a9e8f72ac
SHA512

d97de52d7831a195358186f81bf318a8931f5e1ead55b2ad760dde876074c003cb933a6470a52830d377d3fbace1cc4f2b9a58a172180661495027713cec9f3f
SSDEEP

768:32AEFF9IXfj87OB16z9lgOIGp9qocLYQYP1V8Ahz+R/X9E7WBOa:GPFFarkOB1MNIGm/kpXmRv9n

Score

10^/10

badrabbit mimikatz bootkit defense_evasion discovery persistence ransomware

Malware Config

Targets

- Target
  
  purim-0-311-0-409.jpg
- Size
  
  41KB
- MD5
  
  b7bd9c98d26f6d64bc007f8f10519cd8
- SHA1
  
  f7921a954a5af85457f6a0e64bb5ee0caf498d68
- SHA256
  
  fbd2fc91df25ccd0bb980ee37e092fafa2a2c63d659a98565684006a9e8f72ac
- SHA512
  
  d97de52d7831a195358186f81bf318a8931f5e1ead55b2ad760dde876074c003cb933a6470a52830d377d3fbace1cc4f2b9a58a172180661495027713cec9f3f
- SSDEEP
  
  768:32AEFF9IXfj87OB16z9lgOIGp9qocLYQYP1V8Ahz+R/X9E7WBOa:GPFFarkOB1MNIGm/kpXmRv9n
Score

10^/10

badrabbit mimikatz bootkit defense_evasion discovery persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- System Binary Proxy Execution: Verclsid
  Adversaries may abuse Verclsid to proxy execution of malicious code.
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Pre-OS Boot

Bootkit

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Pre-OS Boot

Bootkit

System Binary Proxy Execution

Verclsid

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

badrabbitmimikatzbootkitdefense_evasiondiscoverypersistenceransomware