Analysis

max time kernel: 143s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 31-08-2024 03:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win10v2004-20240802-en

General

Target: https://github.com/Endermanch/MalwareDatabase
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.

Mimikatz (YARA rule match) 1 IoCs
    resource                                       yara_rule
    behavioral1/files/0x000800000002351e-403.dat   mimikatz

Executes dropped EXE 1 IoCs
    pid    Process
    6040   FE60.tmp

Loads dropped DLL 1 IoCs
    pid    Process
    5672   rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
    flow   ioc
    98     raw.githubusercontent.com
    99     raw.githubusercontent.com
    The target URL is a GitHub repository, so these two flows are the browser fetching the sample from GitHub, not attacker-controlled C2 traffic.

Drops file in Windows directory 5 IoCs
    description                    ioc                      Process
    File created                   C:\Windows\infpub.dat    [email protected]
    File opened for modification   C:\Windows\infpub.dat    rundll32.exe
    File created                   C:\Windows\cscc.dat      rundll32.exe
    File created                   C:\Windows\dispci.exe    rundll32.exe
    File opened for modification   C:\Windows\FE60.tmp      rundll32.exe
    Writing payloads directly under C:\Windows rather than into a subdirectory is a strong indicator by itself: the dropper writes infpub.dat, and the rundll32 instance that loads infpub.dat then writes cscc.dat, dispci.exe and FE60.tmp.

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description   ioc                                                           Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe (3 rows)
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   [email protected]
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe (3 rows)
    This key is also read during ordinary 32-bit process start-up, which is why cmd.exe and schtasks.exe appear here; on its own it is weak evidence.

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
    description         ioc                                                                                                                                              Process
    Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                    taskmgr.exe
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                 taskmgr.exe
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
    All three rows come from taskmgr.exe (PID 1356), which was started in the sandbox alongside the sample; Task Manager reads disk friendly names for its Performance view, so this is not the sample probing for a sandbox.

Enumerates system info in registry 2 TTPs 3 IoCs
    description         ioc                                                                  Process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
    These reads are the browser's own, not the sample's.

Modifies Internet Explorer settings 1 IoCs
    description   ioc                                                                                                            Process
    Key created   \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\TypedURLs   taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid    Process
    4568   schtasks.exe   (creates task "drogon": forced reboot at 04:17:00, run as SYSTEM)
    2172   schtasks.exe   (creates task "rhaegal": runs C:\Windows\dispci.exe as SYSTEM at every start)
Suspicious behavior: EnumeratesProcesses 64 IoCs
    pid    Process
    4112   msedge.exe
    2752   msedge.exe
    1356   taskmgr.exe
    4588   identity_helper.exe
    4616   msedge.exe
    5752   msedge.exe
    (64 rows in the report, mostly repeats of 1356 taskmgr.exe; duplicates collapsed here.)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
    pid    Process
    1356   taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
    pid    Process
    2752   msedge.exe   (10 rows)

Suspicious use of AdjustPrivilegeToken 7 IoCs
    description                       pid    Process
    Token: SeDebugPrivilege           1356   taskmgr.exe
    Token: SeSystemProfilePrivilege   1356   taskmgr.exe
    Token: SeCreateGlobalPrivilege    1356   taskmgr.exe
    Token: SeShutdownPrivilege        5672   rundll32.exe
    Token: SeDebugPrivilege           5672   rundll32.exe
    Token: SeTcbPrivilege             5672   rundll32.exe
    Token: SeDebugPrivilege           6040   FE60.tmp
    The taskmgr.exe rows are normal for Task Manager. The rows that matter are rundll32.exe (PID 5672, the process hosting infpub.dat) enabling SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege, and the dropped FE60.tmp enabling SeDebugPrivilege, which is what a credential dumper needs to read LSASS memory.

Suspicious use of FindShellTrayWindow 64 IoCs
    pid    Process
    2752   msedge.exe
    1356   taskmgr.exe
    (64 rows in the report; duplicates collapsed here.)

Suspicious use of SendNotifyMessage 64 IoCs
    pid    Process
    2752   msedge.exe
    1356   taskmgr.exe
    (64 rows in the report; duplicates collapsed here.)

Suspicious use of SetWindowsHookEx 2 IoCs
    pid    Process
    1356   taskmgr.exe   (2 rows)

Suspicious use of WriteProcessMemory 64 IoCs
    description                        pid    Process      procid_target
    PID 2752 wrote to memory of 2824   2752   msedge.exe   84   (2 rows)
    PID 2752 wrote to memory of 2488   2752   msedge.exe   85   (repeated)
    PID 2752 wrote to memory of 4112   2752   msedge.exe   86   (2 rows)
    PID 2752 wrote to memory of 1316   2752   msedge.exe   87   (repeated)
    Every row is the Edge browser process (2752) writing into the helpers it spawned (2824 crashpad handler, 2488 GPU process, 4112 network service, 1316 storage service), i.e. normal Chromium start-up, not injection by the sample.
Processes

(Indentation reflects each process's depth in the report's tree. Each entry gives the image path, the recorded command line, the PID and the signatures that fired on that process.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
  PID: 2752
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e3a546f8,0x7ff8e3a54708,0x7ff8e3a54718
      PID: 2824

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      PID: 2488

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 /prefetch:3
      PID: 4112
      signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
      PID: 1316

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      PID: 2460

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      PID: 4528

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5096 /prefetch:8
      PID: 3512

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
      PID: 4132

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
      PID: 4588
      signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
      PID: 892

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      PID: 1476

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      PID: 4976

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
      PID: 2876

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
      PID: 5320

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
      PID: 4616
      signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
      PID: 2968

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3440 /prefetch:8
      PID: 5848

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5920 /prefetch:8
      PID: 5856

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      PID: 5828

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
      PID: 5752
      signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
      PID: 6084

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14752666032504864806,15119049233512458976,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
      PID: 5352

C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2536

C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4868

C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1356
  signatures: Checks SCSI registry key(s); Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

    C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe"
      PID: 924

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5432

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
  PID: 5800
  signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\rundll32.exe
      cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 5672
      signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
          cmdline: /c schtasks /Delete /F /TN rhaegal
          PID: 2100
          signatures: System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /Delete /F /TN rhaegal
              PID: 5536
              signatures: System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
          cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2473841474 && exit"
          PID: 3624
          signatures: System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2473841474 && exit"
              PID: 2172
              signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe
          cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:17:00
          PID: 2044
          signatures: System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:17:00
              PID: 4568
              signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

        C:\Windows\FE60.tmp
          cmdline: "C:\Windows\FE60.tmp" \\.\pipe\{50F1A4A0-D44E-4939-9728-F068968907B5}
          PID: 6040
          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

Reading the tree: the Edge process (PID 2752) and its helpers, the two CompPkgSrv.exe instances, the shell32 rundll32 (PID 5432) and Task Manager (PID 1356, with its cmd.exe child) are the sandbox's own activity around opening the URL; the signatures they trigger are noise. The sample's chain starts at PID 5800: the dropper writes C:\Windows\infpub.dat and calls its export #1 through a 32-bit rundll32 (PID 5672); that DLL drops cscc.dat, dispci.exe and FE60.tmp into C:\Windows, deletes and recreates the task rhaegal so that dispci.exe runs as SYSTEM at every boot, schedules drogon to force a reboot at 04:17:00, and launches FE60.tmp with a named pipe as its only argument. FE60.tmp holding SeDebugPrivilege, together with the Mimikatz YARA hit on a dropped file, is consistent with it being the credential-harvesting component that reports back over that pipe.
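The chain above (dropper, rundll32 calling infpub.dat export #1, schtasks creating rhaegal and drogon as SYSTEM, FE60.tmp started with a named pipe) is the part of this report worth turning into detection logic. The following is an added example, not part of the sandbox report and not any vendor's rule set: it runs regex and command-line parsing rules over constructed process-creation records built from the PIDs and command lines shown above and correlates hits back to the root of the process chain. Parent PIDs, the Sysmon-style field names and the benign NightlyBackup task are assumptions, since the report shows tree depth rather than ppid.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1-style fields) that
# mirror the report's tree. Parent PIDs are assumed: the report shows depth,
# not ppid. The last three rows are benign noise included to show non-matches.
EVENTS = [
    dict(pid=5800, ppid=1000, image=r"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"'),
    dict(pid=5672, ppid=5800, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    dict(pid=2100, ppid=5672, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"/c schtasks /Delete /F /TN rhaegal"),
    dict(pid=3624, ppid=5672, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2473841474 && exit"'),
    dict(pid=2044, ppid=5672, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:17:00'),
    dict(pid=6040, ppid=5672, image=r"C:\Windows\FE60.tmp",
         cmdline=r'"C:\Windows\FE60.tmp" \\.\pipe\{50F1A4A0-D44E-4939-9728-F068968907B5}'),
    dict(pid=1356, ppid=1000, image=r"C:\Windows\system32\taskmgr.exe",
         cmdline=r'"C:\Windows\system32\taskmgr.exe" /4'),
    dict(pid=5432, ppid=1000, image=r"C:\Windows\System32\rundll32.exe",
         cmdline=r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    dict(pid=7002, ppid=1000, image=r"C:\Windows\System32\schtasks.exe",   # constructed benign task
         cmdline=r'schtasks /Create /SC DAILY /TN NightlyBackup /TR "C:\Tools\backup.exe" /ST 02:00'),
]

@dataclass
class Finding:
    pid: int
    rule: str
    detail: str

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
# rundll32 calling an ordinal export of a ".dat" dropped straight into %SystemRoot%
RUNDLL32_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<path>\S*\\Windows\\[^\\\s]+\.dat),#(?P<ordinal>\d+)", re.I)
# a ".tmp" executed from %SystemRoot% and handed a named pipe on its command line
TMP_WITH_PIPE = re.compile(r'"?[A-Z]:\\Windows\\[^\\"\s]+\.tmp"?\s+\\\\\.\\pipe\\', re.I)
# an .exe directly under %SystemRoot% (no subdirectory), e.g. C:\Windows\dispci.exe
SYSROOT_EXE = re.compile(r'[A-Z]:\\Windows\\[^\\"\s]+\.exe', re.I)
FORCED_REBOOT = re.compile(r"shutdown(?:\.exe)?\b.*\s/r\b", re.I)

def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes and backslash-escaped quotes."""
    return [bare if bare else quoted.replace('\\"', '"') for quoted, bare in TOKEN.findall(cmdline)]

def schtasks_args(tokens):
    """Map /SWITCH -> following value ('' for bare flags such as /F)."""
    args, i = {}, 0
    while i < len(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tokens[i].startswith("/") and nxt is not None and not nxt.startswith("/"):
            args[tokens[i].upper()] = nxt
            i += 2
        else:
            args[tokens[i].upper()] = ""
            i += 1
    return args

def check_event(ev):
    cmd, pid, out = ev["cmdline"], ev["pid"], []
    m = RUNDLL32_ORDINAL.search(cmd)
    if m:
        out.append(Finding(pid, "rundll32_ordinal_export_of_sysroot_dat", f"{m['path']} export #{m['ordinal']}"))
    if TMP_WITH_PIPE.search(cmd):
        out.append(Finding(pid, "sysroot_tmp_exe_with_named_pipe", cmd))
    toks = tokenize(cmd)
    if any(t.lower().rsplit("\\", 1)[-1].startswith("schtasks") for t in toks):
        args = schtasks_args(toks)
        # only SYSTEM tasks are interesting here; the benign daily task has no /RU
        if "/CREATE" in args and args.get("/RU", "").upper() == "SYSTEM":
            tn, tr = args.get("/TN", "?"), args.get("/TR", "")
            if FORCED_REBOOT.search(tr):
                out.append(Finding(pid, "system_task_forces_reboot", f"{tn}: {tr}"))
            if SYSROOT_EXE.search(tr):
                out.append(Finding(pid, "system_task_runs_sysroot_binary", f"{tn}: {tr}"))
    return out

def detect(events):
    return [f for ev in events for f in check_event(ev)]

def root_of(events, pid):
    """Walk ppid links up to the oldest process we have an event for."""
    parents = {e["pid"]: e["ppid"] for e in events}
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid

def correlate(events):
    """Group findings by the root of their process chain."""
    groups = defaultdict(list)
    for f in detect(events):
        groups[root_of(events, f.pid)].append(f)
    return dict(groups)

if __name__ == "__main__":
    for root, fs in correlate(EVENTS).items():
        print(f"chain rooted at pid {root}: {len(fs)} findings")
        for f in fs:
            print(f"  pid {f.pid} {f.rule}: {f.detail}")
```

Against the constructed events the four rules fire once each, on PIDs 5672, 3624, 2044 and 6040, and every hit rolls up to PID 5800, the dropper; Task Manager, the shell32 rundll32 and the daily backup task produce nothing. None of the rules depend on the task names or the file names, so a rebuilt sample that renames rhaegal, drogon or infpub.dat is still caught by the SYSTEM-task and %SystemRoot%-drop patterns.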
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5:    ab8ce148cb7d44f709fb1c460d03e1b0
SHA1:   44d15744015155f3e74580c93317e12d2cc0f859
SHA256: 014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512: f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Filesize: 152B
MD5:    38f59a47b777f2fc52088e96ffb2baaf
SHA1:   267224482588b41a96d813f6d9e9d924867062db
SHA256: 13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA512: 4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Filesize: 2KB
MD5:    c005648f4abf79b64c7b230385fb3adc
SHA1:   ac3bbdefd0ca8759cf3e88e28625547ba22b4644
SHA256: eadd215ac1fbcca89e86b22b9a2b846d8c3f48699bf6bb48eacfce35e589a5eb
SHA512: 5beaf82e00c6e13d48e6dde73b55975f831a399f052260a5295a3f73f6b30728363ff83c4c67c94359ab67a23b4aca3a6b00b2ae0ab483be78f9b6d98fb53c17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5:    6af3af517ad3580c0bdadca6538f18c5
SHA1:   4e8844b3cccac00d74341daa6470f30e8e8dd8c6
SHA256: 93ed5963fa662b62d5c3174ce15d1f2ca63cea5558c85cbcf961b1dffa873970
SHA512: 6d53e0425cd8c29d28a0e461cd23ce62e43342710f352622b9bb33238623e9c0f50cd0ea54e04228f9dffb7949144fa01dc0910c51370de2c07ee1605a3a5256

Filesize: 678B
MD5:    79bd5848e6705dff0bb80c576b374d76
SHA1:   0931ce26c71cd1de42e246b2c02e12d8bcb4b53f
SHA256: 6bf9e78dec4cdbb2c3d9bbcba81c842de08a64f5df4fe1ec7657982f10a35d0c
SHA512: a37e376976494ff8bec65c0355ca929ed2a443f0ae0892d87b899c4ccbfc7f549de3902c559de65d91ffcf11c1f9120488d60249a39ca45179f730a81d384714

Filesize: 6KB
MD5:    41d02c521da7e1ee022d4ab603b0fae9
SHA1:   c4b7e4063763a0d86582d879e5e2d78fc9e312a4
SHA256: c2adc0e8540172adcfe2d04b755c195801b3c0b47dfe3a7d3541213a0fd87005
SHA512: d956c0ce1f06ad081da1e8b007273bb336717bb1a6fd41875994364479ba3282d6264138e0b34f25e9d8acdb404260fa6420fc669d95564430e15dcfa8f96798

Filesize: 5KB
MD5:    73043714e9250b8e041731b83c8eb9e6
SHA1:   7900642ceece651272d37a07ba69147e0db174b3
SHA256: 084e6c476885b139dd5f78c9c4e633116095625f58002b64a01b581bdd117f58
SHA512: cacaf94e307553bb6743f6e03fb193389d70d2124b192cc3b7c244acf3bfded31043432eb52a732fbf6925b056372c4f88b490e6825efd85f833436303e5e9cd

Filesize: 6KB
MD5:    a751a52f45fc9cfb7b0db28555e5ee8c
SHA1:   520a7ffaa6ea556f777ef6347ed1ec1d6a9a8bfe
SHA256: bd32ea8328e87e6f376a99d68dd30db75ec3c3cdb309f1027da88c1387ae8802
SHA512: 2344378071aee705b74a10ff3c1ff7750b7f55435b4289228b8fa5dfdb845bbb2623182df0e12cbd1d1a01be50d5163ef0487bcd6fa68aeb845fd5366a880a45

Filesize: 6KB
MD5:    0648f06fe71ae67a50632fc541032006
SHA1:   e46fbb159717f85777e693c6cd974f79a16890ba
SHA256: 093abd5c09916ecd3a3c0a135f5cd522f3252be0bba444a18be40e32edf59521
SHA512: 71c3b42cde230055bd8af80dcc5b52bb6362b5db10b7da4da8927a20e106eaa420318952b4f69a524bc771afbda9eda0f7b6c63d6d1fb5cd7f77eb0fd6c038e6

Filesize: 1KB
MD5:    5cf6bb2895e34ae06a8b391514707ffb
SHA1:   84a5b5df9ac7cdc6342ec63556e5f706077fca73
SHA256: 5c44eff4243dfc498b983c0cebea0cbe01ca1a623b58122060d12d9a6ea64a5e
SHA512: 5ab9ba79274cdb6087b21d0576778701aad15a2c0456d391fe5edd2c82f6c7560f4efd80fe7bf8e69fa85b6bc114b24f5871b21cfa09c128b8db9df395ea9276

Filesize: 1KB
MD5:    887cbc6894d413aae7150f5385d24811
SHA1:   670d63e4330953f883a05e0adab7580bfba89999
SHA256: 7df3c258aed721b7a6bcb7e0c921c8e3a64d5d37653da06807a6ebaedea4e16d
SHA512: 5379e50664541e91f277264a7699734bd1a8314e27c6c765c1f570ef69f8752e94a17581fe2a5aa23c6f48a74c71f59b8f2bea2d5f41577d60e89e15822c5205

Filesize: 1KB
MD5:    469aa815ab9eb35d76386fe0f444b3f4
SHA1:   1afba03258c9b00d0d98027e6f2a877d691d7c72
SHA256: 78259413cbbbddefbbc69518fbcb6982a0761653b242994fb0f32fa6dfc057b3
SHA512: 2000b9d8e5d9f12a0feddf8f08f63bbc1a7b1dfc61265390d04a77db625dd640de9386f0ab29fb7e1de1c03c20271c4878022c5b26f18eb3a581a523df2688ae

Filesize: 1KB
MD5:    cd637be464e329de39e65b1bedb01fc7
SHA1:   b9b338fab1b786e1826383bc6330549d7ce15c82
SHA256: d08e4ba41df5fc8a822b4476aa7d278468d54ef24858dff0d6bfdbc295ac1340
SHA512: 0b7dcd598a5028da50bb23ebc5cc78c7acba2050f13847cddba8025c38547da4c8b79cd891a2d2cab151b0a78db06483316a5bbfff46ea5d06807909daed106f

Filesize: 16B
MD5:    6752a1d65b201c13b62ea44016eb221f
SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5:    d7f07beec00bb482535156d72593455a
SHA1:   728982173a22faf672e95d0d42e0342076135ef3
SHA256: 1963e4e5782e5d3eb96ac7ff6cc58ee7073871956e1cb6557bf55c16f0712a33
SHA512: 2e3c9799873b1bc63d0939b24dd275ec2d721b1af56d5230523b14fc305540702b9c48877e4bd9fd4630975db0652717eee46352320175fbb037284c71400267

Filesize: 11KB
MD5:    baf854fb918848eb4cf21f87d46cc4c4
SHA1:   b9ffeb7f7292d95dea437a2821d39b4db002339e
SHA256: 5521cf3eee30584b1442863711d9f40409f5eec18183ef8aed51028535a02dc3
SHA512: 4c7ec3e6d2eb257996b8865b0d3c502269151a7a4331751e3c603ca65468f095dd75392a88f7ae67c96a2c82354e85e9237c2cf41b0dcc291225938df594f380

Filesize: 11KB
MD5:    e914bb9b8df156dd318f6b887b8cf24c
SHA1:   a3bce6e31cf12c52c2c1a2dfcb63486ac7d8f59c
SHA256: 60c7d8a93c1a1c5fe23be2c8a01cf6f5aaf5b71fd710ef8a7f625545a09e38e0
SHA512: 40738e2f0e691e94e6718f35b6ccbe4a1ae1587fda72c9aab8c2defcf6251e5b407af3b923dac5df62acf51279fdba7f615e9225ae7289e27e729aacc507793a

Filesize: 12KB
MD5:    d15c17d63d03d11c07c353a05466a91c
SHA1:   c08f67615b32112af2e96fefe170f69f6959ca67
SHA256: 0a8f03c110ecde45cdf204a35ecda8ec11aa7a8561be62b94964fc46f224f086
SHA512: 8e4a7ea2740d735773f3696d5fdf38fa27c8e13c45245449c37e6fb89063f871f11673c07840a9738c60509b4a1042f7d353314d1f852ea4d671c21128ea2a3a

Filesize: 393KB
MD5:    01ed524f2126364c3ea3bae2c492cc21
SHA1:   b7577238336d22e450ca4709f98674d43ca3ff8d
SHA256: bef8c8a5b5d6c2a636e9333050534827d63ec1bd88cbcf3a6e9511c3c007c3fa
SHA512: 54f4c2df177bd47e420e826f7d5aef8e47077b92007954be1b81572b1c6b1809f817788b86fef0c36ef7d22d93d0a4aecbe9946bb3adfc2dc7a35d1a6a58fd32

Filesize: 393KB
MD5:    61da9939db42e2c3007ece3f163e2d06
SHA1:   4bd7e9098de61adecc1bdbd1a01490994d1905fb
SHA256: ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa
SHA512: 14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Filesize: 60KB
MD5:    347ac3b6b791054de3e5720a7144a977
SHA1:   413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Filesize: 401KB
MD5:    1d724f95c61f1055f0d02c2154bbccd3
SHA1:   79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

The report gives a path for only one of these entries (an Edge code-cache index); the small files are browser cache and profile artifacts from loading the GitHub page, and the list is not ordered by dropped-file name. Two entries are still identifiable from published Bad Rabbit indicators: the 401KB file with SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 is the hash published for infpub.dat, and the 60KB file with SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c is the hash published for its 64-bit Mimikatz-based credential module, which matches the Mimikatz YARA hit and the FE60.tmp execution above.
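A hash list like the one above is only useful if it can be parsed reliably and matched against files at scale. The following is an added example, not part of the report: it parses the report's flattened Filesize/MD5/SHA1/SHA256 lines (two real entries from the list above are embedded as the sample input, including the fused "Filesize2KB" form that appears in the extraction), rejects digests of the wrong length, and sweeps a directory using the reported size as a prefilter so that only size-compatible files are hashed. The scratch files, the constructed record and the "label" field are assumptions made for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Excerpt copied from the report's Downloads list (sizes as the sandbox prints
# them, rounded to whole KB). MD5/SHA1/SHA256/SHA512 lines are all accepted.
REPORT_EXCERPT = r"""
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD56af3af517ad3580c0bdadca6538f18c5
SHA14e8844b3cccac00d74341daa6470f30e8e8dd8c6
SHA25693ed5963fa662b62d5c3174ce15d1f2ca63cea5558c85cbcf961b1dffa873970
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
FILESIZE_RE = re.compile(r"^Filesize\s*(?:(\d+)(B|KB|MB))?$")
SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def size_window(n, unit):
    """A 'B' size is exact; a rounded KB/MB value becomes a +/- one-unit window."""
    base, slack = n * UNIT[unit], (0 if unit == "B" else UNIT[unit])
    return base - slack, base + slack

def parse_downloads(text):
    records, cur, pending_path = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if PATH_RE.match(line):            # a path line precedes its record
            pending_path = line
            continue
        m = FILESIZE_RE.match(line)
        if m:
            cur = {"path": pending_path, "window": None, "digests": {}, "label": "report"}
            pending_path = None
            records.append(cur)
            if m.group(1):                  # "Filesize2KB" fused onto one line
                cur["window"] = size_window(int(m.group(1)), m.group(2))
            continue
        if cur is None:
            raise ValueError(f"data before first Filesize record: {line!r}")
        m = SIZE_RE.match(line)
        if m and cur["window"] is None:
            cur["window"] = size_window(int(m.group(1)), m.group(2))
            continue
        m = DIGEST_RE.match(line)
        if m:
            algo, hexd = m.group(1), m.group(2).lower()
            if len(hexd) != DIGEST_LEN[algo]:   # truncated or garbled digest
                raise ValueError(f"{algo} digest has {len(hexd)} hex chars, want {DIGEST_LEN[algo]}")
            cur["digests"][algo] = hexd
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return records

def hash_file(path):
    hashers = {a: hashlib.new(a.lower()) for a in ("MD5", "SHA1", "SHA256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def sweep(root, records):
    """Hash only files whose size fits some IoC's window; return (name, record) hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        size = p.stat().st_size
        candidates = [r for r in records if r["window"] and r["window"][0] <= size <= r["window"][1]]
        if not candidates:
            continue
        digests = hash_file(p)
        for r in candidates:
            if any(r["digests"].get(a) == d for a, d in digests.items()):
                hits.append((p.name, r))
    return hits

def demo():
    """Scratch directory: a size-matching decoy, a tiny file, and one true match."""
    records = parse_downloads(REPORT_EXCERPT)
    sample = b"constructed sample content, not malware\n" * 50      # constructed, 2000 bytes
    records.append({"path": None, "window": size_window(len(sample), "B"), "label": "constructed",
                    "digests": {"SHA256": hashlib.sha256(sample).hexdigest()}})
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "decoy.dat").write_bytes(b"\0" * (401 * 1024))   # right size, wrong hash
        (Path(d) / "note.txt").write_bytes(b"hello")                 # never hashed
        (Path(d) / "sample.bin").write_bytes(sample)
        return sweep(d, records)

if __name__ == "__main__":
    for name, rec in demo():
        print(f"{name}: matches {rec['label']} IoC {rec['digests']}")
```

The size prefilter is what makes a sweep over a large file share affordable: decoy.dat is hashed because its size falls inside the 401KB window, note.txt is never opened, and only sample.bin matches. The window is deliberately one unit wide because the sandbox prints rounded sizes, so an exact byte-count comparison against "401KB" would miss the real 410,760-byte file.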