badrabbit | e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734 | Triage

Submit
Reports

Overview

overview

Static

static

3

CryptoWall.exe

windows11-21h2-x64

Sharing

General

Target

CryptoWall.exe
Size

132KB
Sample

240924-wfgr7szcrc
MD5

919034c8efb9678f96b47a20fa6199f2
SHA1

747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256

e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512

745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
SSDEEP

3072:naRQpzd/99wen3XgWorw8I3h8LkMvqCgQfBUnPy8L6kssU:nJdTwo30ri3h8LkMvqCgQfBUPy8L6ksP

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence ransomware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

CryptoWall.exe

Resource

win11-20240802-en

badrabbit mimikatz defense_evasion discovery persistence ransomware

windows11-21h2-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  CryptoWall.exe
- Size
  
  132KB
- MD5
  
  919034c8efb9678f96b47a20fa6199f2
- SHA1
  
  747070c74d0400cffeb28fbea17b64297f14cfbd
- SHA256
  
  e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
- SHA512
  
  745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
- SSDEEP
  
  3072:naRQpzd/99wen3XgWorw8I3h8LkMvqCgQfBUnPy8L6kssU:nJdTwo30ri3h8LkMvqCgQfBUPy8L6ksP
Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence ransomware
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

badrabbitmimikatzdefense_evasiondiscoverypersistenceransomware

© 2018-2024

Terms | Privacy