Analysis
-
max time kernel
177s -
max time network
178s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 07:12
Static task
static1
Behavioral task
behavioral1
Sample
BadRabbit.zip
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
BadRabbit.zip
Resource
win10v2004-20241007-en
General
-
Target
BadRabbit.zip
-
Size
393KB
-
MD5
61da9939db42e2c3007ece3f163e2d06
-
SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb
-
SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa
-
SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e
-
SSDEEP
12288:KPd6ZnyRPZJhKymLkH+yDXZEyfMrvDca6:Koy5ZJ7BeeXmb8a6
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x0007000000015d52-25.dat mimikatz -
Executes dropped EXE 7 IoCs
pid Process 808 [email protected] 2384 25D8.tmp 1164 [email protected] 2012 [email protected] 1700 [email protected] 2564 [email protected] 2372 [email protected] -
Drops file in Windows directory 15 IoCs
description ioc Process File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\infpub.dat [email protected] File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\25D8.tmp rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\infpub.dat [email protected] File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\infpub.dat [email protected] -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1828 schtasks.exe 2744 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 376 rundll32.exe 376 rundll32.exe 2384 25D8.tmp 2384 25D8.tmp 2384 25D8.tmp 2384 25D8.tmp 2384 25D8.tmp 2236 rundll32.exe 2508 rundll32.exe 1060 rundll32.exe 1820 rundll32.exe 2736 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2252 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeRestorePrivilege 2252 7zFM.exe Token: 35 2252 7zFM.exe Token: SeSecurityPrivilege 2252 7zFM.exe Token: SeShutdownPrivilege 376 rundll32.exe Token: SeDebugPrivilege 376 rundll32.exe Token: SeTcbPrivilege 376 rundll32.exe Token: SeDebugPrivilege 2384 25D8.tmp Token: SeShutdownPrivilege 2236 rundll32.exe Token: SeDebugPrivilege 2236 rundll32.exe Token: SeTcbPrivilege 2236 rundll32.exe Token: SeShutdownPrivilege 2508 rundll32.exe Token: SeDebugPrivilege 2508 rundll32.exe Token: SeTcbPrivilege 2508 rundll32.exe Token: SeShutdownPrivilege 1060 rundll32.exe Token: SeDebugPrivilege 1060 rundll32.exe Token: SeTcbPrivilege 1060 rundll32.exe Token: SeShutdownPrivilege 1820 rundll32.exe Token: SeDebugPrivilege 1820 rundll32.exe Token: SeTcbPrivilege 1820 rundll32.exe Token: SeShutdownPrivilege 2736 rundll32.exe Token: SeDebugPrivilege 2736 rundll32.exe Token: SeTcbPrivilege 2736 rundll32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2252 7zFM.exe 2252 7zFM.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2112 AcroRd32.exe 2112 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 808 wrote to memory of 376 808 [email protected] 35 PID 808 wrote to memory of 376 808 [email protected] 35 PID 808 wrote to memory of 376 808 [email protected] 35 PID 808 wrote to memory of 376 808 [email protected] 35 PID 808 wrote to memory of 376 808 [email protected] 35 PID 808 wrote to memory of 376 808 [email protected] 35 PID 808 wrote to memory of 376 808 [email protected] 35 PID 376 wrote to memory of 2816 376 rundll32.exe 36 PID 376 wrote to memory of 2816 376 rundll32.exe 36 PID 376 wrote to memory of 2816 376 rundll32.exe 36 PID 376 wrote to memory of 2816 376 rundll32.exe 36 PID 2816 wrote to memory of 2308 2816 cmd.exe 38 PID 2816 wrote to memory of 2308 2816 cmd.exe 38 PID 2816 wrote to memory of 2308 2816 cmd.exe 38 PID 2816 wrote to memory of 2308 2816 cmd.exe 38 PID 376 wrote to memory of 340 376 rundll32.exe 39 PID 376 wrote to memory of 340 376 rundll32.exe 39 PID 376 wrote to memory of 340 376 rundll32.exe 39 PID 376 wrote to memory of 340 376 rundll32.exe 39 PID 340 wrote to memory of 1828 340 cmd.exe 41 PID 340 wrote to memory of 1828 340 cmd.exe 41 PID 340 wrote to memory of 1828 340 cmd.exe 41 PID 340 wrote to memory of 1828 340 cmd.exe 41 PID 376 wrote to memory of 1872 376 rundll32.exe 42 PID 376 wrote to memory of 1872 376 rundll32.exe 42 PID 376 wrote to memory of 1872 376 rundll32.exe 42 PID 376 wrote to memory of 1872 376 rundll32.exe 42 PID 376 wrote to memory of 2384 376 rundll32.exe 44 PID 376 wrote to memory of 2384 376 rundll32.exe 44 PID 376 wrote to memory of 2384 376 rundll32.exe 44 PID 376 wrote to memory of 2384 376 rundll32.exe 44 PID 1872 wrote to memory of 2744 1872 cmd.exe 46 PID 1872 wrote to memory of 2744 1872 cmd.exe 46 PID 1872 wrote to memory of 2744 1872 cmd.exe 46 PID 1872 wrote to memory of 2744 1872 cmd.exe 46 PID 1164 wrote to memory of 2236 1164 [email protected] 49 PID 1164 wrote to memory of 2236 1164 [email protected] 49 PID 1164 wrote to memory of 2236 1164 [email protected] 49 PID 1164 wrote to memory of 2236 1164 [email protected] 49 PID 1164 wrote to memory of 2236 1164 [email protected] 49 PID 1164 wrote to memory of 2236 1164 [email protected] 49 PID 1164 wrote to memory of 2236 1164 [email protected] 49 PID 2012 wrote to memory of 2508 2012 [email protected] 52 PID 2012 wrote to memory of 2508 2012 [email protected] 52 PID 2012 wrote to memory of 2508 2012 [email protected] 52 PID 2012 wrote to memory of 2508 2012 [email protected] 52 PID 2012 wrote to memory of 2508 2012 [email protected] 52 PID 2012 wrote to memory of 2508 2012 [email protected] 52 PID 2012 wrote to memory of 2508 2012 [email protected] 52 PID 1700 wrote to memory of 1060 1700 [email protected] 56 PID 1700 wrote to memory of 1060 1700 [email protected] 56 PID 1700 wrote to memory of 1060 1700 [email protected] 56 PID 1700 wrote to memory of 1060 1700 [email protected] 56 PID 1700 wrote to memory of 1060 1700 [email protected] 56 PID 1700 wrote to memory of 1060 1700 [email protected] 56 PID 1700 wrote to memory of 1060 1700 [email protected] 56 PID 2208 wrote to memory of 864 2208 rundll32.exe 58 PID 2208 wrote to memory of 864 2208 rundll32.exe 58 PID 2208 wrote to memory of 864 2208 rundll32.exe 58 PID 864 wrote to memory of 2112 864 rundll32.exe 60 PID 864 wrote to memory of 2112 864 rundll32.exe 60 PID 864 wrote to memory of 2112 864 rundll32.exe 60 PID 864 wrote to memory of 2112 864 rundll32.exe 60 PID 2564 wrote to memory of 1820 2564 [email protected] 64
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BadRabbit.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2252
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
PID:2308
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1355648636 && exit"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1355648636 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:32:003⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:32:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2744
-
-
-
C:\Windows\25D8.tmp"C:\Windows\25D8.tmp" \\.\pipe\{72655514-63B1-4D09-9F1D-B9FE754F094C}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RegisterConvert.7z1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RegisterConvert.7z2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\RegisterConvert.7z"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820
-
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5c0dba47d378768fa7530ce242c928321
SHA131e12170028fdd669f598193bcbb6bb86d600099
SHA256fdc3f2e730955b89692cbd2d9b1707d5d4e8ad8f36e785355b3bffbcc763dc7d
SHA51286ac007f021a2e1c90bb4cb0cf3a86deb791030c77813b1a956363bfc86bd87622ed6f7c5d1d649ba45dc8cd28ca278328d7488249cbb883242ac76747688baf
-
C:\Users\Admin\Desktop\[email protected]
Filesize431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD5c29d6253d89ee9c0c872dd377a7a8454
SHA146be3800684f6b208e0a8c7b120ef8614c22c4b0
SHA25603f4198a279ea4c36a62cd271d3b2d796547013548666006fbef45e20bb920cb
SHA51250141de5e0a827688251161353932b677c85e0d6e6831293c9a0044543e541fe8bd4e62fa403abc06df9d220fd843aa58ff9cc37abf46be3e06ae14905c24a5e
-
Filesize
401KB
MD5c4f26ed277b51ef45fa180be597d96e8
SHA1e9efc622924fb965d4a14bdb6223834d9a9007e7
SHA25614d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
SHA512afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113