Resubmissions
22-10-2024 00:20
241022-amwdaavhka 1022-10-2024 00:16
241022-akkh1axdjl 1022-10-2024 00:12
241022-ag8fnaxbnk 922-10-2024 00:09
241022-afjqxaxalp 822-10-2024 00:06
241022-adv16awgrr 6Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-10-2024 00:16
General
-
Target
WaveInstaller.exe
-
Size
2.3MB
-
MD5
215d509bc217f7878270c161763b471e
-
SHA1
bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
-
SHA256
984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
-
SHA512
68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b
-
SSDEEP
49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 5 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 13 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaafae46f8,0x7ffaafae4708,0x7ffaafae47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2040 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6396 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6912 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6672 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3879546302 && exit"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3879546302 && exit"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:36:004⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:36:005⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\2F24.tmp"C:\Windows\2F24.tmp" \\.\pipe\{BD7C078A-64C0-42EB-AA3A-53413BF63AB2}4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9077957328895335551,6523785564323263178,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ConvertToCompress.js"1⤵
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
70KB
MD54308671e9d218f479c8810d2c04ea6c6
SHA1dd3686818bc62f93c6ab0190ed611031f97fdfcf
SHA2565addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a
SHA5125936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
3KB
MD5b040e52ca85e12ca2598a64ecf28bbe6
SHA1e4264594ce2009cfb954eccaf4e9ec6cbd65a379
SHA256b41585b57ad0acfd0fcf6f0305932c8bff099cca7a170574d5016a5145fdd44c
SHA512e3bac8a32af96bae4e201c3daab3b9cd5287371749126b7ff286df0f123f013b107f0558938c46b2f346c74ef1a0f5d8b328f3b4911dfb95b0a293842e64cf4e
-
Filesize
3KB
MD5a3e48900267b70b930a6f277cd3ace29
SHA110951b017ec539cd7f9c3023d1ef2e67214bbc44
SHA2560a42d1e4937487de33a618ce3a5294d44083a4ce8bfd1666bdc6fbd8604c5fe7
SHA512ab0d210572b6863a508a6573bf42bd45dc67ce81115af05da7c44820ce31037bb6470c0d2b9fa3fe41a7ece541b75deebd4e846f270e583553bac404f28e45d2
-
Filesize
871B
MD5ddbcfd686d1c0c2a2d7c04c12d727432
SHA1bd0d1046e9cf38b4d963f25cdf0e4fc82d967fe1
SHA256c0fc87af4e6c19ba9a274bb73d654ced31ff0af9b0fdd5bf3b39a460916fe388
SHA5125360965b39a15c29ae6702f4d1c544fe15635bb0e540feed05df3b474a1e2190829a33cb7187642c46e840f7325552e20cde6c18cdbe918891f0d716d0a0c009
-
Filesize
6KB
MD53b3171d8208408acc54ecc44bd700454
SHA1cf39b9ca32e2b7c005d0cdec7d76876464e70e4f
SHA2564af8440c26799b5deb6b4a0bb90c0b244d080e9bb64f081267b28487bf248ee6
SHA512b663b45eba419a521e908ccc33236958b0fa900eb23fc06df0e06778d543124f70580dea92356a00ed9a7f66a920df21c981a03829ce0b4c21b41a4a050c16f5
-
Filesize
6KB
MD58df913c75268e37905900cd988497a04
SHA1c3aa3c78066604db3ec75e094cfe8e1cd85e1dc7
SHA256e21d66f0530a93add7a7e352faddc9750839d87aaded1a3cd716607114386356
SHA5129f948a41576b35549c8a4549e9671b0fee8eb541457e1a533d478bcafbf7ad0bde1032edf69be971e6bdb5942a2943ba1eae4f90b495c0c16465fd9c976bf4c3
-
Filesize
7KB
MD533e24fb975764da3eaa972cfadf0ec20
SHA13402d8ecfe7e75e7a6b41b64e2f6fb79c474cc76
SHA2562f0efaaddb88091b82d2bde19b05d41b87151c3f98753ebd1933488296155860
SHA512a04db3db1ed2726bf12875c0d2e6e51f94c16d6f760ad34a020a5f5a00125bb5ae87b4dd27f44e88928633f2c5175781498660601050893d7e66cf7bd2c3a0d7
-
Filesize
5KB
MD588230a4c49620186e4353f7b893acf05
SHA195cd88c0d10624fe9f3ad19e4f4eba6900c498d7
SHA2569089621ee1501b0b87a03e592aad0f2573303de58124195a1435fa00734d719d
SHA5123df5db462bc9e4b76c628251ba5cd0869a6f672e2b0b0ecbb0d15323d38fecd0e33a25adabb0aa61794fe8b1f9ab270d06acd946e7a7a2ed66f15df0f1fae5eb
-
Filesize
7KB
MD53563fa38ebcf5e7ef38bec61ef468566
SHA182615427dc582766fb9a0d81551682c9b7a98e34
SHA2564d542ee6e3a31b68f8f72c8a42ad86f3e4080471eeebaaf908061bfadfbdf574
SHA5128fd9c82bd2e2418bbcf1abc5cff480c2b3ec2966a25e01bd6cdba9c861784481447b6990cc97b6e9eddbced32c53c40e0d5ce2e5a370c203812d4be3379514ee
-
Filesize
1KB
MD5a5e1a45a7215ac4ba44e990586023472
SHA144cf6d59cae20697094abc206def638fd5c5cc28
SHA256a71d3028c894e0a65eb454e04b966a77a68cbb2c541b502fa7305a2e1b706a75
SHA51263b6fc656f23d379eed7d85ba16d335304ac9d6fd8fb661de82ff2a7151e0313bc597b6e28bff171100cbadacfb1492b3d5ab33c62ada39657ccce1ff6ac56c2
-
Filesize
1KB
MD54970246bb0ab00b7c82b077343093f75
SHA1dd082efa3647c6bf01987d5e63e42159084ccfa5
SHA25612af207a4d2f5cd85a3c132bfcffe86161b56747d30034a806c1212a4597787d
SHA5123f2ba0acd71df7bcd5066efa756f9cc7e2d600769639ff7de88bf6a9640a5d624032fe09e02dfbb2403bf3f11da6cebbc640ff4a83fa270c43bff0e10a0fd838
-
Filesize
1KB
MD59fe6b92a1a348e80bbe5f6a71af50af1
SHA14a1c80f0d92ea2d993931481425c2309be54108c
SHA2569faf0b44f37acae2cd473bd88f2181f6f6ab5728ca551bdb8ddb79573ae97404
SHA512e0e3ba90d2f580ca159cc69a22312869052e41ab9f859cadf44a7550ae482031402721c40f95eb52cded9dea6c26946f0a84e50f2ae5a31d1001ecb41c00dd94
-
Filesize
1KB
MD506707762d87381cc0aaf468a1a28fe03
SHA1889bff536a495f16f5dc24436ce00ba5c29ebc7b
SHA256d699a9bdb92d147823bdb2b5810ecbbb9bee0bbece5612dc407622d09c571caf
SHA5125a3a95c3f0e9afe72332a3d0c1a04a5e634180569ea18e4672233df75f6e50272ca4d8b63f20777a49430c6c29049896d9b23a2793bcd3c33dd75fb50b76ac25
-
Filesize
1KB
MD519bef8069aac401dc135bd550a51326e
SHA1ad88745a55a3e6a89bd84a090714be449e408a7a
SHA256227ff885c9b3dac053e8d131c8997fb5d66b277eb0b50c6c619be9448c7d1754
SHA51263b271418a1c0a15469d760ff4916e160528cf672e19e66d4cf39496c064a31c5a4a37652fa80411af5670674b95d812ba8429e37420ef861901416859175541
-
Filesize
1KB
MD5297a24e4e31be244f511b6d483c34fe5
SHA1454729e7eb24810e602062d74a95754d0f5a16cd
SHA256872366be257664643c6505326ca68cd2a07f8e7aa48984b282a4cdfb9bcd3081
SHA512115b26bc7293ab30070ce0f8346f8bf010ebd1831d15937dcf257f3b9767129e64a54bc153399b03885c0d20d9d09fb5453cdf863b14b837b6de04cb96a2323c
-
Filesize
1KB
MD5166d103970890a7afeccfedaabd5b318
SHA1b82958b919733de058e6ef9b2804b9e37c20be0f
SHA25602ccc3b6926ca2c61f4c50cf9255852546547fc38be9ea4a1179aeb15d86f561
SHA512e2bdf9f12cb6e9bbd6093583a5ef8bcd1d65e4f3a7781cd4f37232130c3dd7107c91f6b047899c9d9a3f60431f9e7544575d930d54cda9e6fd09bd9e324aaf3f
-
Filesize
1KB
MD5f3b67dafb2750bedf27775ee7d00d476
SHA1e2f0c48e7f6396bfac19c18b69242684ad8bb36c
SHA256f9e693a19d60e08472a620ba370830af1a99be08c4ef3e9e8e9f0d2f34c746fe
SHA512c36161476a9f72546a79326d7a7dff0ff180bc474bb453049b91cc58777323007f8fb96e854310f15913e2661a1784602254a5a4f267dd41389c148553c8dffc
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5e681f371e9ef9c5418e7e777fdc484c1
SHA161b7448cd29ebb5f789a5c27eea45fe7e67c0266
SHA25617ec88767177aae81d719ce185da625898044791bb3ad88650122b6d969144ec
SHA5122e710072286a835f5cb1492a5cb670668d8f563e9fad8ff2566660c162d17fa46f3e199b18673bea1e0e9a7afcb86065ad4100ac1bf14e03b168d4b8b42e8031
-
Filesize
12KB
MD5cc294cfa69c2a1cdb8ca3b8c574455c4
SHA188bf58206b8191fd6d95e634ed0408322c85fea9
SHA256b815be4e05b97f45c3fb80134e7a139f28413a6e6351d3410703fb423c116ec2
SHA512e8819536569592097d2290e531337d4aa6904373e35e07796cf04db9f6c5263943760cb637a563480707f458feaf59318695eb444c8772ac236e5df82282af40
-
Filesize
300KB
MD5f52fbb02ac0666cae74fc389b1844e98
SHA1f7721d590770e2076e64f148a4ba1241404996b8
SHA256a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA51278b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
5KB
MD5fe537a3346590c04d81d357e3c4be6e8
SHA1b1285f1d8618292e17e490857d1bdf0a79104837
SHA256bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
SHA51250a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD5c4f26ed277b51ef45fa180be597d96e8
SHA1e9efc622924fb965d4a14bdb6223834d9a9007e7
SHA25614d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
SHA512afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
80KB
-
Filesize
272KB
-
Filesize
32KB
-
Filesize
584KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
80KB
-
Filesize
328KB