Overview

overview

10

Static

static

1

BobaFett/data/21.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    869s
  • max time network
    872s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BobaFett/data/21.ps1

  • Size

    72KB

  • MD5

    6427a151bf58d55a2d2206becaa6c828

  • SHA1

    7503d61ce2d978e8a13896b77fee81f76a096e8b

  • SHA256

    0215d2b283a12a5a545cc99256c42d963f6c379392bc89242f54dd5e66d61fc3

  • SHA512

    582eaac5621eafe8c4ee5111108633b4199f23b21c6476b3a4e58d40453d57e187d3abaedd151658604d874e679eaa76b0200fb471f4cab91f2cdaa7b227d8b7

  • SSDEEP

    1536:edKS8RJA67OK1jlLfXso8Z6rD/EFD32/2fWt4DnqPOvwETg:2KDTzjNko8Z6H/4zVK4lv70

Score
10/10
badrabbitcerbermimikatzbootkitdiscoveryevasionexecutionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___5BMJ2W_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/2435-6248-F759-0098-BADA Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/2435-6248-F759-0098-BADA 2. http://xpcx6erilkjced3j.19kdeh.top/2435-6248-F759-0098-BADA 3. http://xpcx6erilkjced3j.1mpsnr.top/2435-6248-F759-0098-BADA 4. http://xpcx6erilkjced3j.18ey8e.top/2435-6248-F759-0098-BADA 5. http://xpcx6erilkjced3j.17gcun.top/2435-6248-F759-0098-BADA ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.1n5mod.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.19kdeh.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.1mpsnr.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.18ey8e.top/2435-6248-F759-0098-BADA

http://xpcx6erilkjced3j.17gcun.top/2435-6248-F759-0098-BADA

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Badrabbit family
    badrabbit
  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Cerber family
    cerber
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Mimikatz family
    mimikatz
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Contacts a large (1143) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 20 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 4 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs