Overview

overview

10

Static

static

1

rabbit.exe

windows7-x64

10

rabbit.exe

windows10-2004-x64

10

rabbit.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2025 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rabbit.exe

  • Size

    431KB

  • MD5

    fbbdc39af1139aebba4da004475e8839

  • SHA1

    de5c8d858e6e41da715dca1c019df0bfb92d32c0

  • SHA256

    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

  • SHA512

    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  • SSDEEP

    12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score
10/10
badrabbitmimikatzdiscoveryransomware

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Badrabbit family
    badrabbit
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Mimikatz family
    mimikatz
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rabbit.exe
    "C:\Users\Admin\AppData\Local\Temp\rabbit.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3956
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2215651720 && exit"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2215651720 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:244
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 05:18:00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 05:18:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3644
      • C:\Windows\9C40.tmp
        "C:\Windows\9C40.tmp" \\.\pipe\{F861D40A-35EE-407B-AE7E-254E24F01785}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
  • C:\Windows\System32\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
    1⤵
    • Network Service Discovery
    PID:4628
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4172
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies registry class
    PID:1576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Videos\Captures\desktop.ini
    Filesize

    190B

    MD5

    b0d27eaec71f1cd73b015f5ceeb15f9d

    SHA1

    62264f8b5c2f5034a1e4143df6e8c787165fbc2f

    SHA256

    86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

    SHA512

    7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

    Download Submit

  • C:\Windows\9C40.tmp
    Filesize

    60KB

    MD5

    347ac3b6b791054de3e5720a7144a977

    SHA1

    413eba3973a15c1a6429d9f170f3e8287f98c21c

    SHA256

    301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

    SHA512

    9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

    Download Submit

  • C:\Windows\infpub.dat
    Filesize

    401KB

    MD5

    1d724f95c61f1055f0d02c2154bbccd3

    SHA1

    79116fe99f2b421c52ef64097f0f39b815b20907

    SHA256

    579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

    SHA512

    f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

    Download Submit

  • memory/1180-3-0x00000000029F0000-0x0000000002A58000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1180-11-0x00000000029F0000-0x0000000002A58000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1180-28-0x00000000029F0000-0x0000000002A58000-memory.dmp

    Filesize

    416KB

    Download