badrabbit | 137cfbc6611add95e7dd00247098efc9aa4b16771d62c20a5d149f2181da6d6c

Analysis

max time kernel
810s
max time network
432s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Contract Action.pdf.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x001b0000000162a8-20.dat	mimikatz

Blocklisted process makes network request 5 IoCs

flow	pid	Process
222	2628	rundll32.exe
234	2628	rundll32.exe
245	2628	rundll32.exe
257	2628	rundll32.exe
268	2628	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
372	8FDC.tmp
4000	dispci.exe

Loads dropped DLL 6 IoCs

pid	Process
2628	rundll32.exe
2436	rundll32.exe
1340	rundll32.exe
3448	rundll32.exe
768	rundll32.exe
5112	rundll32.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\8FDC.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dispci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3436	schtasks.exe
4112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
372	8FDC.tmp
372	8FDC.tmp
372	8FDC.tmp
372	8FDC.tmp
372	8FDC.tmp
372	8FDC.tmp
2436	rundll32.exe
2436	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
3448	rundll32.exe
3448	rundll32.exe
768	rundll32.exe
768	rundll32.exe
5112	rundll32.exe
5112	rundll32.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2628	rundll32.exe
Token: SeDebugPrivilege	2628	rundll32.exe
Token: SeTcbPrivilege	2628	rundll32.exe
Token: SeDebugPrivilege	372	8FDC.tmp
Token: SeShutdownPrivilege	2436	rundll32.exe
Token: SeDebugPrivilege	2436	rundll32.exe
Token: SeTcbPrivilege	2436	rundll32.exe
Token: SeShutdownPrivilege	1340	rundll32.exe
Token: SeDebugPrivilege	1340	rundll32.exe
Token: SeTcbPrivilege	1340	rundll32.exe
Token: SeShutdownPrivilege	3448	rundll32.exe
Token: SeDebugPrivilege	3448	rundll32.exe
Token: SeTcbPrivilege	3448	rundll32.exe
Token: SeShutdownPrivilege	768	rundll32.exe
Token: SeDebugPrivilege	768	rundll32.exe
Token: SeTcbPrivilege	768	rundll32.exe
Token: SeShutdownPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeTcbPrivilege	5112	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4000	dispci.exe
4000	dispci.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 2628	3280	Urgent Contract Action.pdf.exe	84
PID 3280 wrote to memory of 2628	3280	Urgent Contract Action.pdf.exe	84
PID 3280 wrote to memory of 2628	3280	Urgent Contract Action.pdf.exe	84
PID 2628 wrote to memory of 2880	2628	rundll32.exe	87
PID 2628 wrote to memory of 2880	2628	rundll32.exe	87
PID 2628 wrote to memory of 2880	2628	rundll32.exe	87
PID 2880 wrote to memory of 4460	2880	cmd.exe	89
PID 2880 wrote to memory of 4460	2880	cmd.exe	89
PID 2880 wrote to memory of 4460	2880	cmd.exe	89
PID 2628 wrote to memory of 2476	2628	rundll32.exe	93
PID 2628 wrote to memory of 2476	2628	rundll32.exe	93
PID 2628 wrote to memory of 2476	2628	rundll32.exe	93
PID 2476 wrote to memory of 4112	2476	cmd.exe	95
PID 2476 wrote to memory of 4112	2476	cmd.exe	95
PID 2476 wrote to memory of 4112	2476	cmd.exe	95
PID 2628 wrote to memory of 4524	2628	rundll32.exe	96
PID 2628 wrote to memory of 4524	2628	rundll32.exe	96
PID 2628 wrote to memory of 4524	2628	rundll32.exe	96
PID 2628 wrote to memory of 372	2628	rundll32.exe	97
PID 2628 wrote to memory of 372	2628	rundll32.exe	97
PID 4524 wrote to memory of 3436	4524	cmd.exe	100
PID 4524 wrote to memory of 3436	4524	cmd.exe	100
PID 4524 wrote to memory of 3436	4524	cmd.exe	100
PID 2956 wrote to memory of 2436	2956	Urgent Contract Action.pdf.exe	116
PID 2956 wrote to memory of 2436	2956	Urgent Contract Action.pdf.exe	116
PID 2956 wrote to memory of 2436	2956	Urgent Contract Action.pdf.exe	116
PID 1968 wrote to memory of 1340	1968	Urgent Contract Action.pdf.exe	119
PID 1968 wrote to memory of 1340	1968	Urgent Contract Action.pdf.exe	119
PID 1968 wrote to memory of 1340	1968	Urgent Contract Action.pdf.exe	119
PID 4920 wrote to memory of 3448	4920	Urgent Contract Action.pdf.exe	123
PID 4920 wrote to memory of 3448	4920	Urgent Contract Action.pdf.exe	123
PID 4920 wrote to memory of 3448	4920	Urgent Contract Action.pdf.exe	123
PID 4868 wrote to memory of 768	4868	Urgent Contract Action.pdf.exe	126
PID 4868 wrote to memory of 768	4868	Urgent Contract Action.pdf.exe	126
PID 4868 wrote to memory of 768	4868	Urgent Contract Action.pdf.exe	126
PID 3684 wrote to memory of 5112	3684	Urgent Contract Action.pdf.exe	129
PID 3684 wrote to memory of 5112	3684	Urgent Contract Action.pdf.exe	129
PID 3684 wrote to memory of 5112	3684	Urgent Contract Action.pdf.exe	129
PID 4000 wrote to memory of 5100	4000	dispci.exe	134
PID 4000 wrote to memory of 5100	4000	dispci.exe	134
PID 4000 wrote to memory of 5100	4000	dispci.exe	134
PID 5100 wrote to memory of 1172	5100	cmd.exe	136
PID 5100 wrote to memory of 1172	5100	cmd.exe	136
PID 5100 wrote to memory of 1172	5100	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3308956734 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3308956734 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:07:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:07:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3436
- - C:\Windows\8FDC.tmp
    "C:\Windows\8FDC.tmp" \\.\pipe\{D081F385-ACC6-4F0C-9C9D-505D75ADD9A5}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\aria-debug-5000.log
1⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3448

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112

C:\Windows\dispci.exe
"C:\Windows\dispci.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\cmd.exe
  /c schtasks /Delete /F /TN rhaegal
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\8FDC.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\dispci.exe

Filesize
139KB

MD5
b14d8faf7f0cbcfad051cefe5f39645f

SHA1
afeee8b4acff87bc469a6f0364a81ae5d60a2add

SHA256
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

SHA512
f5dcbf3634aedfe5b8d6255e20015555343add5b1be3801e62a5987e86a3e52495b5ce3156e4f63cf095d0cedfb63939eaf39bea379ccac82a10a4182b8ded22

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
memory/768-97-0x0000000002B10000-0x0000000002B78000-memory.dmp

Filesize
416KB

Download
memory/768-105-0x0000000002B10000-0x0000000002B78000-memory.dmp

Filesize
416KB

Download
memory/1340-67-0x00000000021F0000-0x0000000002258000-memory.dmp

Filesize
416KB

Download
memory/1340-75-0x00000000021F0000-0x0000000002258000-memory.dmp

Filesize
416KB

Download
memory/2436-55-0x0000000002CF0000-0x0000000002D58000-memory.dmp

Filesize
416KB

Download
memory/2436-63-0x0000000002CF0000-0x0000000002D58000-memory.dmp

Filesize
416KB

Download
memory/2628-15-0x0000000002770000-0x00000000027D8000-memory.dmp

Filesize
416KB

Download
memory/2628-11-0x0000000002770000-0x00000000027D8000-memory.dmp

Filesize
416KB

Download
memory/2628-3-0x0000000002770000-0x00000000027D8000-memory.dmp

Filesize
416KB

Download
memory/3448-85-0x0000000002FE0000-0x0000000003048000-memory.dmp

Filesize
416KB

Download
memory/3448-93-0x0000000002FE0000-0x0000000003048000-memory.dmp

Filesize
416KB

Download
memory/5112-109-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download