Overview

overview

10

Static

static

1

Urgent Con...df.exe

windows7-x64

10

Urgent Con...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-02-2025 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Urgent Contract Action.pdf.exe

  • Size

    431KB

  • MD5

    fbbdc39af1139aebba4da004475e8839

  • SHA1

    de5c8d858e6e41da715dca1c019df0bfb92d32c0

  • SHA256

    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

  • SHA512

    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  • SSDEEP

    12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score
10/10
badrabbitmimikatzdiscoveryransomware

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Badrabbit family
    badrabbit
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Mimikatz family
    mimikatz
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4190991895 && exit"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4190991895 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1856
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:43:00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:43:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1556
      • C:\Windows\F299.tmp
        "C:\Windows\F299.tmp" \\.\pipe\{5DCF2538-D0A1-4AAF-9E66-B785CB2B474E}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
  • C:\Windows\System32\xpsrchvw.exe
    "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\UnprotectSuspend.edrwx"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2836
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.0.1764633790\2123550491" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5769bc69-1114-4578-8c01-6f0d17138444} 344 "\\.\pipe\gecko-crash-server-pipe.344" 1296 48db158 gpu
        3⤵
          PID:2088
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.1.570220520\1413150635" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d069d5-e4c9-45bd-b74e-5265e142454b} 344 "\\.\pipe\gecko-crash-server-pipe.344" 1500 48c7358 socket
          3⤵
          • Checks processor information in registry
          PID:1656
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.2.903830256\865985136" -childID 1 -isForBrowser -prefsHandle 2004 -prefMapHandle 2000 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {439b11f3-5191-4177-9c83-d8801e321bb2} 344 "\\.\pipe\gecko-crash-server-pipe.344" 2016 18f58858 tab
          3⤵
            PID:1228
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.3.1704726327\1333021315" -childID 2 -isForBrowser -prefsHandle 740 -prefMapHandle 540 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f17157e-8952-4fde-81c6-6538850fdb15} 344 "\\.\pipe\gecko-crash-server-pipe.344" 2460 e5b258 tab
            3⤵
              PID:2384
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.4.106701802\1934711563" -childID 3 -isForBrowser -prefsHandle 2808 -prefMapHandle 2804 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b60cc30-e291-481c-bf51-dd8e0c57db30} 344 "\\.\pipe\gecko-crash-server-pipe.344" 2820 e62b58 tab
              3⤵
                PID:1772
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.5.1194077595\1229025739" -childID 4 -isForBrowser -prefsHandle 3880 -prefMapHandle 3884 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cafb0e3-c56b-4da0-8a40-ac64ddf22bb1} 344 "\\.\pipe\gecko-crash-server-pipe.344" 3896 1fdd9858 tab
                3⤵
                  PID:3056
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.6.1275994444\1494571790" -childID 5 -isForBrowser -prefsHandle 4004 -prefMapHandle 4008 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4c51c9b-bd22-44e8-8aea-de59ad12c358} 344 "\\.\pipe\gecko-crash-server-pipe.344" 3992 1fddce58 tab
                  3⤵
                    PID:884
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="344.7.246908930\1824699712" -childID 6 -isForBrowser -prefsHandle 4196 -prefMapHandle 4200 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {332c97b3-f98e-442f-af20-a5c8ece92d37} 344 "\\.\pipe\gecko-crash-server-pipe.344" 4184 1fddb358 tab
                    3⤵
                      PID:2000

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  26KB

                  MD5

                  9739420755ba8d31f97f72a2d3979172

                  SHA1

                  69fa78930316a6167f968c06fa93e9e930800cfb

                  SHA256

                  768844a68022637931966dd713e805eb22962b72ea508ead1172ca7247e30ce2

                  SHA512

                  ca78f84ca6267c5f406b6aa540dc5c24a95ee2a61efac14cd985edb7861e6bcf3aa7e826a1fb36acfc007d877348fa5c840c8ec171c1779d009ef79c0ec40aed

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                  Filesize

                  15KB

                  MD5

                  96c542dec016d9ec1ecc4dddfcbaac66

                  SHA1

                  6199f7648bb744efa58acf7b96fee85d938389e4

                  SHA256

                  7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                  SHA512

                  cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  1db9d7fb4878afdec0dfc902ed83119d

                  SHA1

                  103ea120154fdf8b57fc223d1079792c2e8e185e

                  SHA256

                  bb9c548b40212d7840234b52128f282df6bec328440a503624cca578f36606fc

                  SHA512

                  535ffdd45195f4d6272d0cf73854fbb37c18b79a73dc0ac6f8f81e4c871f63efaa52046e3ef96ec5847b22a95b7da813f4398cc52b6135926852ff20dab916c2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\9a5e61fc-d98d-40c1-9f16-f44b91399533
                  Filesize

                  11KB

                  MD5

                  53f2d69eadef7aebf206a7a4a7e867bb

                  SHA1

                  82eaa42a684384a67d379d6d3405883a0bcc8a81

                  SHA256

                  4aefd9d74a44877f804f8ed86417eb35b5963c88bbf5ef2fa073ca2d1e4a2499

                  SHA512

                  d58bc6f867d77bf2caa988515e6729029b99fe9235f37d8d46b3015028fefa418652d2b4f54321c90aeb946b6a3853fa23246a666b1ce8dfe1caf11fa72f785b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\cc77d4bd-832b-4b07-b48f-826082cb49e8
                  Filesize

                  745B

                  MD5

                  2eef7435d8d098383e11b971740fc198

                  SHA1

                  baaed49aaa255e8a0581cccb1b6a71361ac441fc

                  SHA256

                  1f1b28ccbdeaa62d6fba862c10af2db2fed1ec1be55a5541141cb10e588a3bd5

                  SHA512

                  062cee4c1f184716cd61bf04ce8ffc65cc7430043460fb5de6ae28a0aa0a8380164b7c31d2d30f259c2c6f17bc97ca015afbf45f21d83bcee245490ec5781c1b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  2b6c12ce94f2db173eb7005921dffd75

                  SHA1

                  ca9b0a7d136181cff90afa7a5fd6587b0fb5d370

                  SHA256

                  2bfd2b077b00361a87ebb6da2d0bc694501b829e8508640c9a2a45b6327257ef

                  SHA512

                  5e4e341d135b354cac91c699b28167a8a6e131a939658dbbdae7dcabb81292e863d1ade4f1f1c250da2bb3e2cbd167644bd5caef8583ac5c0332204126141f8e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore.jsonlz4
                  Filesize

                  831B

                  MD5

                  2fb0e2df2e845f76b28c55bcd5421dec

                  SHA1

                  5301b514a8605aef847ed6e65e03d214716fef62

                  SHA256

                  876979fb4925c986d2221ff845422c86c46a00d2898a8de4bc33b5ede692afb7

                  SHA512

                  74d6f39a4fef7aa71ef2f686a930ce393f6626845b13cd121402b6e3a46db7c0faae3888623fb4a14cfe9f52e9b55a2483d06595c813e3686245e5435a3f3c0a

                  Download Submit

                • C:\Windows\F299.tmp
                  Filesize

                  60KB

                  MD5

                  347ac3b6b791054de3e5720a7144a977

                  SHA1

                  413eba3973a15c1a6429d9f170f3e8287f98c21c

                  SHA256

                  301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

                  SHA512

                  9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

                  Download Submit

                • C:\Windows\infpub.dat
                  Filesize

                  401KB

                  MD5

                  1d724f95c61f1055f0d02c2154bbccd3

                  SHA1

                  79116fe99f2b421c52ef64097f0f39b815b20907

                  SHA256

                  579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

                  SHA512

                  f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

                  Download Submit

                • memory/2696-10-0x00000000001F0000-0x0000000000258000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2696-2-0x00000000001F0000-0x0000000000258000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2696-13-0x00000000001F0000-0x0000000000258000-memory.dmp

                  Filesize

                  416KB

                  Download