badrabbit | c5fe32e5de97a1c0ff01c7bcbc99d7086a485b6df9ac7cdb37e906f6e1d01da3

Resubmissions

26/02/2025, 06:37

250226-hdnk3svqw2 10

25/02/2025, 10:24

250225-mflaystny2 10

Analysis

max time kernel
277s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Contract Action.pdf.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023ab2-20.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
1984	B0A3.tmp

Loads dropped DLL 1 IoCs

pid	Process
3952	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\B0A3.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5080	schtasks.exe
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
1984	B0A3.tmp
1984	B0A3.tmp
1984	B0A3.tmp
1984	B0A3.tmp
1984	B0A3.tmp
1984	B0A3.tmp
208	msedge.exe
208	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3952	rundll32.exe
Token: SeDebugPrivilege	3952	rundll32.exe
Token: SeTcbPrivilege	3952	rundll32.exe
Token: SeDebugPrivilege	1984	B0A3.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3952	4184	Urgent Contract Action.pdf.exe	89
PID 4184 wrote to memory of 3952	4184	Urgent Contract Action.pdf.exe	89
PID 4184 wrote to memory of 3952	4184	Urgent Contract Action.pdf.exe	89
PID 3952 wrote to memory of 3920	3952	rundll32.exe	90
PID 3952 wrote to memory of 3920	3952	rundll32.exe	90
PID 3952 wrote to memory of 3920	3952	rundll32.exe	90
PID 3920 wrote to memory of 5012	3920	cmd.exe	92
PID 3920 wrote to memory of 5012	3920	cmd.exe	92
PID 3920 wrote to memory of 5012	3920	cmd.exe	92
PID 3952 wrote to memory of 720	3952	rundll32.exe	94
PID 3952 wrote to memory of 720	3952	rundll32.exe	94
PID 3952 wrote to memory of 720	3952	rundll32.exe	94
PID 3952 wrote to memory of 4092	3952	rundll32.exe	96
PID 3952 wrote to memory of 4092	3952	rundll32.exe	96
PID 3952 wrote to memory of 4092	3952	rundll32.exe	96
PID 720 wrote to memory of 5080	720	cmd.exe	97
PID 720 wrote to memory of 5080	720	cmd.exe	97
PID 720 wrote to memory of 5080	720	cmd.exe	97
PID 3952 wrote to memory of 1984	3952	rundll32.exe	98
PID 3952 wrote to memory of 1984	3952	rundll32.exe	98
PID 4092 wrote to memory of 1720	4092	cmd.exe	101
PID 4092 wrote to memory of 1720	4092	cmd.exe	101
PID 4092 wrote to memory of 1720	4092	cmd.exe	101
PID 4804 wrote to memory of 3504	4804	msedge.exe	124
PID 4804 wrote to memory of 3504	4804	msedge.exe	124
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125
PID 4804 wrote to memory of 4748	4804	msedge.exe	125

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1226847722 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1226847722 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:55:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:55:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1720
- - C:\Windows\B0A3.tmp
    "C:\Windows\B0A3.tmp" \\.\pipe\{CD6763B0-4139-45B7-8C9D-2BCB150F580F}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta3dd4d36h5121h4cf5h8ddehc7d44498a499
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9409f46f8,0x7ff9409f4708,0x7ff9409f4718
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,3126121142298269326,1964939861247824897,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,3126121142298269326,1964939861247824897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,3126121142298269326,1964939861247824897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f09c5037ff47e75546f2997642cac037

SHA1
63d599921be61b598ef4605a837bb8422222bef2

SHA256
ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662

SHA512
280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e361c7f9a4ba7d4f3c5122fdc3ce9e1

SHA1
c5ff12badaf193e9675d0f66e99e134d553497a7

SHA256
10b6f9f8ab8fe61eaf0b8aba996fedf3462d4e0be37261c0ee8e942874e55aa9

SHA512
47c8df4f77661f41018f1c3a8ab97366d4b9a49b2e6a394df9e339794c787fb61360fb5d4a241ce552fc81395d4097088b6b44902f0b6600fab1ef204d3da386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
931f5c2a5b3fc1ebe38091640ef976c5

SHA1
9d0373ec1ef67d17444b361818f9ae593d59793e

SHA256
a87ab3f32652fa0a86249b9bd63e6272c0dceeca801944e4026858b06f094b8d

SHA512
822eeb51908d49215a7038e363ebb1e1dd845212cbbe22f64d076dc8ec91acae958bed1c50f8bcc0bfbe4684ec33a02974fa1eb713e56549e8e240e56a5cb07b

Download Submit
C:\Windows\B0A3.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3952-4-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/3952-11-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/3952-14-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download