badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit[.]zip

Resubmissions

03/03/2025, 10:51

250303-mxt97awvbv 4

03/03/2025, 10:49

250303-mwwfvswthv 10

Analysis

max time kernel
73s
max time network
72s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
03/03/2025, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002b06c-236.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
4012	C833.tmp

Loads dropped DLL 1 IoCs

pid	Process
1876	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
2	raw.githubusercontent.com

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\C833.tmp	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133854725890854739"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2568	schtasks.exe
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe
4012	C833.tmp
4012	C833.tmp
4012	C833.tmp
4012	C833.tmp
4012	C833.tmp
4012	C833.tmp
4012	C833.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 3812	3928	chrome.exe	85
PID 3928 wrote to memory of 3812	3928	chrome.exe	85
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 2796	3928	chrome.exe	86
PID 3928 wrote to memory of 1632	3928	chrome.exe	87
PID 3928 wrote to memory of 1632	3928	chrome.exe	87
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88
PID 3928 wrote to memory of 5068	3928	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff884ebcc40,0x7ff884ebcc4c,0x7ff884ebcc58
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,11091902828044677757,5440233166415414088,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,11091902828044677757,5440233166415414088,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,11091902828044677757,5440233166415414088,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11091902828044677757,5440233166415414088,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,11091902828044677757,5440233166415414088,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,11091902828044677757,5440233166415414088,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,11091902828044677757,5440233166415414088,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:2468

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4144,i,5616534977014849087,11887380551757527862,262144 --variations-seed-version --mojo-platform-channel-handle=3860 /prefetch:14
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1556
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1068
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3409324111 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:404
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3409324111 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:08:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3884
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:08:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1980
- - C:\Windows\C833.tmp
    "C:\Windows\C833.tmp" \\.\pipe\{BDF5A8EC-B009-440B-8D02-683759ADBA67}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4a43416b9f261ae76e87a45ad9baaed4

SHA1
f543640693df4ce4232969cb85f2c07b5849c33e

SHA256
05a5396cbea859f411754c01438800ec17f40619ba601a20af9317319fbaeb8b

SHA512
68a7163c49a5b980e45a96c85fca08cecdb4ff5d7228db4dfd80c72be7426d0c1532f06ff927bf89e9c7928e425126184109efc15ce9b4bddfd101df754c09e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1b1e6e339c48dda020ba277948bb847c

SHA1
2450f440e213a70a8bde4d669cbc7a30f86859f6

SHA256
4c572d61696f2061e9e1452d772fb73943558614e051ba2b850d7b5c9b43f6d5

SHA512
f490b98fb136d91f697060ec849626f568de42c167ae1677eeb103835a111010c697c896f25a9009a7950f421456b4f24dfac9e8e15cefe9dedd620cfddf25e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d74d377cd1ec3d95246cd9cfd5fd4ed6

SHA1
6177ebeb006abb930697dbc34156ddd0abf96a7f

SHA256
60cd0e86de544d32169afb7b711a26a9d6d72ba34833f690ccb733af762d2b28

SHA512
e44c2adaf83bd0c5f466b53e579fe095070c654a2d3398d8a252d471f7cf2ea2ed44bba9d5bad8aa52ee4e5ea8180810f1d09bab0ccf07ec0d53214a461a3c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b88fd8f0b347e15c14b7aa326c95d671

SHA1
60c13df396e8729cb813084986ce151d5c4bddbe

SHA256
91764f1334508d9ca3dc8d14276eee10a201a049dd2b5126d1451da6d0dea016

SHA512
47077ca6741e01507cdb085e0653ac16211174c7f4d7a3557063993633498018fa33c89b8509204d11bcc8b3b2df1a58d80e550ba8a3a8edd50b7f2ac522d4fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e6530349e0436fedace5edfbd2165ad1

SHA1
00d5e52145b11931801f927d1341694af8a1f417

SHA256
88f07b6f4e2166bf5144efa954bb16521385c94993220e827a6b96272ee84e35

SHA512
999878d2fbd3d1037a651a9892d4927be74b4a125af9cb15ad1f32fad7038c050b644342e40a90289ad9b679585a6d0234eb1dc1e46fd9a6618d0104f833132b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
823ef45e8ef21c5fdbb38a431d760c8e

SHA1
f472265e9c88534b8c3ea9ef886c74b06ffea9cd

SHA256
df7f4d75bf883db6f6ddbab71e46f4bd97362edcee205e083c8b0ffa935d8c49

SHA512
207b3e43c387c546ed6a42fc1055957faed86f3dc880180f39548c6a4fd0d504b9f8bef56b01a5ef5491ddca918e6b030bd6e44e3feef05866d06540551d4b7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25250d87009468f5a3121ae2c096db95

SHA1
16b1987256e49159acc287490cc4f425497a7dd2

SHA256
4c4e85fd166da2e9dfbd584f3e950c8d1fee6c0b58a8bd358a2d1ae99aeae8fd

SHA512
77b803664a5b88db7271627ce234fc4f9e19853351e094990bbf9b9442d1e0fba1b0dbee19ff1d307924e9208e99098ae1a4feb6dadf06286d4ac1df0ef4640f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
63ac250969e9e6df781225d666081e4d

SHA1
5d8838f273b38c9c54edbf1418157ea69ef75396

SHA256
9585d98b9a0fb77ac13cff3e8e6d1046782265cb72d3ff3fc3b9b8bf3ffe1bc7

SHA512
02eac530fffa8716388d982b772dbc7404935fd3f94369cf22e483d9fbcaea15e2ac48a98ca7c1f877d1a9d2122f076a89b5943b934969cb3ac224314897a344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b05ec451bb37ade6737acec7c38d63aa

SHA1
70ddb164de5c279761eaa28d871864901818f43f

SHA256
763b55b1496831fa8ea3487f2d3c353e92d6a0e71e1a6aa91a021d8df3714b16

SHA512
73e0f150e399d153fa65f8a9bf9c2760392f6abd5b56c67f6e9ea336aedef39ebf3d9f71592f1978b39952765eb25006ee9cc31b9bd88ac700f0ffee9367faac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96774550ccb944b18529d4021a97f0ef

SHA1
2a149abea82efa028ff51b8eaedd80c6ae1a8b53

SHA256
206e0b4cde62bed6a1db0b4ec37c7e08fd093c6958bc29fb1ab0f1aa73b327d8

SHA512
72113c32ac8860905a65ef795f672802ca807a8c8724cdc3414de9324f34bb51f3fa5ef4bf82224571ecfd1eccfd2e0963c97774a5ba713782660e0161b6af63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b54ede82310786a43a313d5844b9582

SHA1
a070b042c4b89f0d22b7a8bb1dc2fc0fe3a33b5c

SHA256
8ad9115ba9168d87eb0c5ab0f4b9e28e9e9e80e4d234f9ae5e79a8d2c8c53f41

SHA512
5871091b9827d6015f9a3cc701a9a257a6489ac0be2c75ef92150c311e5bb1991d3332a32f90d641e46da25492ee5674f382b1adcb819d69ba7e71895c66d8c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99855d99a8eec1c0d96c3625a85917cb

SHA1
dd8010d084e707ee1f226d51a0a7df57df233c9b

SHA256
4d175bc17eb89491e9cbd908484cfd6da3a55a96cfcd2d0aab057e7dd28dc65a

SHA512
24e41c58146754a7b15558e732a571d476005f1620ac0f0cd31eaf20e42a5b7385a087059b7ab787de2f0a5c2c82a839f2f43972c43697e59b7d6f06f4528e0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
14b40ed3ecc855edbf31c4d3050dc698

SHA1
8c8f54ae10eb05b3f86bedd8b1f3b9b18e1a1309

SHA256
a0498aed741c8ae3b516f579fad961bea071c1f759e861983aa0372ff940ead0

SHA512
e6fd094496744558944016278c742e57279200b4c200f8c3e379fc58566f50d19d7a831bad4e9d99973b69cf5c9249112f34a04abd339e234469a340b40296f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
8c3ba159fc97ee5bcee18a172bb342bd

SHA1
3c3e6d95213caaee59f7063c2c883fbf83cf7dcb

SHA256
815223b58ab2b0a6ae290e8f0eee88192a21361a7eff55f71306e3d34c359eaf

SHA512
e47a7cf4b13cb5f3e6070660ee6e1a9ce0b00f09cc14ad9500cb78b139932d657dd067f0da6ed3ebbb075f2b11784f42fa5df69516db73e435b50cdf2b411c2e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\C833.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1876-219-0x0000000000C80000-0x0000000000CE8000-memory.dmp

Filesize
416KB

Download
memory/1876-227-0x0000000000C80000-0x0000000000CE8000-memory.dmp

Filesize
416KB

Download
memory/1876-230-0x0000000000C80000-0x0000000000CE8000-memory.dmp

Filesize
416KB

Download