badrabbit | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

General

Target

Urgent Contract Action.pdf.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x001100000001e452-20.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
5096	C18B.tmp

Loads dropped DLL 1 IoCs

pid	Process
3580	rundll32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\C18B.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	mspaint.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
692	schtasks.exe
388	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1976	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3580	rundll32.exe
3580	rundll32.exe
3580	rundll32.exe
3580	rundll32.exe
5096	C18B.tmp
5096	C18B.tmp
5096	C18B.tmp
5096	C18B.tmp
5096	C18B.tmp
5096	C18B.tmp
468	mspaint.exe
468	mspaint.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3580	rundll32.exe
Token: SeDebugPrivilege	3580	rundll32.exe
Token: SeTcbPrivilege	3580	rundll32.exe
Token: SeDebugPrivilege	5096	C18B.tmp

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
468	mspaint.exe
5020	OpenWith.exe
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE
1976	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3580	3340	Urgent Contract Action.pdf.exe	86
PID 3340 wrote to memory of 3580	3340	Urgent Contract Action.pdf.exe	86
PID 3340 wrote to memory of 3580	3340	Urgent Contract Action.pdf.exe	86
PID 3580 wrote to memory of 3728	3580	rundll32.exe	87
PID 3580 wrote to memory of 3728	3580	rundll32.exe	87
PID 3580 wrote to memory of 3728	3580	rundll32.exe	87
PID 3728 wrote to memory of 4904	3728	cmd.exe	90
PID 3728 wrote to memory of 4904	3728	cmd.exe	90
PID 3728 wrote to memory of 4904	3728	cmd.exe	90
PID 3580 wrote to memory of 1524	3580	rundll32.exe	94
PID 3580 wrote to memory of 1524	3580	rundll32.exe	94
PID 3580 wrote to memory of 1524	3580	rundll32.exe	94
PID 1524 wrote to memory of 692	1524	cmd.exe	96
PID 1524 wrote to memory of 692	1524	cmd.exe	96
PID 1524 wrote to memory of 692	1524	cmd.exe	96
PID 3580 wrote to memory of 1984	3580	rundll32.exe	97
PID 3580 wrote to memory of 1984	3580	rundll32.exe	97
PID 3580 wrote to memory of 1984	3580	rundll32.exe	97
PID 3580 wrote to memory of 5096	3580	rundll32.exe	98
PID 3580 wrote to memory of 5096	3580	rundll32.exe	98
PID 1984 wrote to memory of 388	1984	cmd.exe	101
PID 1984 wrote to memory of 388	1984	cmd.exe	101
PID 1984 wrote to memory of 388	1984	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2221552266 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2221552266 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:692
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:08:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:08:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:388
- - C:\Windows\C18B.tmp
    "C:\Windows\C18B.tmp" \\.\pipe\{C8580D39-AA11-4E07-9F4D-7C0AD517553B}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5096

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\PopRename.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StartGet.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\C18B.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1976-64-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-61-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-62-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-101-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-60-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-98-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-100-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-99-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/1976-66-0x00007FFA76CC0000-0x00007FFA76CD0000-memory.dmp

Filesize
64KB

Download
memory/1976-65-0x00007FFA76CC0000-0x00007FFA76CD0000-memory.dmp

Filesize
64KB

Download
memory/1976-63-0x00007FFA79510000-0x00007FFA79520000-memory.dmp

Filesize
64KB

Download
memory/3580-11-0x0000000002C70000-0x0000000002CD8000-memory.dmp

Filesize
416KB

Download
memory/3580-3-0x0000000002C70000-0x0000000002CD8000-memory.dmp

Filesize
416KB

Download
memory/3580-14-0x0000000002C70000-0x0000000002CD8000-memory.dmp

Filesize
416KB

Download
memory/4160-39-0x0000016B99260000-0x0000016B99270000-memory.dmp

Filesize
64KB

Download
memory/4160-58-0x0000016BA16B0000-0x0000016BA16B1000-memory.dmp

Filesize
4KB

Download
memory/4160-57-0x0000016BA16B0000-0x0000016BA16B1000-memory.dmp

Filesize
4KB

Download
memory/4160-56-0x0000016BA16A0000-0x0000016BA16A1000-memory.dmp

Filesize
4KB

Download
memory/4160-55-0x0000016BA16A0000-0x0000016BA16A1000-memory.dmp

Filesize
4KB

Download
memory/4160-54-0x0000016BA1610000-0x0000016BA1611000-memory.dmp

Filesize
4KB

Download
memory/4160-52-0x0000016BA1610000-0x0000016BA1611000-memory.dmp

Filesize
4KB

Download
memory/4160-50-0x0000016BA1590000-0x0000016BA1591000-memory.dmp

Filesize
4KB

Download
memory/4160-43-0x0000016B992A0000-0x0000016B992B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads