Analysis
-
max time kernel
68s -
max time network
69s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
26/03/2025, 19:01
General
-
Target
Ransomware.BadRabbit.exe
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1113432943 && exit"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1113432943 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:19:003⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:19:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\5563.tmp"C:\Windows\5563.tmp" \\.\pipe\{B9120B3C-11F3-49F2-BF29-E38307A0A033}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RemoveSwitch.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeba36dcf8,0x7ffeba36dd04,0x7ffeba36dd102⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2124,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1548,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2232 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2456,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2468 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3216 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3964,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4500 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4800 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5352 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5720,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5896 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5824,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5420 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4632,i,6423955556485990093,16571708939415166292,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD541ff0cebf45ee0aa38b709558e714635
SHA1f7ffc72cdc23b85e436f7a9715479e23c988f9d2
SHA256ba807fb43b2f79cbe48b4bc0a81d823c232a0057d183fc4482d9af05b449c9a1
SHA51245d37d1ac439191d1b0970f05d5461395dedf1843bbedcf211148d2988b77d4cc6a872a51095432883c1ea722750facaa256f0bc8cbae989890fda41d82818f4
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2KB
MD59d0a86f32038f8d8946bffc3d79bf204
SHA11437b3b0f7ba9f3dc3028f2e5310ea63d971f17d
SHA256ae7b9f70cc1a068bbd5bf466e761578ea6d5e3163562ec794410f89886ce76e8
SHA51210c8c4dc636d4b09d6c72b59479a333f7c7de768a6fd3550cdc53a9e385a6546f543710fa6546b22ba619c97799ed84d9d3a1a23b73c680d24984b6a91149d2c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
10KB
MD59f881e9f30cff40b5b8fcadc53e821b7
SHA157dc233cb8c9706b9a327d8808c0c243eda67b15
SHA256bc246cc3cd23168f03f46d1680abe1a1fdf8b921a1f8334024b1a62c28c7dd16
SHA512fa1485426c46715212393f0f4870ef59057698da639c696613cfaf4b4354cd1faa8c7a2da4e19078660bc705a13f4d8fff4d0cfe72f9746a808f0af0a2e32923
-
Filesize
15KB
MD5c0f738fac7f7f4abd16f730c578332f5
SHA19246cfaea53d76cdec1ae191ebff9bef4c6d3812
SHA2560eebff33d23429faeb502b782cee9443f9273e010ce2a2765bec12a057487337
SHA512c3030c7c9ac047334ec379aacbe2fe70db0db625ef6b0026317ef819434c28005b5261c0f1e1a84d8e2754a69e84f052f8dd727a4c2d57b5fe3fabd18c63d913
-
Filesize
72B
MD59f8bd7552b92be48f8dc29cc96fb5335
SHA1d7edf2652fb65c73c821ddbd90a5408e3fc2f2cb
SHA256ff1ce954bc4a2e479c96cea9aacab727808fc4f20f391ab2682c88a485bdc6c1
SHA512bba818a5bb9b4683e175af7ee4c5b6f8ec20827fd8d94fbdc9d162a6d03ee9aef7215a531c7195c8caa370cb2c8b8dbcffad35f6a4abafe0c4bcd101c1f1c6c2
-
Filesize
48B
MD5f9c4acd55f2886c3716cc5ee9a5460a9
SHA1c71f2a56bb1d8994af02212573095a8513d0e871
SHA2560053be105e3895e123d4a35ea6ae8ed046f983d0470503d74c8e432ed543d8c1
SHA512226bf69ebc557de86bd6c592ef2daec6479723d7430048d1f7eaeb4fc3e237cdd7cfa3cf7f4708d70ea154924aa771630aa7884bc5ce925abfca603b85b532ad
-
Filesize
81KB
MD534eb567c88ac92f9768ea54d680a2f08
SHA11ca41544b554faf968a5b3f7739084316561ae38
SHA2569bee73ff87253e742e2f4b1b4b8d730e47f2f5a906bc805fc2a23c078db0daa3
SHA512d04ec1d590c715a97871672bcb1e071d4d8b0f7a747d6c529b3e5c7e89ae6a61826f364b08e0a6192fa27b473bbdfe32ca8fb66b82a51653d9a55987d44b8007
-
Filesize
80KB
MD5b94fbc21f2f89b0792fab1976bc431f5
SHA1fb6d9f4046f7ece1f42be7598dcdc2b93ca24419
SHA25611a213cc2a53c904721be685a0e505ebbbe2490781a03873d163ae77efaf7c34
SHA5128878a41e444df27584d2dc6b2b4e71ed4c559b40f93095ac4d3296d60fbdf90716b2ff10910e8e7eef2a865f4c62f278cfb89af2d5759c44cae4e844f7e1727a
-
Filesize
81KB
MD5f7da099df31cdc351c48e55c6293e82a
SHA1938e33001e96a8b8caabce9e7ab31124af6ead5b
SHA256334f8234ffadd5240a393b05b29827c2037e1bd6de1fd3b5c44086557675a26f
SHA51241224d332a5351075cf92fa7ff8d622c60a5396ae635b822b03ca4a65e9e84b3580f78503fe527c21e25a02418d651f9e70fb05662d3f7866bac281fe203cf6a
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB