Overview

overview

10

Static

static

1

Urget Cont...on.zip

windows10-2004-x64

7

Urget Cont...on.eml

windows10-2004-x64

3

Urgent Con...df.exe

windows10-2004-x64

10

email-html-2.txt

windows10-2004-x64

1

email-plain-1.txt

windows10-2004-x64

1

Analysis

  • max time kernel
    209s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 02:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Urgent Contract Action.pdf.exe

  • Size

    431KB

  • MD5

    fbbdc39af1139aebba4da004475e8839

  • SHA1

    de5c8d858e6e41da715dca1c019df0bfb92d32c0

  • SHA256

    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

  • SHA512

    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  • SSDEEP

    12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score
10/10
badrabbitmimikatzdiscoveryransomware

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    ransomwarebadrabbit
  • Badrabbit family
    badrabbit
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Mimikatz family
    mimikatz
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4024
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4206746066 && exit"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4206746066 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:05:00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:05:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2984
      • C:\Windows\A940.tmp
        "C:\Windows\A940.tmp" \\.\pipe\{129D3813-C41D-4476-B327-BC400081F6ED}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3776
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2724
    • C:\Windows\dispci.exe
      "C:\Windows\dispci.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2104
    • C:\Windows\dispci.exe
      "C:\Windows\dispci.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:388
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          3⤵
          • System Location Discovery: System Language Discovery
          PID:396
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\DtcInstall.log
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:244
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\A940.tmp
      Filesize

      60KB

      MD5

      347ac3b6b791054de3e5720a7144a977

      SHA1

      413eba3973a15c1a6429d9f170f3e8287f98c21c

      SHA256

      301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

      SHA512

      9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

      Download Submit

    • C:\Windows\dispci.exe
      Filesize

      139KB

      MD5

      b14d8faf7f0cbcfad051cefe5f39645f

      SHA1

      afeee8b4acff87bc469a6f0364a81ae5d60a2add

      SHA256

      8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

      SHA512

      f5dcbf3634aedfe5b8d6255e20015555343add5b1be3801e62a5987e86a3e52495b5ce3156e4f63cf095d0cedfb63939eaf39bea379ccac82a10a4182b8ded22

      Download Submit

    • C:\Windows\infpub.dat
      Filesize

      401KB

      MD5

      1d724f95c61f1055f0d02c2154bbccd3

      SHA1

      79116fe99f2b421c52ef64097f0f39b815b20907

      SHA256

      579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

      SHA512

      f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

      Download Submit

    • memory/3972-4-0x0000000002D60000-0x0000000002DC8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/3972-11-0x0000000002D60000-0x0000000002DC8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/3972-14-0x0000000002D60000-0x0000000002DC8000-memory.dmp

      Filesize

      416KB

      Download