Bad Rabbit Ransomware | VMRay Analyzer Report
Try VMRay Analyzer
Analysis Information
Creation Time 2017-10-25 17:16 (UTC+2)
VM Analysis Duration Time -
Execution Successful True
Sample Filename ifzkkpwij.exe
Command Line Parameters False
Prescript False
Number of Processes 62
Termination Reason Timeout
Reputation Enabled True
Download Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 24
VTI Rule Type Default (PE, ...)
Tags
#badrabbit #ransomware #kernalcode
attention Privileged kernel code was executed during the analysis. Refer to the kernel analysis section on the left for further details.
Remarks
Critical The file extraction total size limit was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration.
Critical The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration.
Critical The operating system was rebooted during the analysis.
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The overall sleep time of all monitored processes was truncated from 23 minutes to 30 seconds to reveal dormant functionality.
Screenshots
Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot
Monitored Processes
Process Graph


ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x948 Analysis Target High (Elevated) ifzkkpwij.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe" -
#2 0x960 Child Process High (Elevated) rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 #1
#3 0x974 Child Process High (Elevated) cmd.exe /c schtasks /Delete /F /TN rhaegal #2
#4 0x988 Child Process High (Elevated) schtasks.exe schtasks /Delete /F /TN rhaegal #3
#5 0x998 Child Process High (Elevated) cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1550063777 && exit" #2
#6 0x9b0 Child Process High (Elevated) cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:34:00 #2
#7 0x9b8 Child Process High (Elevated) schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1550063777 && exit" #5
#8 0x9d4 Child Process High (Elevated) 41d0.tmp "C:\Windows\41D0.tmp" \\.\pipe\{2FDFCF81-BD74-41C3-9115-F628925CC568} #2
#9 0x9f0 Child Process High (Elevated) schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:34:00 #6
#10 0x6c0 Created Scheduled Job System (Elevated) taskeng.exe taskeng.exe {E7027C3A-1DB2-40E8-88FC-68D4A38CC290} S-1-5-18:NT AUTHORITY\System:Service: #7
#11 0x5bc Created Scheduled Job High (Elevated) taskeng.exe taskeng.exe {896F3D9B-55A7-4F1F-A74F-2820A0C0801C} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] #7
#12 0xa38 Child Process High (Elevated) cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: #2
#13 0xa4c Child Process High (Elevated) wevtutil.exe wevtutil cl Setup #12
#14 0xa58 Child Process High (Elevated) wevtutil.exe wevtutil cl System #12
#15 0xa64 Child Process High (Elevated) wevtutil.exe wevtutil cl Security #12
#16 0xa70 Child Process High (Elevated) wevtutil.exe wevtutil cl Application #12
#17 0xa7c Child Process High (Elevated) fsutil.exe fsutil usn deletejournal /D C: #12
#18 0xa84 Child Process High (Elevated) cmd.exe /c schtasks /Delete /F /TN drogon #2
#19 0x444 Created Scheduled Job System (Elevated) taskeng.exe taskeng.exe {4222EA2E-0F28-4DC3-9F30-F6A79682CE97} S-1-5-18:NT AUTHORITY\System:Service: #9
#20 0x4 Kernel Analysis System (Elevated) System - -
#21 0x108 Child Process System (Elevated) smss.exe \SystemRoot\System32\smss.exe #20
#22 0x14c Child Process System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #21
#23 0x17c Child Process System (Elevated) wininit.exe wininit.exe #21
#24 0x188 Child Process System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #21
#25 0x1b4 Child Process System (Elevated) winlogon.exe winlogon.exe #21
#26 0x1d8 Child Process System (Elevated) services.exe C:\Windows\system32\services.exe #23
#27 0x1e0 Child Process System (Elevated) lsass.exe C:\Windows\system32\lsass.exe #23
#28 0x1e8 Child Process System (Elevated) lsm.exe C:\Windows\system32\lsm.exe #23
#29 0x25c Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch #26
#30 0x2a0 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k RPCSS #26
#31 0x2d0 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted #26
#32 0x318 Child Process System (Elevated) logonui.exe "LogonUI.exe" /flags:0x0 #25
#33 0x33c Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted #26
#34 0x374 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #26
#35 0x3b0 Child Process System (Elevated) audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x2e4 #31
#36 0x11c Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalService #26
#37 0x138 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k NetworkService #26
#38 0x424 Child Process System (Elevated) dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} #29
#39 0x43c Child Process System (Elevated) spoolsv.exe C:\Windows\System32\spoolsv.exe #26
#40 0x47c Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork #26
#41 0x4a0 Child Process Medium taskhost.exe "taskhost.exe" #26
#42 0x4d4 Child Process Medium userinit.exe C:\Windows\system32\userinit.exe #25
#43 0x4e4 Child Process Medium dwm.exe "C:\Windows\system32\Dwm.exe" #33
#44 0x4f0 Child Process Medium explorer.exe C:\Windows\Explorer.EXE #42
#45 0x588 Child Process Medium bcssync.exe "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices #44
#46 0x590 Child Process Medium runonce.exe C:\Windows\SysWOW64\runonce.exe /Run6432 #44
#47 0x628 Child Process Medium dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #29
#48 0x678 Child Process Medium reader_sl.exe "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe" #46
#49 0x688 Child Process Medium adobearm.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" #46
#50 0x698 Child Process Medium jusched.exe "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" #46
#51 0x7ec Child Process System (Elevated) taskhost.exe taskhost.exe SYSTEM #26
#52 0x338 Child Process System (Elevated) cmd.exe C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1550063777 && exit #19
#54 0x34c Child Process System (Elevated) dispci.exe "C:\Windows\dispci.exe" -id 1550063777 #52
#56 0x5f8 Child Process System (Elevated) cmd.exe /c schtasks /Delete /F /TN rhaegal #54
#57 0x650 Child Process System (Elevated) cmd.exe /c schtasks /Delete /F /TN drogon #54
#60 0x69c Child Process System (Elevated) cmd.exe /c schtasks /Create /SC ONCE /TN viserion_1 /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:20:00 #54
#62 0x6fc Child Process System (Elevated) cmd.exe /c schtasks /Delete /F /TN viserion_0 #54
#64 0x708 Child Process Medium dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #29
#65 0x72c Child Process System (Elevated) schtasks.exe schtasks /Delete /F /TN rhaegal #56
#66 0x684 Child Process System (Elevated) schtasks.exe schtasks /Create /SC ONCE /TN viserion_1 /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:20:00 #60
#67 0x558 Child Process System (Elevated) schtasks.exe schtasks /Delete /F /TN drogon #57
#68 0x644 Child Process System (Elevated) schtasks.exe schtasks /Delete /F /TN viserion_0 #62
Sample Information
ID #19992
MD5 Hash Value fbbdc39af1139aebba4da004475e8839
SHA1 Hash Value de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 Hash Value 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
Filename ifzkkpwij.exe
File Size 431.54 KB (441899 bytes)
File Type Windows Exe (x86-32)
Analyzer and Virtual Machine Information
Analyzer Version 2.2.0
Analyzer Build Date 2017-10-17 16:08
Internet Explorer Version 8.0.7601.17514
Chrome Version 58.0.3029.110
Firefox Version 25.0
Flash Version 10.3.183.75
Java Version 7.0.450
VM Name win7_64_sp1
VM Architecture x86 64-bit
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image