Resubmissions
10-03-2021 22:38
210310-1ec6y9jbv2 1010-03-2021 22:29
210310-6hps979wpx 1018-01-2021 14:55
210118-4ydpsw46y2 10Analysis
-
max time kernel
34s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-01-2021 14:55
Static task
static1
Behavioral task
behavioral1
Sample
BABUK_2021-01-14_02-37.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
BABUK_2021-01-14_02-37.bin.exe
Resource
win10v20201028
General
-
Target
BABUK_2021-01-14_02-37.bin.exe
-
Size
196KB
-
MD5
9594d3a407ab03fc40b9539c63907bc2
-
SHA1
cce903f046fada4ed779539c00976c98ed0b93ee
-
SHA256
8140004ff3cf4923c928708505754497e48d26d822a95d63bd2ed54e14f19766
-
SHA512
d7fbdac93b3bf6f1ce133d026746f46dd67165d48c7bc6636eeff01c4701772ad617c851b29ac847f9d795d9b6c65770766bdf1333baf8a61d30bec137f21981
Malware Config
Extracted
C:\Boot\bg-BG\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\DisconnectCompress.tif => C:\Users\Admin\Pictures\DisconnectCompress.tif.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\AssertShow.tif => C:\Users\Admin\Pictures\AssertShow.tif.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\ExitEnable.raw => C:\Users\Admin\Pictures\ExitEnable.raw.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\RevokeMove.png => C:\Users\Admin\Pictures\RevokeMove.png.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\AddProtect.raw => C:\Users\Admin\Pictures\AddProtect.raw.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\CloseComplete.crw => C:\Users\Admin\Pictures\CloseComplete.crw.babyk BABUK_2021-01-14_02-37.bin.exe -
Drops startup file 1 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt BABUK_2021-01-14_02-37.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File opened (read-only) \??\I: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\G: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\L: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\B: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\N: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\T: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\O: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\A: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Z: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\K: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Q: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\W: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\R: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\U: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\P: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\S: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\H: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\X: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\E: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Y: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\F: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\J: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\V: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\M: BABUK_2021-01-14_02-37.bin.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 4304 vssadmin.exe 4592 vssadmin.exe -
Modifies Control Panel 1 IoCs
Processes:
ShellExperienceHost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors ShellExperienceHost.exe -
Suspicious behavior: EnumeratesProcesses 284 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.exepid process 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe 4772 BABUK_2021-01-14_02-37.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3356 vssvc.exe Token: SeRestorePrivilege 3356 vssvc.exe Token: SeAuditPrivilege 3356 vssvc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ShellExperienceHost.exepid process 1376 ShellExperienceHost.exe 1376 ShellExperienceHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.execmd.execmd.exedescription pid process target process PID 4772 wrote to memory of 4232 4772 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 4772 wrote to memory of 4232 4772 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 4232 wrote to memory of 4304 4232 cmd.exe vssadmin.exe PID 4232 wrote to memory of 4304 4232 cmd.exe vssadmin.exe PID 4772 wrote to memory of 4512 4772 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 4772 wrote to memory of 4512 4772 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 4512 wrote to memory of 4592 4512 cmd.exe vssadmin.exe PID 4512 wrote to memory of 4592 4512 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe"C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4304 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4592
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:1376