Resubmissions
10-03-2021 22:42
210310-6calh615fj 1010-03-2021 22:38
210310-7j33lwf7tx 1022-01-2021 00:08
210122-dcvdsabdme 10Analysis
-
max time kernel
21s -
max time network
26s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
22-01-2021 00:08
Static task
static1
Behavioral task
behavioral1
Sample
BABUK.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
BABUK.exe
Resource
win10v20201028
General
-
Target
BABUK.exe
-
Size
38KB
-
MD5
be76ed428523b9aefe706aeaa72bb6b2
-
SHA1
b040f2bdee3999aad415396f9f79e43b2aa9452b
-
SHA256
afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430
-
SHA512
d08870197e1234a8e7115fc8bc0a868841054a0f6d3153a9ad77dad1bb077da3c2af3bdeebf53c6304943a3169ef5ae4fde16ce0e45a421e9afc2b4041a07c5b
Malware Config
Extracted
C:\MSOCache\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
BABUK.exedescription ioc process File renamed C:\Users\Admin\Pictures\AddGrant.raw => C:\Users\Admin\Pictures\AddGrant.raw.babyk BABUK.exe File opened for modification C:\Users\Admin\Pictures\MountClose.tiff BABUK.exe File opened for modification C:\Users\Admin\Pictures\ResolveInstall.tiff BABUK.exe File renamed C:\Users\Admin\Pictures\MountClose.tiff => C:\Users\Admin\Pictures\MountClose.tiff.babyk BABUK.exe File renamed C:\Users\Admin\Pictures\ResolveInstall.tiff => C:\Users\Admin\Pictures\ResolveInstall.tiff.babyk BABUK.exe File renamed C:\Users\Admin\Pictures\ConvertResize.tif => C:\Users\Admin\Pictures\ConvertResize.tif.babyk BABUK.exe File opened for modification C:\Users\Admin\Pictures\StopCheckpoint.tiff BABUK.exe File renamed C:\Users\Admin\Pictures\StopCheckpoint.tiff => C:\Users\Admin\Pictures\StopCheckpoint.tiff.babyk BABUK.exe File renamed C:\Users\Admin\Pictures\UnregisterTest.png => C:\Users\Admin\Pictures\UnregisterTest.png.babyk BABUK.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
BABUK.exedescription ioc process File opened (read-only) \??\F: BABUK.exe File opened (read-only) \??\J: BABUK.exe File opened (read-only) \??\Z: BABUK.exe File opened (read-only) \??\X: BABUK.exe File opened (read-only) \??\V: BABUK.exe File opened (read-only) \??\B: BABUK.exe File opened (read-only) \??\T: BABUK.exe File opened (read-only) \??\I: BABUK.exe File opened (read-only) \??\Y: BABUK.exe File opened (read-only) \??\P: BABUK.exe File opened (read-only) \??\S: BABUK.exe File opened (read-only) \??\H: BABUK.exe File opened (read-only) \??\L: BABUK.exe File opened (read-only) \??\Q: BABUK.exe File opened (read-only) \??\W: BABUK.exe File opened (read-only) \??\G: BABUK.exe File opened (read-only) \??\K: BABUK.exe File opened (read-only) \??\M: BABUK.exe File opened (read-only) \??\O: BABUK.exe File opened (read-only) \??\A: BABUK.exe File opened (read-only) \??\U: BABUK.exe File opened (read-only) \??\N: BABUK.exe File opened (read-only) \??\E: BABUK.exe File opened (read-only) \??\R: BABUK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 620 vssadmin.exe 1980 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 115 IoCs
Processes:
BABUK.exepid process 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe 1636 BABUK.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1760 vssvc.exe Token: SeRestorePrivilege 1760 vssvc.exe Token: SeAuditPrivilege 1760 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
BABUK.execmd.execmd.exedescription pid process target process PID 1636 wrote to memory of 1448 1636 BABUK.exe cmd.exe PID 1636 wrote to memory of 1448 1636 BABUK.exe cmd.exe PID 1636 wrote to memory of 1448 1636 BABUK.exe cmd.exe PID 1636 wrote to memory of 1448 1636 BABUK.exe cmd.exe PID 1448 wrote to memory of 1980 1448 cmd.exe vssadmin.exe PID 1448 wrote to memory of 1980 1448 cmd.exe vssadmin.exe PID 1448 wrote to memory of 1980 1448 cmd.exe vssadmin.exe PID 1636 wrote to memory of 536 1636 BABUK.exe cmd.exe PID 1636 wrote to memory of 536 1636 BABUK.exe cmd.exe PID 1636 wrote to memory of 536 1636 BABUK.exe cmd.exe PID 1636 wrote to memory of 536 1636 BABUK.exe cmd.exe PID 536 wrote to memory of 620 536 cmd.exe vssadmin.exe PID 536 wrote to memory of 620 536 cmd.exe vssadmin.exe PID 536 wrote to memory of 620 536 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BABUK.exe"C:\Users\Admin\AppData\Local\Temp\BABUK.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:620
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760