Analysis
-
max time kernel
150s -
max time network
91s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
25-01-2021 20:45
Static task
static1
Behavioral task
behavioral1
Sample
babuk_v4.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
babuk_v4.exe
Resource
win10v20201028
General
-
Target
babuk_v4.exe
-
Size
30KB
-
MD5
9478050023c7f8668df4fc39b0ddd79c
-
SHA1
7925725cfb04d796f497e5142cba62860fbf87a9
-
SHA256
3dda3ee9164d6815a18a2c23651a53c35d52e3a5ad375001ec824cf532c202e6
-
SHA512
74bbf45112de1bf0d51ab0295118035a7e2c2028dd9b03bb8e222b9ccf6e077014c6b5d211b9d3ebe6434a41d883bcae14a0a3e969550ef094b30b73a38514e9
Malware Config
Extracted
C:\MSOCache\How To Restore Your Files.txt
http://gtmx56k4hutn3ikv.onion/?h2giV0RRxo38Z2pWhBTs
http://gtmx56k4hutn3ikv.onion/
http://babukq4e2p4wu4iq.onion/login.php?id=MNn0Flxa2JVxrT2gAiMfYdmAzyvUGi
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\RevokeConvertTo.png.babyk babuk_v4.exe File opened for modification C:\Users\Admin\Pictures\TestLimit.tiff babuk_v4.exe File renamed C:\Users\Admin\Pictures\TestLimit.tiff => C:\Users\Admin\Pictures\TestLimit.tiff.babyk babuk_v4.exe File opened for modification C:\Users\Admin\Pictures\TestLimit.tiff.babyk babuk_v4.exe File renamed C:\Users\Admin\Pictures\ConfirmExpand.png => C:\Users\Admin\Pictures\ConfirmExpand.png.babyk babuk_v4.exe File opened for modification C:\Users\Admin\Pictures\ConfirmExpand.png.babyk babuk_v4.exe File renamed C:\Users\Admin\Pictures\RevokeConvertTo.png => C:\Users\Admin\Pictures\RevokeConvertTo.png.babyk babuk_v4.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: babuk_v4.exe File opened (read-only) \??\S: babuk_v4.exe File opened (read-only) \??\V: babuk_v4.exe File opened (read-only) \??\Q: babuk_v4.exe File opened (read-only) \??\W: babuk_v4.exe File opened (read-only) \??\R: babuk_v4.exe File opened (read-only) \??\O: babuk_v4.exe File opened (read-only) \??\P: babuk_v4.exe File opened (read-only) \??\X: babuk_v4.exe File opened (read-only) \??\E: babuk_v4.exe File opened (read-only) \??\Y: babuk_v4.exe File opened (read-only) \??\U: babuk_v4.exe File opened (read-only) \??\A: babuk_v4.exe File opened (read-only) \??\F: babuk_v4.exe File opened (read-only) \??\G: babuk_v4.exe File opened (read-only) \??\J: babuk_v4.exe File opened (read-only) \??\Z: babuk_v4.exe File opened (read-only) \??\B: babuk_v4.exe File opened (read-only) \??\N: babuk_v4.exe File opened (read-only) \??\I: babuk_v4.exe File opened (read-only) \??\H: babuk_v4.exe File opened (read-only) \??\K: babuk_v4.exe File opened (read-only) \??\L: babuk_v4.exe File opened (read-only) \??\M: babuk_v4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1156 vssadmin.exe 864 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 111 IoCs
pid Process 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe 1832 babuk_v4.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1832 babuk_v4.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1972 vssvc.exe Token: SeRestorePrivilege 1972 vssvc.exe Token: SeAuditPrivilege 1972 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1832 wrote to memory of 1044 1832 babuk_v4.exe 26 PID 1832 wrote to memory of 1044 1832 babuk_v4.exe 26 PID 1832 wrote to memory of 1044 1832 babuk_v4.exe 26 PID 1832 wrote to memory of 1044 1832 babuk_v4.exe 26 PID 1044 wrote to memory of 1156 1044 cmd.exe 28 PID 1044 wrote to memory of 1156 1044 cmd.exe 28 PID 1044 wrote to memory of 1156 1044 cmd.exe 28 PID 1832 wrote to memory of 564 1832 babuk_v4.exe 35 PID 1832 wrote to memory of 564 1832 babuk_v4.exe 35 PID 1832 wrote to memory of 564 1832 babuk_v4.exe 35 PID 1832 wrote to memory of 564 1832 babuk_v4.exe 35 PID 564 wrote to memory of 864 564 cmd.exe 37 PID 564 wrote to memory of 864 564 cmd.exe 37 PID 564 wrote to memory of 864 564 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\babuk_v4.exe"C:\Users\Admin\AppData\Local\Temp\babuk_v4.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:864
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972