Resubmissions
11-03-2021 10:45
210311-swwxrhg7f6 1010-03-2021 22:39
210310-fs8l6vc2hj 1028-01-2021 09:49
210128-b3gdrfb24s 10Analysis
-
max time kernel
19s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-01-2021 09:49
Static task
static1
Behavioral task
behavioral1
Sample
58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe
Resource
win10v20201028
General
-
Target
58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe
-
Size
29KB
-
MD5
67e49cfcd12103b5ef2f9f331f092dbe
-
SHA1
72cad5a81ce546b42844b5b8fc2ab55e99f2b5d4
-
SHA256
58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053
-
SHA512
21fa0d1be0d5be2da8c4c68357e1e294503d87c21a304c5811669eaa9aba29b6cfcd077d083547e2f41269b12c6a8da5ad2ea0f1613d9a96917ea01c69fcb087
Malware Config
Extracted
C:\Users\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=dKK7wnOiVHoXdqSrVcb1gxKpC9JICQ
http://gtmx56k4hutn3ikv.onion/?dUIel0o8kfjZf4zUHDbm
https://temp.sh/fVAxj/1.png
https://temp.sh/VZRcj/2.png
https://temp.sh/qpkLy/3.png
https://temp.sh/hPkTt/4.png
https://temp.sh/ENvac/5.png
https://temp.sh/YzAJd/6.png
https://temp.sh/eBGdx/7.png
https://temp.sh/KAXUW/8.png
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\UnprotectUninstall.tiff 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File renamed C:\Users\Admin\Pictures\UnprotectUninstall.tiff => C:\Users\Admin\Pictures\UnprotectUninstall.tiff.babyk 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened for modification C:\Users\Admin\Pictures\UnprotectUninstall.tiff.babyk 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File renamed C:\Users\Admin\Pictures\RenameGrant.raw => C:\Users\Admin\Pictures\RenameGrant.raw.babyk 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened for modification C:\Users\Admin\Pictures\RenameGrant.raw.babyk 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File renamed C:\Users\Admin\Pictures\RenameReset.tif => C:\Users\Admin\Pictures\RenameReset.tif.babyk 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened for modification C:\Users\Admin\Pictures\RenameReset.tif.babyk 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\Y: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\U: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\H: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\K: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\L: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\A: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\B: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\M: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\Q: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\T: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\O: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\G: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\Z: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\X: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\W: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\E: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\I: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\P: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\S: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\F: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\J: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\V: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe File opened (read-only) \??\N: 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2920 vssadmin.exe 1332 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3084 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe 3084 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 940 vssvc.exe Token: SeRestorePrivilege 940 vssvc.exe Token: SeAuditPrivilege 940 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3084 wrote to memory of 2876 3084 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe 75 PID 3084 wrote to memory of 2876 3084 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe 75 PID 2876 wrote to memory of 2920 2876 cmd.exe 77 PID 2876 wrote to memory of 2920 2876 cmd.exe 77 PID 3084 wrote to memory of 2748 3084 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe 80 PID 3084 wrote to memory of 2748 3084 58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe 80 PID 2748 wrote to memory of 1332 2748 cmd.exe 82 PID 2748 wrote to memory of 1332 2748 cmd.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe"C:\Users\Admin\AppData\Local\Temp\58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1332
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940