Resubmissions
10-03-2021 22:38
210310-1ec6y9jbv2 1010-03-2021 22:29
210310-6hps979wpx 1018-01-2021 14:55
210118-4ydpsw46y2 10Analysis
-
max time kernel
22s -
max time network
29s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
10-03-2021 22:38
Static task
static1
Behavioral task
behavioral1
Sample
BABUK_2021-01-14_02-37.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
BABUK_2021-01-14_02-37.bin.exe
Resource
win10v20201028
General
-
Target
BABUK_2021-01-14_02-37.bin.exe
-
Size
196KB
-
MD5
9594d3a407ab03fc40b9539c63907bc2
-
SHA1
cce903f046fada4ed779539c00976c98ed0b93ee
-
SHA256
8140004ff3cf4923c928708505754497e48d26d822a95d63bd2ed54e14f19766
-
SHA512
d7fbdac93b3bf6f1ce133d026746f46dd67165d48c7bc6636eeff01c4701772ad617c851b29ac847f9d795d9b6c65770766bdf1333baf8a61d30bec137f21981
Malware Config
Extracted
C:\MSOCache\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\ExpandRestart.raw => C:\Users\Admin\Pictures\ExpandRestart.raw.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\LockRedo.tif => C:\Users\Admin\Pictures\LockRedo.tif.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\RegisterInitialize.raw => C:\Users\Admin\Pictures\RegisterInitialize.raw.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\SwitchCheckpoint.raw => C:\Users\Admin\Pictures\SwitchCheckpoint.raw.babyk BABUK_2021-01-14_02-37.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File opened (read-only) \??\X: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\V: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\M: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\U: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\A: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Z: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\F: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\J: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\K: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\L: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Y: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\O: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\P: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\T: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\I: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\G: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\H: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\N: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Q: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\W: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\E: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\R: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\S: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\B: BABUK_2021-01-14_02-37.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 824 vssadmin.exe 1964 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.exepid process 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe 644 BABUK_2021-01-14_02-37.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1788 vssvc.exe Token: SeRestorePrivilege 1788 vssvc.exe Token: SeAuditPrivilege 1788 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.execmd.execmd.exedescription pid process target process PID 644 wrote to memory of 1068 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 644 wrote to memory of 1068 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 644 wrote to memory of 1068 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 644 wrote to memory of 1068 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 1068 wrote to memory of 1964 1068 cmd.exe vssadmin.exe PID 1068 wrote to memory of 1964 1068 cmd.exe vssadmin.exe PID 1068 wrote to memory of 1964 1068 cmd.exe vssadmin.exe PID 644 wrote to memory of 1588 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 644 wrote to memory of 1588 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 644 wrote to memory of 1588 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 644 wrote to memory of 1588 644 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 1588 wrote to memory of 824 1588 cmd.exe vssadmin.exe PID 1588 wrote to memory of 824 1588 cmd.exe vssadmin.exe PID 1588 wrote to memory of 824 1588 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe"C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:824
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788