Analysis
-
max time kernel
124s -
max time network
125s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
10-03-2021 22:26
Static task
static1
Behavioral task
behavioral1
Sample
550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
Resource
win10v20201028
General
-
Target
550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe
-
Size
22KB
-
MD5
64f7ac45f930fe0ae05f6a6102ddb511
-
SHA1
499c21991aecc205fd9c64784909d94eb34a9a71
-
SHA256
550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf
-
SHA512
864f551b85dcacfc6ecb0af94292c520366889c09287b1c34fb2971113744ef364eff8c4b77739baa25a8456be3f7bb8b7d19ab21c241b7330bf0a22f63abcd5
Malware Config
Extracted
C:\MSOCache\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=6iAq0NR1jS3TgDD3OoEiWFHJpUPrGc
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\RestoreRevoke.tiff => C:\Users\Admin\Pictures\RestoreRevoke.tiff.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\SelectMove.png => C:\Users\Admin\Pictures\SelectMove.png.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\StepJoin.tiff => C:\Users\Admin\Pictures\StepJoin.tiff.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\EnterSplit.tif => C:\Users\Admin\Pictures\EnterSplit.tif.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\RedoRevoke.png => C:\Users\Admin\Pictures\RedoRevoke.png.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\RemoveDisconnect.tiff => C:\Users\Admin\Pictures\RemoveDisconnect.tiff.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\RequestSet.tif => C:\Users\Admin\Pictures\RequestSet.tif.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened for modification C:\Users\Admin\Pictures\RestoreRevoke.tiff 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened for modification C:\Users\Admin\Pictures\StepJoin.tiff 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\EnableLimit.png => C:\Users\Admin\Pictures\EnableLimit.png.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File renamed C:\Users\Admin\Pictures\MergeFind.tif => C:\Users\Admin\Pictures\MergeFind.tif.babuk2 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened for modification C:\Users\Admin\Pictures\RemoveDisconnect.tiff 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\Q: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\W: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\T: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\I: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\P: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\H: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\K: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\B: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\Z: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\E: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\Y: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\O: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\A: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\G: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\J: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\N: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\R: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\U: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\S: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\F: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\L: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\X: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe File opened (read-only) \??\M: 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2004 vssadmin.exe 888 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1456 vssvc.exe Token: SeRestorePrivilege 1456 vssvc.exe Token: SeAuditPrivilege 1456 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1652 wrote to memory of 1940 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 26 PID 1652 wrote to memory of 1940 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 26 PID 1652 wrote to memory of 1940 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 26 PID 1652 wrote to memory of 1940 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 26 PID 1940 wrote to memory of 2004 1940 cmd.exe 28 PID 1940 wrote to memory of 2004 1940 cmd.exe 28 PID 1940 wrote to memory of 2004 1940 cmd.exe 28 PID 1652 wrote to memory of 1704 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 37 PID 1652 wrote to memory of 1704 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 37 PID 1652 wrote to memory of 1704 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 37 PID 1652 wrote to memory of 1704 1652 550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe 37 PID 1704 wrote to memory of 888 1704 cmd.exe 39 PID 1704 wrote to memory of 888 1704 cmd.exe 39 PID 1704 wrote to memory of 888 1704 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe"C:\Users\Admin\AppData\Local\Temp\550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf.bin.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:888
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456