Resubmissions
10-03-2021 22:42
210310-6calh615fj 1010-03-2021 22:38
210310-7j33lwf7tx 1022-01-2021 00:08
210122-dcvdsabdme 10Analysis
-
max time kernel
126s -
max time network
125s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
10-03-2021 22:42
Static task
static1
Behavioral task
behavioral1
Sample
BABUK.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
BABUK.exe
Resource
win10v20201028
General
-
Target
BABUK.exe
-
Size
38KB
-
MD5
be76ed428523b9aefe706aeaa72bb6b2
-
SHA1
b040f2bdee3999aad415396f9f79e43b2aa9452b
-
SHA256
afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430
-
SHA512
d08870197e1234a8e7115fc8bc0a868841054a0f6d3153a9ad77dad1bb077da3c2af3bdeebf53c6304943a3169ef5ae4fde16ce0e45a421e9afc2b4041a07c5b
Malware Config
Extracted
C:\MSOCache\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CompressBlock.tiff => C:\Users\Admin\Pictures\CompressBlock.tiff.babyk BABUK.exe File renamed C:\Users\Admin\Pictures\DebugWait.raw => C:\Users\Admin\Pictures\DebugWait.raw.babyk BABUK.exe File opened for modification C:\Users\Admin\Pictures\BackupCheckpoint.tiff BABUK.exe File opened for modification C:\Users\Admin\Pictures\CompressBlock.tiff BABUK.exe File renamed C:\Users\Admin\Pictures\BackupCheckpoint.tiff => C:\Users\Admin\Pictures\BackupCheckpoint.tiff.babyk BABUK.exe File renamed C:\Users\Admin\Pictures\DebugMerge.tif => C:\Users\Admin\Pictures\DebugMerge.tif.babyk BABUK.exe File opened for modification C:\Users\Admin\Pictures\DenyTrace.tiff BABUK.exe File opened for modification C:\Users\Admin\Pictures\EnterJoin.tiff BABUK.exe File renamed C:\Users\Admin\Pictures\DenyTrace.tiff => C:\Users\Admin\Pictures\DenyTrace.tiff.babyk BABUK.exe File renamed C:\Users\Admin\Pictures\EnterJoin.tiff => C:\Users\Admin\Pictures\EnterJoin.tiff.babyk BABUK.exe File renamed C:\Users\Admin\Pictures\InstallFind.tif => C:\Users\Admin\Pictures\InstallFind.tif.babyk BABUK.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: BABUK.exe File opened (read-only) \??\X: BABUK.exe File opened (read-only) \??\Q: BABUK.exe File opened (read-only) \??\T: BABUK.exe File opened (read-only) \??\I: BABUK.exe File opened (read-only) \??\J: BABUK.exe File opened (read-only) \??\Z: BABUK.exe File opened (read-only) \??\M: BABUK.exe File opened (read-only) \??\E: BABUK.exe File opened (read-only) \??\U: BABUK.exe File opened (read-only) \??\H: BABUK.exe File opened (read-only) \??\B: BABUK.exe File opened (read-only) \??\N: BABUK.exe File opened (read-only) \??\O: BABUK.exe File opened (read-only) \??\K: BABUK.exe File opened (read-only) \??\L: BABUK.exe File opened (read-only) \??\P: BABUK.exe File opened (read-only) \??\A: BABUK.exe File opened (read-only) \??\F: BABUK.exe File opened (read-only) \??\G: BABUK.exe File opened (read-only) \??\V: BABUK.exe File opened (read-only) \??\W: BABUK.exe File opened (read-only) \??\R: BABUK.exe File opened (read-only) \??\Y: BABUK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 524 vssadmin.exe 1968 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe 1340 BABUK.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1536 vssvc.exe Token: SeRestorePrivilege 1536 vssvc.exe Token: SeAuditPrivilege 1536 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1340 wrote to memory of 1984 1340 BABUK.exe 26 PID 1340 wrote to memory of 1984 1340 BABUK.exe 26 PID 1340 wrote to memory of 1984 1340 BABUK.exe 26 PID 1340 wrote to memory of 1984 1340 BABUK.exe 26 PID 1984 wrote to memory of 524 1984 cmd.exe 28 PID 1984 wrote to memory of 524 1984 cmd.exe 28 PID 1984 wrote to memory of 524 1984 cmd.exe 28 PID 1340 wrote to memory of 920 1340 BABUK.exe 35 PID 1340 wrote to memory of 920 1340 BABUK.exe 35 PID 1340 wrote to memory of 920 1340 BABUK.exe 35 PID 1340 wrote to memory of 920 1340 BABUK.exe 35 PID 920 wrote to memory of 1968 920 cmd.exe 37 PID 920 wrote to memory of 1968 920 cmd.exe 37 PID 920 wrote to memory of 1968 920 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\BABUK.exe"C:\Users\Admin\AppData\Local\Temp\BABUK.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:524
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1968
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536