Resubmissions
- 10-03-2021 22:38  210310-1ec6y9jbv2  10
- 10-03-2021 22:29  210310-6hps979wpx  10
- 18-01-2021 14:55  210118-4ydpsw46y2  10

Analysis
- max time kernel: 33s
- max time network: 34s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-03-2021 22:29
Static task: static1

Behavioral task: behavioral1
- Sample: BABUK_2021-01-14_02-37.bin.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: BABUK_2021-01-14_02-37.bin.exe
- Resource: win10v20201028
General
- Target: BABUK_2021-01-14_02-37.bin.exe
- Size: 196KB
- MD5: 9594d3a407ab03fc40b9539c63907bc2
- SHA1: cce903f046fada4ed779539c00976c98ed0b93ee
- SHA256: 8140004ff3cf4923c928708505754497e48d26d822a95d63bd2ed54e14f19766
- SHA512: d7fbdac93b3bf6f1ce133d026746f46dd67165d48c7bc6636eeff01c4701772ad617c851b29ac847f9d795d9b6c65770766bdf1333baf8a61d30bec137f21981
Malware Config
Extracted
- C:\MSOCache\How To Restore Your Files.txt
- http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures

- Babuk Locker
  RaaS first seen in 2021, initially called Vasa Locker.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files.

Processes: BABUK_2021-01-14_02-37.bin.exe

| description | ioc | process |
| --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\ResizeAdd.tiff => C:\Users\Admin\Pictures\ResizeAdd.tiff.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\ResolveGroup.tiff => C:\Users\Admin\Pictures\ResolveGroup.tiff.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\SkipMount.png => C:\Users\Admin\Pictures\SkipMount.png.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\DismountReset.tif => C:\Users\Admin\Pictures\DismountReset.tif.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\DebugCompare.tif => C:\Users\Admin\Pictures\DebugCompare.tif.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File opened for modification | C:\Users\Admin\Pictures\ResizeAdd.tiff | BABUK_2021-01-14_02-37.bin.exe |
| File opened for modification | C:\Users\Admin\Pictures\ResolveGroup.tiff | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\SuspendUnlock.tif => C:\Users\Admin\Pictures\SuspendUnlock.tif.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\SyncDebug.tif => C:\Users\Admin\Pictures\SyncDebug.tif.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\HidePing.crw => C:\Users\Admin\Pictures\HidePing.crw.babyk | BABUK_2021-01-14_02-37.bin.exe |
| File renamed | C:\Users\Admin\Pictures\PublishRemove.crw => C:\Users\Admin\Pictures\PublishRemove.crw.babyk | BABUK_2021-01-14_02-37.bin.exe |
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

Processes: BABUK_2021-01-14_02-37.bin.exe

File opened (read-only) by BABUK_2021-01-14_02-37.bin.exe on each of the following drive roots (one IoC per drive, 24 in total):
\??\Z:, \??\N:, \??\W:, \??\R:, \??\G:, \??\H:, \??\J:, \??\A:, \??\L:, \??\E:, \??\T:, \??\O:, \??\X:, \??\M:, \??\S:, \??\F:, \??\K:, \??\Q:, \??\Y:, \??\U:, \??\I:, \??\P:, \??\V:, \??\B:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.

Processes: vssadmin.exe, vssadmin.exe

| pid | process |
| --- | --- |
| 660 | vssadmin.exe |
| 1424 | vssadmin.exe |
- Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes: BABUK_2021-01-14_02-37.bin.exe

| pid | process |
| --- | --- |
| 1044 | BABUK_2021-01-14_02-37.bin.exe |

The same pid/process pair is recorded for every one of the 64 IoCs.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)

Processes: vssvc.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeBackupPrivilege | 1196 | vssvc.exe |
| Token: SeRestorePrivilege | 1196 | vssvc.exe |
| Token: SeAuditPrivilege | 1196 | vssvc.exe |
- Suspicious use of WriteProcessMemory (14 IoCs)

Processes: BABUK_2021-01-14_02-37.bin.exe, cmd.exe, cmd.exe

| description | pid | process | target process | entries |
| --- | --- | --- | --- | --- |
| PID 1044 wrote to memory of 1912 | 1044 | BABUK_2021-01-14_02-37.bin.exe | cmd.exe | 4 |
| PID 1912 wrote to memory of 660 | 1912 | cmd.exe | vssadmin.exe | 3 |
| PID 1044 wrote to memory of 848 | 1044 | BABUK_2021-01-14_02-37.bin.exe | cmd.exe | 4 |
| PID 848 wrote to memory of 1424 | 848 | cmd.exe | vssadmin.exe | 3 |
Processes

C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe"
  PID: 1044
  Signatures:
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      PID: 1912
      Signatures:
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          PID: 660
          Signatures:
          - Interacts with shadow copies

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      PID: 848
      Signatures:
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
          Command line: vssadmin.exe delete shadows /all /quiet
          PID: 1424
          Signatures:
          - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1196
  Signatures:
  - Suspicious use of AdjustPrivilegeToken