Resubmissions
10-03-2021 22:38
210310-1ec6y9jbv2 1010-03-2021 22:29
210310-6hps979wpx 1018-01-2021 14:55
210118-4ydpsw46y2 10Analysis
-
max time kernel
40s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
10-03-2021 22:29
Static task
static1
Behavioral task
behavioral1
Sample
BABUK_2021-01-14_02-37.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
BABUK_2021-01-14_02-37.bin.exe
Resource
win10v20201028
General
-
Target
BABUK_2021-01-14_02-37.bin.exe
-
Size
196KB
-
MD5
9594d3a407ab03fc40b9539c63907bc2
-
SHA1
cce903f046fada4ed779539c00976c98ed0b93ee
-
SHA256
8140004ff3cf4923c928708505754497e48d26d822a95d63bd2ed54e14f19766
-
SHA512
d7fbdac93b3bf6f1ce133d026746f46dd67165d48c7bc6636eeff01c4701772ad617c851b29ac847f9d795d9b6c65770766bdf1333baf8a61d30bec137f21981
Malware Config
Extracted
C:\Boot\bg-BG\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\FormatUse.tif => C:\Users\Admin\Pictures\FormatUse.tif.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\OutCopy.crw => C:\Users\Admin\Pictures\OutCopy.crw.babyk BABUK_2021-01-14_02-37.bin.exe File opened for modification C:\Users\Admin\Pictures\SetSave.tiff BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\SetSave.tiff => C:\Users\Admin\Pictures\SetSave.tiff.babyk BABUK_2021-01-14_02-37.bin.exe File opened for modification C:\Users\Admin\Pictures\StopEnter.tiff BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\ProtectTrace.png => C:\Users\Admin\Pictures\ProtectTrace.png.babyk BABUK_2021-01-14_02-37.bin.exe File renamed C:\Users\Admin\Pictures\StopEnter.tiff => C:\Users\Admin\Pictures\StopEnter.tiff.babyk BABUK_2021-01-14_02-37.bin.exe -
Drops startup file 1 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt BABUK_2021-01-14_02-37.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
BABUK_2021-01-14_02-37.bin.exedescription ioc process File opened (read-only) \??\Q: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\R: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Y: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\O: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\P: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\F: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\L: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\X: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\E: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\T: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\U: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\K: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\Z: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\B: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\M: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\A: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\S: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\V: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\W: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\I: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\G: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\H: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\J: BABUK_2021-01-14_02-37.bin.exe File opened (read-only) \??\N: BABUK_2021-01-14_02-37.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 3820 vssadmin.exe 3932 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.exepid process 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe 3920 BABUK_2021-01-14_02-37.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 204 vssvc.exe Token: SeRestorePrivilege 204 vssvc.exe Token: SeAuditPrivilege 204 vssvc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ShellExperienceHost.exepid process 3156 ShellExperienceHost.exe 3156 ShellExperienceHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
BABUK_2021-01-14_02-37.bin.execmd.execmd.exedescription pid process target process PID 3920 wrote to memory of 2804 3920 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 3920 wrote to memory of 2804 3920 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 2804 wrote to memory of 3820 2804 cmd.exe vssadmin.exe PID 2804 wrote to memory of 3820 2804 cmd.exe vssadmin.exe PID 3920 wrote to memory of 264 3920 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 3920 wrote to memory of 264 3920 BABUK_2021-01-14_02-37.bin.exe cmd.exe PID 264 wrote to memory of 3932 264 cmd.exe vssadmin.exe PID 264 wrote to memory of 3932 264 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe"C:\Users\Admin\AppData\Local\Temp\BABUK_2021-01-14_02-37.bin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3932
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:204
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3156