Resubmissions

11-03-2021 10:45

210311-swwxrhg7f6 10

10-03-2021 22:39

210310-fs8l6vc2hj 10

28-01-2021 09:49

210128-b3gdrfb24s 10

Analysis

  • max time kernel
    30s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-03-2021 22:39

General

  • Target

    58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe

  • Size

    29KB

  • MD5

    67e49cfcd12103b5ef2f9f331f092dbe

  • SHA1

    72cad5a81ce546b42844b5b8fc2ab55e99f2b5d4

  • SHA256

    58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053

  • SHA512

    21fa0d1be0d5be2da8c4c68357e1e294503d87c21a304c5811669eaa9aba29b6cfcd077d083547e2f41269b12c6a8da5ad2ea0f1613d9a96917ea01c69fcb087

Score
10/10

Malware Config

Extracted

Path

C:\Users\How To Restore Your Files.txt

Ransom Note
Hello! serco.com, we are the BABUK team and you have big security problems, we are not a government hackers, we are only interested in money. We've been surfing inside your network for about 3 weeks and copied more than 1 TB of your data. Down below you can see screenshots of the data we stole. We strongly recommend you to get us in touch and discuss the details of the future deal in our private chat: * How to contact us? ---------------------------------------------- 1) Download Tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://babukq4e2p4wu4iq.onion/login.php?id=dKK7wnOiVHoXdqSrVcb1gxKpC9JICQ We can provide you any amount of proofs of data we stole, in case we do not come to any agreement or you won't text us in near five days, the data will be published in our blog. Links to this blog is private now, but how fast it become public depends only from you. http://gtmx56k4hutn3ikv.onion/?dUIel0o8kfjZf4zUHDbm About the consequences that can appear in case if you won't cooperate with us to resolve this situation: -The price of your stocks will fall down and you will loose much more money than the amount we ask. -Your partners such as NATO, or Belgian Army or anyone else won't be so happy that their secret documents are in free access in the internet. Who knows how the third party can use those documents, we are not responsible for that. -GDPR will arrange the revision of your company and the outcome they figure out will make you cry, this is a fact. -Part of your systems will stay locked and you can't recover it and few years of labor of your employees become meaningless. https://temp.sh/fVAxj/1.png https://temp.sh/VZRcj/2.png https://temp.sh/qpkLy/3.png https://temp.sh/hPkTt/4.png https://temp.sh/ENvac/5.png https://temp.sh/YzAJd/6.png https://temp.sh/eBGdx/7.png https://temp.sh/KAXUW/8.png
URLs

http://babukq4e2p4wu4iq.onion/login.php?id=dKK7wnOiVHoXdqSrVcb1gxKpC9JICQ

http://gtmx56k4hutn3ikv.onion/?dUIel0o8kfjZf4zUHDbm

https://temp.sh/fVAxj/1.png

https://temp.sh/VZRcj/2.png

https://temp.sh/qpkLy/3.png

https://temp.sh/hPkTt/4.png

https://temp.sh/ENvac/5.png

https://temp.sh/YzAJd/6.png

https://temp.sh/eBGdx/7.png

https://temp.sh/KAXUW/8.png

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 17 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe
    "C:\Users\Admin\AppData\Local\Temp\58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1184
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:476
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/476-7-0x0000000000000000-mapping.dmp

  • memory/1184-6-0x0000000000000000-mapping.dmp

  • memory/1712-8-0x0000000000000000-mapping.dmp

  • memory/1784-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

    Filesize

    8KB

  • memory/1784-3-0x0000000001EA0000-0x0000000001EB1000-memory.dmp

    Filesize

    68KB

  • memory/1784-4-0x00000000022B0000-0x00000000022C1000-memory.dmp

    Filesize

    68KB

  • memory/2040-5-0x0000000000000000-mapping.dmp