Analysis
-
max time kernel
17s -
max time network
16s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
23-03-2021 04:23
Static task
static1
Behavioral task
behavioral1
Sample
military.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
military.exe
Resource
win10v20201028
General
-
Target
military.exe
-
Size
79KB
-
MD5
d24e9b0c3a81e884e14596d6047e31be
-
SHA1
0557ae0a95e11e10fe9a33742f8b258b35c0aae6
-
SHA256
1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402
-
SHA512
5f9cfaf495d186c599ffe8fd63b7bf1c775313e38f0397f4f422d0944cfabf1c497b8cf81514d2a5d1ed2631d00f9356d8013fd90efea1bb29d17d7bae2a2ccd
Malware Config
Extracted
C:\How To Restore Your Files.txt
http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/08deb1f2411fcdd93d524213ee3063b9719716e6813e886cb80f21df4a0d3ad5
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: military.exe File opened (read-only) \??\K: military.exe File opened (read-only) \??\L: military.exe File opened (read-only) \??\Z: military.exe File opened (read-only) \??\U: military.exe File opened (read-only) \??\I: military.exe File opened (read-only) \??\O: military.exe File opened (read-only) \??\F: military.exe File opened (read-only) \??\R: military.exe File opened (read-only) \??\T: military.exe File opened (read-only) \??\X: military.exe File opened (read-only) \??\B: military.exe File opened (read-only) \??\Q: military.exe File opened (read-only) \??\E: military.exe File opened (read-only) \??\A: military.exe File opened (read-only) \??\G: military.exe File opened (read-only) \??\H: military.exe File opened (read-only) \??\V: military.exe File opened (read-only) \??\N: military.exe File opened (read-only) \??\M: military.exe File opened (read-only) \??\W: military.exe File opened (read-only) \??\Y: military.exe File opened (read-only) \??\P: military.exe File opened (read-only) \??\S: military.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1436 vssadmin.exe 1664 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1932 military.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1772 vssvc.exe Token: SeRestorePrivilege 1772 vssvc.exe Token: SeAuditPrivilege 1772 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1932 wrote to memory of 1972 1932 military.exe 26 PID 1932 wrote to memory of 1972 1932 military.exe 26 PID 1932 wrote to memory of 1972 1932 military.exe 26 PID 1932 wrote to memory of 1972 1932 military.exe 26 PID 1972 wrote to memory of 1436 1972 cmd.exe 28 PID 1972 wrote to memory of 1436 1972 cmd.exe 28 PID 1972 wrote to memory of 1436 1972 cmd.exe 28 PID 1932 wrote to memory of 2012 1932 military.exe 35 PID 1932 wrote to memory of 2012 1932 military.exe 35 PID 1932 wrote to memory of 2012 1932 military.exe 35 PID 1932 wrote to memory of 2012 1932 military.exe 35 PID 2012 wrote to memory of 1664 2012 cmd.exe 37 PID 2012 wrote to memory of 1664 2012 cmd.exe 37 PID 2012 wrote to memory of 1664 2012 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\military.exe"C:\Users\Admin\AppData\Local\Temp\military.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1436
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1664
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772