Analysis Overview
SHA256
f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683
Threat Level: Known bad
The file e_win.exe was found to be: Known bad.
Malicious Activity Summary
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-04-07 09:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-04-07 09:19
Reported
2021-04-07 09:23
Platform
win7v20201028
Max time kernel
18s
Max time network
16s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e_win.exe
"C:\Users\Admin\AppData\Local\Temp\e_win.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
memory/1964-2-0x00000000750C1000-0x00000000750C3000-memory.dmp
memory/1964-3-0x0000000000A20000-0x0000000000A31000-memory.dmp
memory/1964-4-0x0000000002250000-0x0000000002261000-memory.dmp
memory/2028-5-0x0000000000000000-mapping.dmp
memory/1776-6-0x0000000000000000-mapping.dmp
memory/1564-7-0x0000000000000000-mapping.dmp
memory/1660-8-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-04-07 09:19
Reported
2021-04-07 09:23
Platform
win10v20201028
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\DenyWatch.raw => C:\Users\Admin\Pictures\DenyWatch.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnableReset.tif => C:\Users\Admin\Pictures\EnableReset.tif.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RedoNew.raw => C:\Users\Admin\Pictures\RedoNew.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnableReset.tif.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveConnect.raw => C:\Users\Admin\Pictures\ReceiveConnect.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\TestConvertTo.tiff | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishResolve.raw => C:\Users\Admin\Pictures\UnpublishResolve.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnpublishResolve.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertToExpand.png => C:\Users\Admin\Pictures\ConvertToExpand.png.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertToExpand.png.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RedoNew.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestConvertTo.tiff => C:\Users\Admin\Pictures\TestConvertTo.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\TestConvertTo.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyWatch.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReceiveConnect.raw.babyk | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e_win.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1100 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\e_win.exe | C:\Windows\System32\cmd.exe |
| PID 1100 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\e_win.exe | C:\Windows\System32\cmd.exe |
| PID 1100 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\e_win.exe | C:\Windows\System32\cmd.exe |
| PID 1100 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\e_win.exe | C:\Windows\System32\cmd.exe |
| PID 3996 wrote to memory of 2968 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 3996 wrote to memory of 2968 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 1340 wrote to memory of 1468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 1340 wrote to memory of 1468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e_win.exe
"C:\Users\Admin\AppData\Local\Temp\e_win.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
memory/1100-3-0x0000000003450000-0x0000000003451000-memory.dmp
memory/1100-2-0x0000000002C50000-0x0000000002C51000-memory.dmp
memory/3996-4-0x0000000000000000-mapping.dmp
memory/1340-5-0x0000000000000000-mapping.dmp
memory/2968-6-0x0000000000000000-mapping.dmp
memory/1468-7-0x0000000000000000-mapping.dmp