Malware Analysis Report

2024-10-16 03:23

Sample ID 210407-qsebx3ywwa
Target e_win.exe
SHA256 f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683
Tags
babuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683

Threat Level: Known bad

The file e_win.exe was found to be: Known bad.

Malicious Activity Summary

babuk ransomware

Babuk Locker

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Enumerates physical storage devices

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-04-07 09:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-04-07 09:19

Reported

2021-04-07 09:23

Platform

win7v20201028

Max time kernel

18s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e_win.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 2028 wrote to memory of 1776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2028 wrote to memory of 1776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2028 wrote to memory of 1776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1964 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe C:\Windows\System32\cmd.exe
PID 1564 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1564 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1564 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e_win.exe

"C:\Users\Admin\AppData\Local\Temp\e_win.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

memory/1964-2-0x00000000750C1000-0x00000000750C3000-memory.dmp

memory/1964-3-0x0000000000A20000-0x0000000000A31000-memory.dmp

memory/1964-4-0x0000000002250000-0x0000000002261000-memory.dmp

memory/2028-5-0x0000000000000000-mapping.dmp

memory/1776-6-0x0000000000000000-mapping.dmp

memory/1564-7-0x0000000000000000-mapping.dmp

memory/1660-8-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-04-07 09:19

Reported

2021-04-07 09:23

Platform

win10v20201028

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e_win.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DenyWatch.raw => C:\Users\Admin\Pictures\DenyWatch.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File renamed C:\Users\Admin\Pictures\EnableReset.tif => C:\Users\Admin\Pictures\EnableReset.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File renamed C:\Users\Admin\Pictures\RedoNew.raw => C:\Users\Admin\Pictures\RedoNew.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnableReset.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveConnect.raw => C:\Users\Admin\Pictures\ReceiveConnect.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\TestConvertTo.tiff C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File renamed C:\Users\Admin\Pictures\UnpublishResolve.raw => C:\Users\Admin\Pictures\UnpublishResolve.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnpublishResolve.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToExpand.png => C:\Users\Admin\Pictures\ConvertToExpand.png.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertToExpand.png.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\RedoNew.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File renamed C:\Users\Admin\Pictures\TestConvertTo.tiff => C:\Users\Admin\Pictures\TestConvertTo.tiff.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\TestConvertTo.tiff.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\DenyWatch.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReceiveConnect.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e_win.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e_win.exe

"C:\Users\Admin\AppData\Local\Temp\e_win.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

memory/1100-3-0x0000000003450000-0x0000000003451000-memory.dmp

memory/1100-2-0x0000000002C50000-0x0000000002C51000-memory.dmp

memory/3996-4-0x0000000000000000-mapping.dmp

memory/1340-5-0x0000000000000000-mapping.dmp

memory/2968-6-0x0000000000000000-mapping.dmp

memory/1468-7-0x0000000000000000-mapping.dmp