Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7v20210410
submitted: 13-04-2021 18:31
Static task: static1
Behavioral task: behavioral1
  Sample: 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe
  Resource: win10v20210410
The signatures, process tree and memory dumps below are from behavioral1 (platform windows7_x64, resource win7v20210410).
General
Target: 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe
Size: 79KB
MD5: 16c7212928b23a170cebb12935a933fa
SHA1: 5d316698dfe20b8fcdc881dbf68632b13af11d0f
SHA256: 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb
SHA512: 1f3f9d2486f0d2af768dd7d3537e98a97e856318a06e6a01972c1f58c8029151cfa29cdfaceff098daf8d7ac30bbe6b7bf1aa09c3c44f33ffda8cf0d08f98f0c
Malware Config
Extracted from: C:\How To Restore Your Files.txt
URLs:
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/faca5581ddd262c4cfa85446f862883116ce07b04c69202579d8292ca1fb8a18/
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/
http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/24a5bd3358eb457250046982645af76f346a5f5401a0e6175641860fd476a18a
Signatures

Babuk Locker
Ransomware-as-a-service (RaaS) first seen in 2021, initially called Vasa Locker.

Deletes shadow copies (2 TTPs)
Ransomware often deletes shadow copies and other backups to inhibit system recovery.

Modifies extensions of user files (15 IoCs)
Ransomware generally changes the extension of the files it encrypts; this sample keeps the original file name and appends .babyk to it.
Processes:
Process for every entry below: 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe (PID 1092)
description | ioc
File opened for modification | C:\Users\Admin\Pictures\UnprotectConvert.png.babyk
File renamed | C:\Users\Admin\Pictures\InstallLimit.raw => C:\Users\Admin\Pictures\InstallLimit.raw.babyk
File opened for modification | C:\Users\Admin\Pictures\InstallLimit.raw.babyk
File opened for modification | C:\Users\Admin\Pictures\PushProtect.tiff
File renamed | C:\Users\Admin\Pictures\UnprotectConvert.png => C:\Users\Admin\Pictures\UnprotectConvert.png.babyk
File renamed | C:\Users\Admin\Pictures\MeasureUpdate.tif => C:\Users\Admin\Pictures\MeasureUpdate.tif.babyk
File opened for modification | C:\Users\Admin\Pictures\MergeInitialize.tif.babyk
File renamed | C:\Users\Admin\Pictures\MergeInitialize.tif => C:\Users\Admin\Pictures\MergeInitialize.tif.babyk
File opened for modification | C:\Users\Admin\Pictures\GroupClose.raw.babyk
File opened for modification | C:\Users\Admin\Pictures\MeasureUpdate.tif.babyk
File renamed | C:\Users\Admin\Pictures\MountTrace.crw => C:\Users\Admin\Pictures\MountTrace.crw.babyk
File opened for modification | C:\Users\Admin\Pictures\MountTrace.crw.babyk
File renamed | C:\Users\Admin\Pictures\PushProtect.tiff => C:\Users\Admin\Pictures\PushProtect.tiff.babyk
File opened for modification | C:\Users\Admin\Pictures\PushProtect.tiff.babyk
File renamed | C:\Users\Admin\Pictures\GroupClose.raw => C:\Users\Admin\Pictures\GroupClose.raw.babyk
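The rename pattern above (original name kept, one new suffix appended, many files from one process) is the part of this behaviour that a file-event detector can key on without knowing the extension in advance. The following is an added example, not code from the sandbox or from the Babuk operators: it replays constructed rename events built from the seven "File renamed" IoCs listed above and flags any process that appends the same suffix to at least a threshold number of distinct files. The (pid, image, src, dst) event schema, the benign WINWORD.EXE event used as noise and the threshold value are assumptions.

```python
"""Detect a process that mass-renames user files by appending one new extension.

Added example, not part of the sandbox report. The event tuples are
constructed from the "File renamed" IoCs above; the (pid, image, src, dst)
schema, the benign WINWORD.EXE event and the threshold are assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe")
PICS = r"C:\Users\Admin\Pictures"

# Constructed rename events: (pid, image, old path, new path).
# The first seven mirror the report's IoCs (PID 1092 is the sample's PID in the report).
RENAME_EVENTS = [
    (1092, SAMPLE, PICS + r"\InstallLimit.raw",     PICS + r"\InstallLimit.raw.babyk"),
    (1092, SAMPLE, PICS + r"\UnprotectConvert.png", PICS + r"\UnprotectConvert.png.babyk"),
    (1092, SAMPLE, PICS + r"\MeasureUpdate.tif",    PICS + r"\MeasureUpdate.tif.babyk"),
    (1092, SAMPLE, PICS + r"\MergeInitialize.tif",  PICS + r"\MergeInitialize.tif.babyk"),
    (1092, SAMPLE, PICS + r"\MountTrace.crw",       PICS + r"\MountTrace.crw.babyk"),
    (1092, SAMPLE, PICS + r"\PushProtect.tiff",     PICS + r"\PushProtect.tiff.babyk"),
    (1092, SAMPLE, PICS + r"\GroupClose.raw",       PICS + r"\GroupClose.raw.babyk"),
    # Constructed benign noise: a user saving a document under a new name.
    (2200, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"C:\Users\Admin\Documents\draft.docx", r"C:\Users\Admin\Documents\draft-v2.docx"),
]


def appended_extension(src, dst):
    """Return the suffix appended to the whole original file name, or None.

    Ransomware typically keeps the original name (including its extension)
    and appends its own marker, so 'a.raw' -> 'a.raw.babyk' yields '.babyk',
    while an ordinary rename such as 'draft.docx' -> 'draft-v2.docx' yields None.
    """
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    if s.parent != d.parent or not d.name.startswith(s.name + "."):
        return None
    return d.name[len(s.name):]


def find_mass_rename(events, threshold=5):
    """Group rename events by (pid, image, appended extension) and report the
    groups that touched at least `threshold` distinct source files."""
    groups = defaultdict(set)
    for pid, image, src, dst in events:
        ext = appended_extension(src, dst)
        if ext:
            groups[(pid, image, ext.lower())].add(src.lower())
    return {key: len(files) for key, files in groups.items() if len(files) >= threshold}


if __name__ == "__main__":
    for (pid, image, ext), count in find_mass_rename(RENAME_EVENTS).items():
        print(f"ALERT pid={pid} appended {ext} to {count} files: {image}")
```

Running the block reports PID 1092 appending .babyk to seven files and stays silent on the Word rename. In production the threshold should be evaluated per time window rather than over the whole event stream, and the "File opened for modification" events on the already-renamed .babyk files are a second signal (the encryptor writing ciphertext into the renamed file) that the same grouping can absorb.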
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process for every entry below: 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe
description | ioc
File opened (read-only), in the order observed: \??\Q: \??\O: \??\P: \??\F: \??\G: \??\V: \??\W: \??\E: \??\T: \??\Y: \??\Z: \??\X: \??\M: \??\R: \??\U: \??\I: \??\J: \??\K: \??\L: \??\B: \??\A: \??\S: \??\H: \??\N:
Every drive letter from A: to Z: except C: (excluded by the signature) and D: appears in the list, i.e. the sample probes every possible volume, including network and removable drives, rather than only the ones that exist.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1980 | vssadmin.exe
1740 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeBackupPrivilege | 1720 | vssvc.exe
Token: SeRestorePrivilege | 1720 | vssvc.exe
Token: SeAuditPrivilege | 1720 | vssvc.exe
vssvc.exe is the Volume Shadow Copy service that vssadmin.exe talks to; these privilege adjustments are the service carrying out the requested deletion, not code belonging to the sample.
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description | pid | process | target process
PID 1092 wrote to memory of 1416 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1092 wrote to memory of 1416 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1092 wrote to memory of 1416 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1092 wrote to memory of 1416 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1416 wrote to memory of 1980 | 1416 | cmd.exe | vssadmin.exe
PID 1416 wrote to memory of 1980 | 1416 | cmd.exe | vssadmin.exe
PID 1416 wrote to memory of 1980 | 1416 | cmd.exe | vssadmin.exe
PID 1092 wrote to memory of 1924 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1092 wrote to memory of 1924 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1092 wrote to memory of 1924 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1092 wrote to memory of 1924 | 1092 | 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe | cmd.exe
PID 1924 wrote to memory of 1740 | 1924 | cmd.exe | vssadmin.exe
PID 1924 wrote to memory of 1740 | 1924 | cmd.exe | vssadmin.exe
PID 1924 wrote to memory of 1740 | 1924 | cmd.exe | vssadmin.exe
Every target is the writing process's own direct child (sample -> cmd.exe -> vssadmin.exe), so these writes are consistent with ordinary process start-up by the parent rather than injection into an unrelated process.
Processes
PIDs are taken from the WriteProcessMemory and AdjustPrivilegeToken entries above; indentation shows parent/child depth.

C:\Users\Admin\AppData\Local\Temp\18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe (PID 1092)
Command line: "C:\Users\Admin\AppData\Local\Temp\18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (PID 1416, child of 1092)
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe (PID 1980, child of 1416)
    Command line: vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies

  C:\Windows\System32\cmd.exe (PID 1924, child of 1092)
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe (PID 1740, child of 1924)
    Command line: vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 1720)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
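The tree shows the part of this chain that matters for detection: vssadmin.exe never runs directly under the sample but is wrapped in cmd.exe /c, so a rule that only looks at the immediate parent of vssadmin.exe sees a shell and attributes the deletion to it. The following is an added example, not code from the sandbox or from the sample: it replays constructed process-creation records built from the tree above (PIDs as reported), matches the shadow-copy deletion on the command line of whichever process carries it, and walks up through shell wrappers to the process that actually requested it. The (pid, ppid, image, cmdline) record schema and the benign records for PIDs 3000 and 3001 are assumptions.

```python
"""Attribute a shadow-copy deletion to the process that really requested it.

Added example, not part of the sandbox report. The Proc records are
constructed from the process tree above (PIDs as the report lists them);
the (pid, ppid, image, cmdline) schema and the benign records for PIDs
3000/3001 are assumptions.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]   # None when the parent was not recorded
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb.exe")
CMD = r"C:\Windows\System32\cmd.exe"
VSSADMIN = r"C:\Windows\system32\vssadmin.exe"
DELETE_ALL = "vssadmin.exe delete shadows /all /quiet"

# Constructed from the tree above; the last two records are benign admin activity.
PROCS = [
    Proc(1092, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(1416, 1092, CMD, f'"{CMD}" /c {DELETE_ALL}'),
    Proc(1980, 1416, VSSADMIN, DELETE_ALL),
    Proc(1924, 1092, CMD, f'"{CMD}" /c {DELETE_ALL}'),
    Proc(1740, 1924, VSSADMIN, DELETE_ALL),
    Proc(1720, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    Proc(3000, None, CMD, f'"{CMD}"'),
    Proc(3001, 3000, VSSADMIN, "vssadmin.exe list shadows"),
]

# Tolerates "vssadmin" with or without ".exe", any case, and any flags between the verbs.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}  # wrappers to look through when attributing


def ancestry(proc, by_pid):
    """Walk parent links upward, stopping at unknown parents or cycles."""
    chain, seen = [proc], {proc.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        parent = by_pid[chain[-1].ppid]
        seen.add(parent.pid)
        chain.append(parent)
    return chain


def originator(proc, by_pid):
    """Nearest ancestor that is not a shell wrapper, or None if the chain ends in one."""
    for p in ancestry(proc, by_pid)[1:]:
        if p.image.rsplit("\\", 1)[-1].lower() not in SHELLS:
            return p
    return None


def find_shadow_deletion(procs):
    """Map originating PID -> sorted PIDs whose command line deletes shadow copies.

    Both the cmd.exe wrapper and the vssadmin.exe child match, so the chain is
    still caught when only one of the two process-creation events was logged.
    """
    by_pid = {p.pid: p for p in procs}
    findings = defaultdict(set)
    for p in procs:
        if SHADOW_DELETE.search(p.cmdline):
            origin = originator(p, by_pid)
            findings[origin.pid if origin else None].add(p.pid)
    return {origin: sorted(pids) for origin, pids in findings.items()}


if __name__ == "__main__":
    by_pid = {p.pid: p for p in PROCS}
    for origin, pids in find_shadow_deletion(PROCS).items():
        image = by_pid[origin].image if origin in by_pid else "<unknown>"
        print(f"ALERT shadow-copy deletion requested by PID {origin} ({image}) via {pids}")
```

On the constructed records both chains collapse to a single finding against PID 1092, the sample in the user's Temp directory, and the administrator's vssadmin.exe list shadows is ignored. A finding whose originator is None (the wrapper shell has no recorded parent) still deserves an alert; it just cannot be attributed further from process-creation data alone.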
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
memory/1092-60-0x0000000076E11000-0x0000000076E13000-memory.dmp (8KB)
memory/1416-61-0x0000000000000000-mapping.dmp
memory/1740-64-0x0000000000000000-mapping.dmp
memory/1924-63-0x0000000000000000-mapping.dmp
memory/1980-62-0x0000000000000000-mapping.dmp