Malware Analysis Report

2024-10-16 03:24

Sample ID 210628-et5dbrtdr6
Target e_win.bin
SHA256 028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc
Tags
babuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc

Threat Level: Known bad

The file e_win.bin was found to be: Known bad.

Malicious Activity Summary

babuk ransomware

Babuk Locker

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Enumerates physical storage devices

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-06-28 14:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-06-28 14:57

Reported

2021-06-28 15:00

Platform

win10v20210410

Max time kernel

23s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\EditImport.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandConnect.tif => C:\Users\Admin\Pictures\ExpandConnect.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveSuspend.tiff => C:\Users\Admin\Pictures\ReceiveSuspend.tiff.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReceiveSuspend.tiff.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveConvertTo.crw => C:\Users\Admin\Pictures\ResolveConvertTo.crw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveConvertTo.crw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File renamed C:\Users\Admin\Pictures\TestReceive.tif => C:\Users\Admin\Pictures\TestReceive.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File renamed C:\Users\Admin\Pictures\UndoShow.tif => C:\Users\Admin\Pictures\UndoShow.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\UndoShow.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File renamed C:\Users\Admin\Pictures\EditImport.raw => C:\Users\Admin\Pictures\EditImport.raw.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandConnect.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReceiveSuspend.tiff C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\TestReceive.tif.babyk C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe

"C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How To Restore Your Files.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

memory/1756-114-0x0000000000000000-mapping.dmp

memory/4072-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\How To Restore Your Files.txt

MD5 1cb251ec0d568de6a929b520c4aed8d1
SHA1 372ea08cab33e71c02c651dbc83a474d32c676ea
SHA256 982d9e3eb996f559e633f4d194def3761d909f5a3b647d1a851fead67c32c9d1
SHA512 eaf2c12742cb8c161bcbd84b032b9bb98999a23282542672ca01cc6edd268f7dce9987ad6b2bc79305634f89d90b90102bcd59a57e7135b8e3ceb93c0597117b

memory/3144-117-0x0000000000000000-mapping.dmp

memory/3084-118-0x0000000000000000-mapping.dmp