Analysis
-
max time kernel
123s -
max time network
170s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
01-07-2021 18:09
Static task
static1
Behavioral task
behavioral1
Sample
e_win.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
e_win.bin.exe
Resource
win10v20210408
General
-
Target
e_win.bin.exe
-
Size
79KB
-
MD5
e5adc80639046a5c69bcfeee458e0833
-
SHA1
d9e3f9edda5df290b5be6fb1d335b750dd7c6758
-
SHA256
ea95f131bd9b49104d9e7ae83335254549ded9d71d557c6e4746740aecca2c85
-
SHA512
c11a24e14ba5fa2b0e2c2b544dd4218ce4c8caae3db7cebd5b0305223f96bde09c9bd237cb8d32768f30118f7be73240971e772f7a89db7c0fba5c6105107e3a
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
e_win.bin.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\MergeShow.tif.babyk e_win.bin.exe File renamed C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.babyk e_win.bin.exe File opened for modification C:\Users\Admin\Pictures\SplitInstall.crw.babyk e_win.bin.exe File renamed C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.babyk e_win.bin.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromExport.raw.babyk e_win.bin.exe File renamed C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.babyk e_win.bin.exe File opened for modification C:\Users\Admin\Pictures\FormatHide.raw.babyk e_win.bin.exe File renamed C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.babyk e_win.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e_win.bin.exedescription ioc process File opened (read-only) \??\R: e_win.bin.exe File opened (read-only) \??\P: e_win.bin.exe File opened (read-only) \??\K: e_win.bin.exe File opened (read-only) \??\L: e_win.bin.exe File opened (read-only) \??\Q: e_win.bin.exe File opened (read-only) \??\T: e_win.bin.exe File opened (read-only) \??\Y: e_win.bin.exe File opened (read-only) \??\U: e_win.bin.exe File opened (read-only) \??\I: e_win.bin.exe File opened (read-only) \??\A: e_win.bin.exe File opened (read-only) \??\H: e_win.bin.exe File opened (read-only) \??\Z: e_win.bin.exe File opened (read-only) \??\V: e_win.bin.exe File opened (read-only) \??\B: e_win.bin.exe File opened (read-only) \??\N: e_win.bin.exe File opened (read-only) \??\M: e_win.bin.exe File opened (read-only) \??\W: e_win.bin.exe File opened (read-only) \??\E: e_win.bin.exe File opened (read-only) \??\G: e_win.bin.exe File opened (read-only) \??\J: e_win.bin.exe File opened (read-only) \??\O: e_win.bin.exe File opened (read-only) \??\S: e_win.bin.exe File opened (read-only) \??\F: e_win.bin.exe File opened (read-only) \??\X: e_win.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1772 vssadmin.exe 996 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
e_win.bin.exepid process 2016 e_win.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 772 vssvc.exe Token: SeRestorePrivilege 772 vssvc.exe Token: SeAuditPrivilege 772 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
e_win.bin.execmd.execmd.exedescription pid process target process PID 2016 wrote to memory of 1648 2016 e_win.bin.exe cmd.exe PID 2016 wrote to memory of 1648 2016 e_win.bin.exe cmd.exe PID 2016 wrote to memory of 1648 2016 e_win.bin.exe cmd.exe PID 2016 wrote to memory of 1648 2016 e_win.bin.exe cmd.exe PID 1648 wrote to memory of 1772 1648 cmd.exe vssadmin.exe PID 1648 wrote to memory of 1772 1648 cmd.exe vssadmin.exe PID 1648 wrote to memory of 1772 1648 cmd.exe vssadmin.exe PID 2016 wrote to memory of 1104 2016 e_win.bin.exe cmd.exe PID 2016 wrote to memory of 1104 2016 e_win.bin.exe cmd.exe PID 2016 wrote to memory of 1104 2016 e_win.bin.exe cmd.exe PID 2016 wrote to memory of 1104 2016 e_win.bin.exe cmd.exe PID 1104 wrote to memory of 996 1104 cmd.exe vssadmin.exe PID 1104 wrote to memory of 996 1104 cmd.exe vssadmin.exe PID 1104 wrote to memory of 996 1104 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe"C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:996
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772