6059871321227264.zip

General

Target: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Filesize: 79KB
Completed: 01-07-2021 04:41
Score: 10/10
MD5: 65eec80b04f4b8da236e7b9f8627e5e2
SHA1: 47aba918cf1ef166a9868c74003496cf419e6290
SHA256: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06

Malware Config
Signatures 9

  • Babuk Locker

    Description

    RaaS first seen in 2021, initially called Vasa Locker.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies extensions of user files
    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\InstallDismount.crw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\CompressSplit.tiff | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\CompressSplit.tiff => C:\Users\Admin\Pictures\CompressSplit.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\ConvertToUnregister.tif => C:\Users\Admin\Pictures\ConvertToUnregister.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\DisconnectTrace.raw => C:\Users\Admin\Pictures\DisconnectTrace.raw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\GrantCompress.png => C:\Users\Admin\Pictures\GrantCompress.png.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\GrantCompress.png.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\RepairGrant.tiff | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\MergeClear.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\RepairGrant.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\MergeClear.tif => C:\Users\Admin\Pictures\MergeClear.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\ConvertToUnregister.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\DisconnectTrace.raw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\ResolveRead.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\CompressSplit.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened for modification | C:\Users\Admin\Pictures\ResolveRead.tiff | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\InstallDismount.crw => C:\Users\Admin\Pictures\InstallDismount.crw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\RepairGrant.tiff => C:\Users\Admin\Pictures\RepairGrant.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File renamed | C:\Users\Admin\Pictures\ResolveRead.tiff => C:\Users\Admin\Pictures\ResolveRead.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  • Enumerates connected drives
    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\Q: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\W: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\I: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\G: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\H: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\J: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\K: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\Z: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\X: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\T: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\O: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\A: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\M: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\E: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\Y: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\S: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\F: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\B: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\R: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\U: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\P: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\L: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\V: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    File opened (read-only) | \??\N: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Interacts with shadow copies
    vssadmin.exe, vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1176 | vssadmin.exe
    1760 | vssadmin.exe
  • Suspicious behavior: EnumeratesProcesses
    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe

    Reported IOCs

    pid | process
    684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 1956 | vssvc.exe
    Token: SeRestorePrivilege | 1956 | vssvc.exe
    Token: SeAuditPrivilege | 1956 | vssvc.exe
  • Suspicious use of WriteProcessMemory
    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 2004 wrote to memory of 1176 | 2004 | cmd.exe | vssadmin.exe
    PID 2004 wrote to memory of 1176 | 2004 | cmd.exe | vssadmin.exe
    PID 2004 wrote to memory of 1176 | 2004 | cmd.exe | vssadmin.exe
    PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe
    PID 560 wrote to memory of 1760 | 560 | cmd.exe | vssadmin.exe
    PID 560 wrote to memory of 1760 | 560 | cmd.exe | vssadmin.exe
    PID 560 wrote to memory of 1760 | 560 | cmd.exe | vssadmin.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    "C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe"
    Modifies extensions of user files
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:684
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:1176
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:1760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1956
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/560-63-0x0000000000000000-mapping.dmp
  • memory/684-60-0x0000000075C71000-0x0000000075C73000-memory.dmp
  • memory/1176-62-0x0000000000000000-mapping.dmp
  • memory/1760-64-0x0000000000000000-mapping.dmp
  • memory/2004-61-0x0000000000000000-mapping.dmp