Archive: 6059871321227264.zip
Sample: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Size: 79KB
Date: 01-07-2021 04:41
MD5: 65eec80b04f4b8da236e7b9f8627e5e2
SHA1: 47aba918cf1ef166a9868c74003496cf419e6290
SHA256: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06
Filter: none
Signature: Babuk Locker
Description: RaaS first seen in 2021, initially called Vasa Locker.

Signature: Deletes shadow copies
Description: Ransomware often targets backup files to inhibit system recovery.

Signature: Modifies extensions of user files
Process: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Description: Ransomware generally changes the extension on encrypted files.
Reported IOCs (process for every row: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe):
description                  | ioc
File opened for modification | C:\Users\Admin\Pictures\InstallDismount.crw.babyk
File opened for modification | C:\Users\Admin\Pictures\CompressSplit.tiff
File renamed                 | C:\Users\Admin\Pictures\CompressSplit.tiff => C:\Users\Admin\Pictures\CompressSplit.tiff.babyk
File renamed                 | C:\Users\Admin\Pictures\ConvertToUnregister.tif => C:\Users\Admin\Pictures\ConvertToUnregister.tif.babyk
File renamed                 | C:\Users\Admin\Pictures\DisconnectTrace.raw => C:\Users\Admin\Pictures\DisconnectTrace.raw.babyk
File renamed                 | C:\Users\Admin\Pictures\GrantCompress.png => C:\Users\Admin\Pictures\GrantCompress.png.babyk
File opened for modification | C:\Users\Admin\Pictures\GrantCompress.png.babyk
File opened for modification | C:\Users\Admin\Pictures\RepairGrant.tiff
File opened for modification | C:\Users\Admin\Pictures\MergeClear.tif.babyk
File opened for modification | C:\Users\Admin\Pictures\RepairGrant.tiff.babyk
File renamed                 | C:\Users\Admin\Pictures\MergeClear.tif => C:\Users\Admin\Pictures\MergeClear.tif.babyk
File opened for modification | C:\Users\Admin\Pictures\ConvertToUnregister.tif.babyk
File opened for modification | C:\Users\Admin\Pictures\DisconnectTrace.raw.babyk
File opened for modification | C:\Users\Admin\Pictures\ResolveRead.tiff.babyk
File opened for modification | C:\Users\Admin\Pictures\CompressSplit.tiff.babyk
File opened for modification | C:\Users\Admin\Pictures\ResolveRead.tiff
File renamed                 | C:\Users\Admin\Pictures\InstallDismount.crw => C:\Users\Admin\Pictures\InstallDismount.crw.babyk
File renamed                 | C:\Users\Admin\Pictures\RepairGrant.tiff => C:\Users\Admin\Pictures\RepairGrant.tiff.babyk
File renamed                 | C:\Users\Admin\Pictures\ResolveRead.tiff => C:\Users\Admin\Pictures\ResolveRead.tiff.babyk
Signature: Enumerates connected drives
Process: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Description: Attempts to read the root path of hard drives other than the default C: drive.
Reported IOCs (process for every row: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe):
description             | ioc
File opened (read-only) | \??\Q:
File opened (read-only) | \??\W:
File opened (read-only) | \??\I:
File opened (read-only) | \??\G:
File opened (read-only) | \??\H:
File opened (read-only) | \??\J:
File opened (read-only) | \??\K:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\X:
File opened (read-only) | \??\T:
File opened (read-only) | \??\O:
File opened (read-only) | \??\A:
File opened (read-only) | \??\M:
File opened (read-only) | \??\E:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\S:
File opened (read-only) | \??\F:
File opened (read-only) | \??\B:
File opened (read-only) | \??\R:
File opened (read-only) | \??\U:
File opened (read-only) | \??\P:
File opened (read-only) | \??\L:
File opened (read-only) | \??\V:
File opened (read-only) | \??\N:
Signature: Enumerates physical storage devices
Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Signature: Interacts with shadow copies
Processes: vssadmin.exe, vssadmin.exe
Description: Shadow copies are often targeted by ransomware to inhibit system recovery.
Reported IOCs:
pid  | process
1176 | vssadmin.exe
1760 | vssadmin.exe
Signature: Suspicious behavior: EnumeratesProcesses
Process: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Reported IOCs:
pid | process
684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
Signature: Suspicious use of AdjustPrivilegeToken
Process: vssvc.exe
Reported IOCs:
description               | pid  | process
Token: SeBackupPrivilege  | 1956 | vssvc.exe
Token: SeRestorePrivilege | 1956 | vssvc.exe
Token: SeAuditPrivilege   | 1956 | vssvc.exe
Signature: Suspicious use of WriteProcessMemory
Processes: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe, cmd.exe, cmd.exe
Reported IOCs (identical rows collapsed; the count column gives the number of occurrences reported):
description                      | pid  | process                                                               | target process | count
PID 684 wrote to memory of 2004  | 684  | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe        | 4
PID 2004 wrote to memory of 1176 | 2004 | cmd.exe                                                               | vssadmin.exe   | 3
PID 684 wrote to memory of 560   | 684  | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | cmd.exe        | 4
PID 560 wrote to memory of 1760  | 560  | cmd.exe                                                               | vssadmin.exe   | 3
Process tree:
C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe"
  Signatures: Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures: Interacts with shadow copies
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Memory dumps:
memory/560-63-0x0000000000000000-mapping.dmp
memory/684-60-0x0000000075C71000-0x0000000075C73000-memory.dmp
memory/1176-62-0x0000000000000000-mapping.dmp
memory/1760-64-0x0000000000000000-mapping.dmp
memory/2004-61-0x0000000000000000-mapping.dmp