Analysis
- max time kernel: 24s
- max time network: 31s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 01-07-2021 04:38
Behavioral tasks
- behavioral1: Sample 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe, Resource win7v20210408
- behavioral2: Sample 155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe, Resource win10v20210408
- behavioral3: Sample 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe, Resource win7v20210410
- behavioral4: Sample 8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe, Resource win10v20210408
- behavioral5: Sample 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe, Resource win7v20210410
- behavioral6: Sample 9a9bf626d4a3e9afe613f7eaa347acac600de2aecc45a5706aa2ba386625eed6.exe, Resource win10v20210410
- behavioral7: Sample a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe, Resource win7v20210408
- behavioral8: Sample a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe, Resource win10v20210410
General
- Target: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
- Size: 79KB
- MD5: 65eec80b04f4b8da236e7b9f8627e5e2
- SHA1: 47aba918cf1ef166a9868c74003496cf419e6290
- SHA256: a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06
- SHA512: b5c45d833fc86e42c340b08d630218fde1f816bb36c3a5920553bddf8f2acd1b6951eb402dff5e82add7f623b76e6ee5414fbdaa293df0579776fc5cad62fbd9
Malware Config
Signatures
- Babuk Locker
  RaaS first seen in 2021, initially called Vasa Locker.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (19 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Pictures\InstallDismount.crw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\CompressSplit.tiff | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\CompressSplit.tiff => C:\Users\Admin\Pictures\CompressSplit.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\ConvertToUnregister.tif => C:\Users\Admin\Pictures\ConvertToUnregister.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\DisconnectTrace.raw => C:\Users\Admin\Pictures\DisconnectTrace.raw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\GrantCompress.png => C:\Users\Admin\Pictures\GrantCompress.png.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\GrantCompress.png.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\RepairGrant.tiff | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\MergeClear.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\RepairGrant.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\MergeClear.tif => C:\Users\Admin\Pictures\MergeClear.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\ConvertToUnregister.tif.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\DisconnectTrace.raw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\ResolveRead.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\CompressSplit.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened for modification | C:\Users\Admin\Pictures\ResolveRead.tiff | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\InstallDismount.crw => C:\Users\Admin\Pictures\InstallDismount.crw.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\RepairGrant.tiff => C:\Users\Admin\Pictures\RepairGrant.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File renamed | C:\Users\Admin\Pictures\ResolveRead.tiff => C:\Users\Admin\Pictures\ResolveRead.tiff.babyk | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Q: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\W: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\I: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\G: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\H: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\J: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\K: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\Z: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\X: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\T: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\O: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\A: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\M: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\E: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\Y: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\S: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\F: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\B: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\R: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\U: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\P: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\L: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\V: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
  File opened (read-only) | \??\N: | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1176 | vssadmin.exe
  1760 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1956 | vssvc.exe
  Token: SeRestorePrivilege | 1956 | vssvc.exe
  Token: SeAuditPrivilege | 1956 | vssvc.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 26
  PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 26
  PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 26
  PID 684 wrote to memory of 2004 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 26
  PID 2004 wrote to memory of 1176 | 2004 | cmd.exe | 28
  PID 2004 wrote to memory of 1176 | 2004 | cmd.exe | 28
  PID 2004 wrote to memory of 1176 | 2004 | cmd.exe | 28
  PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 32
  PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 32
  PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 32
  PID 684 wrote to memory of 560 | 684 | a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe | 32
  PID 560 wrote to memory of 1760 | 560 | cmd.exe | 34
  PID 560 wrote to memory of 1760 | 560 | cmd.exe | 34
  PID 560 wrote to memory of 1760 | 560 | cmd.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 684
  - C:\Windows\System32\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    PID: 2004
    - C:\Windows\system32\vssadmin.exe (level 3)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 1176
  - C:\Windows\System32\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    PID: 560
    - C:\Windows\system32\vssadmin.exe (level 3)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 1760
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1956