Overview

overview

10

Static

static

10

155eaec829...23.exe

windows7_x64

10

155eaec829...23.exe

windows10_x64

10

8a68388787...97.exe

windows7_x64

10

8a68388787...97.exe

windows10_x64

10

9a9bf626d4...d6.exe

windows7_x64

10

9a9bf626d4...d6.exe

windows10_x64

10

a9fb354944...06.exe

windows7_x64

10

a9fb354944...06.exe

windows10_x64

10

Analysis

  • max time kernel
    24s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    01-07-2021 04:38

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe

  • Size

    79KB

  • MD5

    65eec80b04f4b8da236e7b9f8627e5e2

  • SHA1

    47aba918cf1ef166a9868c74003496cf419e6290

  • SHA256

    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06

  • SHA512

    b5c45d833fc86e42c340b08d630218fde1f816bb36c3a5920553bddf8f2acd1b6951eb402dff5e82add7f623b76e6ee5414fbdaa293df0579776fc5cad62fbd9

Score
10/10
babukransomware

Malware Config

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 19 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    "C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe"
    Modifies extensions of user files
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:684
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:1176
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:1760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1956

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

File Deletion

2
T1107

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Execution

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

  • memory/560-63-0x0000000000000000-mapping.dmp
    Download
  • memory/684-60-0x0000000075C71000-0x0000000075C73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1176-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1760-64-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-61-0x0000000000000000-mapping.dmp
    Download