Analysis

  • max time kernel
    17s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    01-07-2021 04:38

General

  • Target

    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe

  • Size

    79KB

  • MD5

    65eec80b04f4b8da236e7b9f8627e5e2

  • SHA1

    47aba918cf1ef166a9868c74003496cf419e6290

  • SHA256

    a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06

  • SHA512

    b5c45d833fc86e42c340b08d630218fde1f816bb36c3a5920553bddf8f2acd1b6951eb402dff5e82add7f623b76e6ee5414fbdaa293df0579776fc5cad62fbd9

Score
10/10

Malware Config

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies ⋅ 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files ⋅ 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives ⋅ 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies ⋅ 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe
    "C:\Users\Admin\AppData\Local\Temp\a9fb354944ee5879b6e13381952889c604d850fe18ef552185a1c228b3bb3d06.exe"
    Modifies extensions of user files
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:3868
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:2288
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2300

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • memory/1716-114-0x0000000000000000-mapping.dmp
                    • memory/2288-117-0x0000000000000000-mapping.dmp
                    • memory/3868-115-0x0000000000000000-mapping.dmp
                    • memory/4076-116-0x0000000000000000-mapping.dmp