Analysis

  • max time kernel
    18s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 12:57

General

  • Target

    2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe

  • Size

    79KB

  • MD5

    d0cf60b2779a45bc9160e3bffcdf82d6

  • SHA1

    5f4f54f118ed571e91012ab61e9dbcee40515338

  • SHA256

    2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9

  • SHA512

    879b805d8eb16777c2db7607c6fa4d34e5853aeabf870420b774027ab78e0ec6f6b63c705e0d84c992ac4ee7d2904f0f4c2eab92a00ed4f261eb8d8662539629

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
--------------- Hello --------------- *** By BABUCK LOCKER *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0,006 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to [email protected] 3) Launch decryptor.exe, which our support will send you through email What guarantees? ----------------------------------------------------- We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ----------------------------------------------------- !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/916-60-0x0000000075011000-0x0000000075013000-memory.dmp

    Filesize

    8KB

  • memory/1096-63-0x0000000000000000-mapping.dmp

  • memory/1936-61-0x0000000000000000-mapping.dmp

  • memory/1980-62-0x0000000000000000-mapping.dmp

  • memory/1992-64-0x0000000000000000-mapping.dmp