Analysis
-
max time kernel
18s -
max time network
44s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
26-07-2021 12:57
Static task
static1
Behavioral task
behavioral1
Sample
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe
Resource
win10v20210410
General
-
Target
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe
-
Size
79KB
-
MD5
d0cf60b2779a45bc9160e3bffcdf82d6
-
SHA1
5f4f54f118ed571e91012ab61e9dbcee40515338
-
SHA256
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9
-
SHA512
879b805d8eb16777c2db7607c6fa4d34e5853aeabf870420b774027ab78e0ec6f6b63c705e0d84c992ac4ee7d2904f0f4c2eab92a00ed4f261eb8d8662539629
Malware Config
Extracted
C:\How To Restore Your Files.txt
1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exedescription ioc Process File renamed C:\Users\Admin\Pictures\SplitJoin.tif => C:\Users\Admin\Pictures\SplitJoin.tif.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened for modification C:\Users\Admin\Pictures\ReceiveCompare.crw.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened for modification C:\Users\Admin\Pictures\UnpublishSync.raw.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened for modification C:\Users\Admin\Pictures\RenameHide.tiff 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File renamed C:\Users\Admin\Pictures\RenameHide.tiff => C:\Users\Admin\Pictures\RenameHide.tiff.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File renamed C:\Users\Admin\Pictures\ReceiveCompare.crw => C:\Users\Admin\Pictures\ReceiveCompare.crw.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened for modification C:\Users\Admin\Pictures\RenameHide.tiff.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened for modification C:\Users\Admin\Pictures\SplitJoin.tif.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File renamed C:\Users\Admin\Pictures\UnblockSuspend.raw => C:\Users\Admin\Pictures\UnblockSuspend.raw.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File renamed C:\Users\Admin\Pictures\UnpublishSync.raw => C:\Users\Admin\Pictures\UnpublishSync.raw.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened for modification C:\Users\Admin\Pictures\UnblockSuspend.raw.babyk 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exedescription ioc Process File opened (read-only) \??\T: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\O: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\P: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\Z: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\V: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\M: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\E: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\H: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\L: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\X: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\N: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\I: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\Y: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\U: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\S: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\G: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\K: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\R: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\W: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\A: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\F: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\J: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\B: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe File opened (read-only) \??\Q: 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid Process 1980 vssadmin.exe 1992 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exepid Process 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid Process Token: SeBackupPrivilege 2004 vssvc.exe Token: SeRestorePrivilege 2004 vssvc.exe Token: SeAuditPrivilege 2004 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.execmd.execmd.exedescription pid Process procid_target PID 916 wrote to memory of 1936 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 26 PID 916 wrote to memory of 1936 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 26 PID 916 wrote to memory of 1936 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 26 PID 916 wrote to memory of 1936 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 26 PID 1936 wrote to memory of 1980 1936 cmd.exe 28 PID 1936 wrote to memory of 1980 1936 cmd.exe 28 PID 1936 wrote to memory of 1980 1936 cmd.exe 28 PID 916 wrote to memory of 1096 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 35 PID 916 wrote to memory of 1096 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 35 PID 916 wrote to memory of 1096 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 35 PID 916 wrote to memory of 1096 916 2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe 35 PID 1096 wrote to memory of 1992 1096 cmd.exe 37 PID 1096 wrote to memory of 1992 1096 cmd.exe 37 PID 1096 wrote to memory of 1992 1096 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe"C:\Users\Admin\AppData\Local\Temp\2ae5895f6a5f1fe6ee1d5b060b600de7d11655c69c27ad3fbcd348759b7160c9.sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1992
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004