Analysis
-
max time kernel
18s -
max time network
123s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
10-08-2021 00:23
Static task
static1
Behavioral task
behavioral1
Sample
e_win.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
e_win.bin.exe
Resource
win10v20210408
General
-
Target
e_win.bin.exe
-
Size
79KB
-
MD5
6ce7f33dc923d162788aa3236483701c
-
SHA1
97395d6f9474638c0d97596a0613aaea04daa547
-
SHA256
e2dc8fb92ff49643931fe736d002d42f2fb86ba5642ebf44ecbec674a77d8227
-
SHA512
0d5ac1d3e3e1ee34c94af6288f82ae663f32fb1383aa6b85f16a6691a139743e16f5a25cfcabbc8428d564cb297d90a381a2863c162a01876779c017ae2141df
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
e_win.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.babyk e_win.bin.exe File opened for modification C:\Users\Admin\Pictures\ImportSync.png.babyk e_win.bin.exe File opened for modification C:\Users\Admin\Pictures\InitializeFormat.tiff e_win.bin.exe File renamed C:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.babyk e_win.bin.exe File opened for modification C:\Users\Admin\Pictures\InitializeFormat.tiff.babyk e_win.bin.exe File renamed C:\Users\Admin\Pictures\RestoreMove.png => C:\Users\Admin\Pictures\RestoreMove.png.babyk e_win.bin.exe File opened for modification C:\Users\Admin\Pictures\RestoreMove.png.babyk e_win.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e_win.bin.exedescription ioc process File opened (read-only) \??\I: e_win.bin.exe File opened (read-only) \??\P: e_win.bin.exe File opened (read-only) \??\H: e_win.bin.exe File opened (read-only) \??\W: e_win.bin.exe File opened (read-only) \??\L: e_win.bin.exe File opened (read-only) \??\N: e_win.bin.exe File opened (read-only) \??\A: e_win.bin.exe File opened (read-only) \??\E: e_win.bin.exe File opened (read-only) \??\S: e_win.bin.exe File opened (read-only) \??\F: e_win.bin.exe File opened (read-only) \??\G: e_win.bin.exe File opened (read-only) \??\Z: e_win.bin.exe File opened (read-only) \??\B: e_win.bin.exe File opened (read-only) \??\M: e_win.bin.exe File opened (read-only) \??\Q: e_win.bin.exe File opened (read-only) \??\T: e_win.bin.exe File opened (read-only) \??\Y: e_win.bin.exe File opened (read-only) \??\U: e_win.bin.exe File opened (read-only) \??\O: e_win.bin.exe File opened (read-only) \??\J: e_win.bin.exe File opened (read-only) \??\K: e_win.bin.exe File opened (read-only) \??\X: e_win.bin.exe File opened (read-only) \??\R: e_win.bin.exe File opened (read-only) \??\V: e_win.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 3560 vssadmin.exe 4008 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
e_win.bin.exepid process 3492 e_win.bin.exe 3492 e_win.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 200 vssvc.exe Token: SeRestorePrivilege 200 vssvc.exe Token: SeAuditPrivilege 200 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
e_win.bin.execmd.execmd.exedescription pid process target process PID 3492 wrote to memory of 2560 3492 e_win.bin.exe cmd.exe PID 3492 wrote to memory of 2560 3492 e_win.bin.exe cmd.exe PID 2560 wrote to memory of 3560 2560 cmd.exe vssadmin.exe PID 2560 wrote to memory of 3560 2560 cmd.exe vssadmin.exe PID 3492 wrote to memory of 3760 3492 e_win.bin.exe cmd.exe PID 3492 wrote to memory of 3760 3492 e_win.bin.exe cmd.exe PID 3760 wrote to memory of 4008 3760 cmd.exe vssadmin.exe PID 3760 wrote to memory of 4008 3760 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe"C:\Users\Admin\AppData\Local\Temp\e_win.bin.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4008
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:200