Analysis Overview
SHA256
9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd
Threat Level: Known bad
The file 9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Babuk Locker
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Deletes shadow copies
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Themida packer
Checks BIOS information in registry
Reads user/profile data of web browsers
Deletes itself
Enumerates connected drives
Checks installed software on the system
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Interacts with shadow copies
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-26 08:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-26 08:49
Reported
2021-08-26 11:16
Platform
win10v20210410
Max time kernel
152s
Max time network
153s
Command Line
Signatures
Babuk Locker
SmokeLoader
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA8B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\MeasureWait.raw => C:\Users\Admin\Pictures\MeasureWait.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchInstall.tiff | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BlockComplete.tiff | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugUpdate.png => C:\Users\Admin\Pictures\DebugUpdate.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MeasureWait.raw.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PushRequest.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipConfirm.png => C:\Users\Admin\Pictures\SkipConfirm.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DebugUpdate.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MoveUnregister.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PushRequest.png => C:\Users\Admin\Pictures\PushRequest.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchInstall.tiff => C:\Users\Admin\Pictures\SearchInstall.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockComplete.tiff => C:\Users\Admin\Pictures\BlockComplete.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BlockComplete.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveUnregister.png => C:\Users\Admin\Pictures\MoveUnregister.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchInstall.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SkipConfirm.png.babyk | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\BA8B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\BA8B.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\BA8B.exe | N/A |
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA8B.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2692 set thread context of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | C:\Users\Admin\AppData\Local\Temp\AudioB.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BA8B.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AudioB.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe
"C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe"
C:\Users\Admin\AppData\Local\Temp\BA8B.exe
C:\Users\Admin\AppData\Local\Temp\BA8B.exe
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
"C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | aucmoney.com | udp |
| N/A | 8.8.8.8:53 | thegymmum.com | udp |
| N/A | 8.8.8.8:53 | atvcampingtrips.com | udp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 51.254.68.139:15009 | N/A | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
| N/A | 218.51.156.7:80 | atvcampingtrips.com | tcp |
Files
memory/2256-114-0x0000000002CC0000-0x0000000002E0A000-memory.dmp
memory/2256-115-0x0000000000400000-0x0000000002CBB000-memory.dmp
memory/3040-116-0x0000000001200000-0x0000000001216000-memory.dmp
memory/2696-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BA8B.exe
| MD5 | eeb0f28c077d4b7f9740232aa95d93b4 |
| SHA1 | 61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967 |
| SHA256 | 3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af |
| SHA512 | 6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c |
C:\Users\Admin\AppData\Local\Temp\BA8B.exe
| MD5 | eeb0f28c077d4b7f9740232aa95d93b4 |
| SHA1 | 61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967 |
| SHA256 | 3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af |
| SHA512 | 6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c |
memory/2696-121-0x0000000077000000-0x000000007718E000-memory.dmp
memory/2696-122-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
memory/2696-124-0x0000000005FD0000-0x0000000005FD1000-memory.dmp
memory/2696-125-0x0000000003690000-0x0000000003691000-memory.dmp
memory/2696-126-0x00000000059C0000-0x00000000059C1000-memory.dmp
memory/2696-127-0x0000000005810000-0x0000000005811000-memory.dmp
memory/2696-128-0x0000000005850000-0x0000000005851000-memory.dmp
memory/2696-129-0x00000000059B0000-0x00000000059B1000-memory.dmp
memory/2696-130-0x0000000007220000-0x0000000007221000-memory.dmp
memory/2696-131-0x0000000007920000-0x0000000007921000-memory.dmp
memory/2696-132-0x0000000007E50000-0x0000000007E51000-memory.dmp
memory/2696-133-0x00000000073F0000-0x00000000073F1000-memory.dmp
memory/2696-134-0x0000000007510000-0x0000000007511000-memory.dmp
memory/2696-135-0x00000000077F0000-0x00000000077F1000-memory.dmp
memory/2696-136-0x0000000007890000-0x0000000007891000-memory.dmp
memory/2692-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
| MD5 | cf88599048145e4911915215a91527f4 |
| SHA1 | f4ba5c7117736388c4de3442b1d6e4f84628c15d |
| SHA256 | 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0 |
| SHA512 | 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7 |
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
| MD5 | cf88599048145e4911915215a91527f4 |
| SHA1 | f4ba5c7117736388c4de3442b1d6e4f84628c15d |
| SHA256 | 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0 |
| SHA512 | 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7 |
memory/2692-140-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/2692-144-0x0000000005540000-0x0000000005541000-memory.dmp
memory/2692-145-0x0000000005420000-0x0000000005421000-memory.dmp
memory/2692-146-0x0000000005490000-0x0000000005491000-memory.dmp
memory/2692-147-0x0000000005390000-0x0000000005422000-memory.dmp
memory/2692-148-0x0000000009A70000-0x0000000009A81000-memory.dmp
memory/2692-149-0x0000000009CB0000-0x0000000009D4C000-memory.dmp
memory/2692-150-0x000000000C580000-0x000000000C5B1000-memory.dmp
memory/3152-151-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3152-152-0x000000000040ABC0-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioB.exe
| MD5 | cf88599048145e4911915215a91527f4 |
| SHA1 | f4ba5c7117736388c4de3442b1d6e4f84628c15d |
| SHA256 | 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0 |
| SHA512 | 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7 |
memory/2380-154-0x0000000000000000-mapping.dmp
memory/3148-155-0x0000000000000000-mapping.dmp
memory/3152-156-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3628-157-0x0000000000000000-mapping.dmp
memory/2192-158-0x0000000000000000-mapping.dmp