Overview

overview

10

Static

static

10

5665f10896...86.exe

windows7_x64

10

5665f10896...86.exe

windows10_x64

7

Analysis

  • max time kernel
    94s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-08-2021 04:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5665f108965c55a2d3ebcbbb50b03786.exe

  • Size

    107KB

  • MD5

    5665f108965c55a2d3ebcbbb50b03786

  • SHA1

    5f3500c5d5f646383e06033fb0650d9b83da98a8

  • SHA256

    a32770d46ee2ee5b91cc36e5159868ec3ff7f847e7516d7bcb952f7a94e347a2

  • SHA512

    cb6e052712ace47f371efdc93309ecc3bc7e85d897dc64e85c8fac3e436a3a714ffd140d465daf87a3f911f89bfbf4db90fe1bd7f579f5d108de51ace342b0fb

Score
10/10
babukdiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
Hi, friend. Your files are encrypted. And you can't do anything with them. If you want to restore them, contact us via telegram @username312321 Price - 350 $ You can pay with BTC - bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93
Wallets

bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 21 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5665f108965c55a2d3ebcbbb50b03786.exe
    "C:\Users\Admin\AppData\Local\Temp\5665f108965c55a2d3ebcbbb50b03786.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
      "C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
        "C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:828
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2028
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:524
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/748-80-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/748-76-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/748-79-0x0000000075801000-0x0000000075803000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1360-73-0x0000000008260000-0x00000000082FC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1360-67-0x0000000000010000-0x0000000000011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-74-0x0000000001FB0000-0x0000000001FE1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1360-69-0x0000000004D70000-0x0000000004D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-72-0x0000000001E20000-0x0000000001E31000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1360-71-0x0000000004D71000-0x0000000004D72000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-70-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1832-60-0x0000000000C70000-0x0000000000C71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1832-62-0x0000000004810000-0x0000000004811000-memory.dmp

    Filesize

    4KB

    Download