Analysis

  • max time kernel
    76s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-en-20210916
  • submitted
    17-09-2021 13:47

General

  • Target

    2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe

  • Size

    189KB

  • MD5

    3abc424623ccc9beb2521af2cf398bcc

  • SHA1

    8411b13100ce1128a0d7672d18b7eb4f605ed20f

  • SHA256

    2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce

  • SHA512

    273c21f0ef47228ac0db7fc317a5b6916627461c29d503d68d28670d86a5fda6a39f55124218380a60002da520bf7ad1c4cd9f63dd1e74e628459184f45ce33a

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
***************************
* AstraLocker *
***************************

What happend?
----------------------------------------------
All Your files has been succesfully encrypted by AstraRansomware.

What is AstraLocker?
----------------------------------------------
AstraLocker is a modifiend version of a BabukLocker
More about BabukLocker: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/

Can I get My files back?
----------------------------------------------
Sure! But You dont have much time for this. Your computer is infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without my help.

What can I do to get my files back?
----------------------------------------------
You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only.

What guarantees?
----------------------------------------------
I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data.

How do I pay, where do I get Monero or Bitcoin?
----------------------------------------------
Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin.
Amount of Bitcoin to pay: 0,00111 BTC (Bitcoin) or Amount of Monero to pay: 0.20 XMR (Monero)

Where i can pay?
----------------------------------------------
Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS
Bitcoin Addres: bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez

Contact
----------------------------------------------
After payment contact: [email protected] to get the decryptor

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!
***************************
* AstraLocker *
***************************
Wallets

bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez

URLs

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe
    "C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
      "C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1512
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1880
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\How To Restore Your Files.txt
    1⤵
    PID:468

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

      MD5

      8d622a6f37a1fb60dec715e05516b508

      SHA1

      2a002f331c7356fccc2bf42c2ed2f3d3efd7767f

      SHA256

      e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9

      SHA512

      21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa

    • C:\Users\Public\Desktop\How To Restore Your Files.txt

      MD5

      00a5956169037088a772613dba6f8c79

      SHA1

      66e27513dd1d87ba64002e834c1cf296198656bb

      SHA256

      f5d91ab8838d0ad26e364940281e55d2d7be7551671c47cf653b4df80539f3a1

      SHA512

      47bdd65a129ee40c5f7dd9ef48ccddcc5a1cc6059018de32e4beb6bffe66e5934e42aa33743387cd7d9e95f41310a29cd5d1b113aecbb3c9b8f42531f1cf1bbf

    • \Users\Admin\AppData\Local\Temp\E_WIN.EXE

      MD5

      8d622a6f37a1fb60dec715e05516b508

      SHA1

      2a002f331c7356fccc2bf42c2ed2f3d3efd7767f

      SHA256

      e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9

      SHA512

      21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa

    • memory/468-63-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

      Filesize

      8KB

    • memory/568-56-0x0000000000000000-mapping.dmp

    • memory/692-62-0x0000000000000000-mapping.dmp

    • memory/1324-59-0x0000000000000000-mapping.dmp

    • memory/1512-60-0x0000000000000000-mapping.dmp

    • memory/1868-53-0x0000000074AC1000-0x0000000074AC3000-memory.dmp

      Filesize

      8KB

    • memory/2044-61-0x0000000000000000-mapping.dmp