babuk | 2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce

General

Target

2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe
Size

189KB
MD5

3abc424623ccc9beb2521af2cf398bcc
SHA1

8411b13100ce1128a0d7672d18b7eb4f605ed20f
SHA256

2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
SHA512

273c21f0ef47228ac0db7fc317a5b6916627461c29d503d68d28670d86a5fda6a39f55124218380a60002da520bf7ad1c4cd9f63dd1e74e628459184f45ce33a

Score

10^/10

babuk ransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note

*************************** * AstraLocker * *************************** What happend? ---------------------------------------------- All Your files has been succesfully encrypted by AstraRansomware. What is AstraLocker? ---------------------------------------------- AstraLocker is a modifiend version of a BabukLocker More about BabukLocker: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/ Can I get My files back? ---------------------------------------------- Sure! But You dont have much time for this. Your computer is infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without my help. What can I do to get my files back? ---------------------------------------------- You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer. The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only. What guarantees? ---------------------------------------------- I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests. All my decryption software is perfectly tested and will decrypt your data. How do I pay, where do I get Monero or Bitcoin? ---------------------------------------------- Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search yourself to find out how to buy Monero or Bitcoin. Amount of Bitcoin to pay: 0,00111 BTC (Bitcoin) or Amount of Monero to pay: 0.20 XMR (Monero) Where i can pay? ---------------------------------------------- Monero Address: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS Bitcoin Addres: bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez Contact ---------------------------------------------- After payment contact: [email protected] to get the decryptor !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !! *************************** * AstraLocker * ***************************

Emails

[email protected]

Wallets

bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez

URLs

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

E_WIN.EXE

pid process

696 E_WIN.EXE

pid	process
696	E_WIN.EXE

Modifies extensions of user files 26 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

E_WIN.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DenyUnlock.tiff.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\MountStart.png.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\SendConvertFrom.png => C:\Users\Admin\Pictures\SendConvertFrom.png.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\StepUnpublish.raw => C:\Users\Admin\Pictures\StepUnpublish.raw.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SetStep.tiff.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\MountStart.png => C:\Users\Admin\Pictures\MountStart.png.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\PushExit.tiff => C:\Users\Admin\Pictures\PushExit.tiff.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SetUnlock.tiff	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\SetUnlock.tiff => C:\Users\Admin\Pictures\SetUnlock.tiff.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SendConvertFrom.png.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\UnprotectApprove.tif => C:\Users\Admin\Pictures\UnprotectApprove.tif.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\StepUnpublish.raw.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\AddUnlock.tif.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\DenyUnlock.tiff	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\MoveExport.tif => C:\Users\Admin\Pictures\MoveExport.tif.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\MoveExport.tif.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\PushExit.tiff	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\ReadAdd.raw.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\DenyUnlock.tiff => C:\Users\Admin\Pictures\DenyUnlock.tiff.babyk	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\ReadAdd.raw => C:\Users\Admin\Pictures\ReadAdd.raw.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\PushExit.tiff.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SetStep.tiff	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\SetStep.tiff => C:\Users\Admin\Pictures\SetStep.tiff.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SetUnlock.tiff.babyk	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\UnprotectApprove.tif.babyk	E_WIN.EXE

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

E_WIN.EXE

description	ioc	process
File opened (read-only)	\??\F:	E_WIN.EXE
File opened (read-only)	\??\H:	E_WIN.EXE
File opened (read-only)	\??\X:	E_WIN.EXE
File opened (read-only)	\??\Q:	E_WIN.EXE
File opened (read-only)	\??\E:	E_WIN.EXE
File opened (read-only)	\??\I:	E_WIN.EXE
File opened (read-only)	\??\O:	E_WIN.EXE
File opened (read-only)	\??\S:	E_WIN.EXE
File opened (read-only)	\??\B:	E_WIN.EXE
File opened (read-only)	\??\W:	E_WIN.EXE
File opened (read-only)	\??\Y:	E_WIN.EXE
File opened (read-only)	\??\P:	E_WIN.EXE
File opened (read-only)	\??\K:	E_WIN.EXE
File opened (read-only)	\??\Z:	E_WIN.EXE
File opened (read-only)	\??\N:	E_WIN.EXE
File opened (read-only)	\??\R:	E_WIN.EXE
File opened (read-only)	\??\U:	E_WIN.EXE
File opened (read-only)	\??\A:	E_WIN.EXE
File opened (read-only)	\??\G:	E_WIN.EXE
File opened (read-only)	\??\J:	E_WIN.EXE
File opened (read-only)	\??\T:	E_WIN.EXE
File opened (read-only)	\??\L:	E_WIN.EXE
File opened (read-only)	\??\V:	E_WIN.EXE
File opened (read-only)	\??\M:	E_WIN.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1844 vssadmin.exe
3960 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

E_WIN.EXE

pid process

696 E_WIN.EXE
696 E_WIN.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2156 vssvc.exe
Token: SeRestorePrivilege 2156 vssvc.exe
Token: SeAuditPrivilege 2156 vssvc.exe

pid	process
1844	vssadmin.exe
3960	vssadmin.exe

pid	process
696	E_WIN.EXE
696	E_WIN.EXE

description	pid	process
Token: SeBackupPrivilege	2156	vssvc.exe
Token: SeRestorePrivilege	2156	vssvc.exe
Token: SeAuditPrivilege	2156	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exeE_WIN.EXEcmd.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 696	808	2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe	E_WIN.EXE
PID 808 wrote to memory of 696	808	2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe	E_WIN.EXE
PID 808 wrote to memory of 696	808	2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe	E_WIN.EXE
PID 696 wrote to memory of 1184	696	E_WIN.EXE	cmd.exe
PID 696 wrote to memory of 1184	696	E_WIN.EXE	cmd.exe
PID 1184 wrote to memory of 1844	1184	cmd.exe	vssadmin.exe
PID 1184 wrote to memory of 1844	1184	cmd.exe	vssadmin.exe
PID 696 wrote to memory of 4024	696	E_WIN.EXE	cmd.exe
PID 696 wrote to memory of 4024	696	E_WIN.EXE	cmd.exe
PID 4024 wrote to memory of 3960	4024	cmd.exe	vssadmin.exe
PID 4024 wrote to memory of 3960	4024	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe
"C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
  "C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

MD5
8d622a6f37a1fb60dec715e05516b508

SHA1
2a002f331c7356fccc2bf42c2ed2f3d3efd7767f

SHA256
e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9

SHA512
21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

MD5
8d622a6f37a1fb60dec715e05516b508

SHA1
2a002f331c7356fccc2bf42c2ed2f3d3efd7767f

SHA256
e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9

SHA512
21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa

Download Submit
memory/696-114-0x0000000000000000-mapping.dmp

Download
memory/1184-117-0x0000000000000000-mapping.dmp

Download
memory/1844-118-0x0000000000000000-mapping.dmp

Download
memory/3960-120-0x0000000000000000-mapping.dmp

Download
memory/4024-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads