Analysis Overview
SHA256: 2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
Threat Level: Known bad
The file 2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce was found to be: Known bad.
Malicious Activity Summary
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-09-17 13:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-09-17 13:47
Reported: 2021-09-17 13:50
Platform: win7-en-20210916
Max time kernel: 76s
Max time network: 35s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\SkipBlock.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\ReadOpen.png => C:\Users\Admin\Pictures\ReadOpen.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReadOpen.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\RepairEdit.tif => C:\Users\Admin\Pictures\RepairEdit.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RepairEdit.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipBlock.tiff => C:\Users\Admin\Pictures\SkipBlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SkipBlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | "C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe" |
| C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | "C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\How To Restore Your Files.txt |
Network
Files
memory/1868-53-0x0000000074AC1000-0x0000000074AC3000-memory.dmp
memory/568-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\E_WIN.EXE
| MD5 | 8d622a6f37a1fb60dec715e05516b508 |
| SHA1 | 2a002f331c7356fccc2bf42c2ed2f3d3efd7767f |
| SHA256 | e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9 |
| SHA512 | 21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa |
C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
| MD5 | 8d622a6f37a1fb60dec715e05516b508 |
| SHA1 | 2a002f331c7356fccc2bf42c2ed2f3d3efd7767f |
| SHA256 | e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9 |
| SHA512 | 21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa |
memory/1324-59-0x0000000000000000-mapping.dmp
memory/1512-60-0x0000000000000000-mapping.dmp
memory/2044-61-0x0000000000000000-mapping.dmp
memory/692-62-0x0000000000000000-mapping.dmp
memory/468-63-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
C:\Users\Public\Desktop\How To Restore Your Files.txt
| MD5 | 00a5956169037088a772613dba6f8c79 |
| SHA1 | 66e27513dd1d87ba64002e834c1cf296198656bb |
| SHA256 | f5d91ab8838d0ad26e364940281e55d2d7be7551671c47cf653b4df80539f3a1 |
| SHA512 | 47bdd65a129ee40c5f7dd9ef48ccddcc5a1cc6059018de32e4beb6bffe66e5934e42aa33743387cd7d9e95f41310a29cd5d1b113aecbb3c9b8f42531f1cf1bbf |
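The behavioral1 run above records the whole chain a detection should key on: the submitted sample drops and executes E_WIN.EXE from the user's Temp directory, E_WIN.EXE spawns cmd.exe twice to run vssadmin.exe delete shadows /all /quiet, and NOTEPAD.EXE opens the ransom note on the Public desktop. Note that the AdjustPrivilegeToken signature is raised on vssvc.exe, the Volume Shadow Copy service that vssadmin calls into; the SeBackupPrivilege and SeRestorePrivilege it enables are normal for that service, so the detection value lies in the vssadmin command line and its parent chain, not in the service's token use. The Python below is an added example and not part of the sandbox output or of Babuk itself: it encodes those three behaviours as rules over process-creation events. The events are a constructed reproduction of the tree (the PIDs, the explorer.exe parent and the Sysmon-style image and command-line fields are assumptions), and the wmic shadowcopy delete pattern is a generalisation not observed in this report.

```python
"""Detect the Babuk Locker process chain recorded in this report.

Added example, not part of the sandbox output. SAMPLE_EVENTS is a
constructed reproduction of the behavioral1 process tree; the PIDs, the
explorer.exe parent and the Sysmon-style field names are assumptions.
"""
import re
from dataclasses import dataclass

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# vssadmin form is what the report shows; the wmic form is a generalisation.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
NOTEPAD = re.compile(r"\\notepad\.exe$", re.IGNORECASE)
PUBLIC_DESKTOP = re.compile(r"\\Users\\Public\\Desktop\\", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"
DROPPED = TEMP + r"\E_WIN.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
VSSADMIN = r"C:\Windows\system32\vssadmin.exe"
NOTEPAD_EXE = r"C:\Windows\system32\NOTEPAD.EXE"
NOTE = r"C:\Users\Public\Desktop\How To Restore Your Files.txt"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed events mirroring the report's process tree (PIDs are assumed).
SAMPLE_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1868, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(568, 1868, DROPPED, f'"{DROPPED}"'),
    ProcEvent(1324, 568, CMD, f'"{CMD}" /c vssadmin.exe delete shadows /all /quiet'),
    ProcEvent(1512, 1324, VSSADMIN, "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(2044, 568, CMD, f'"{CMD}" /c vssadmin.exe delete shadows /all /quiet'),
    ProcEvent(692, 2044, VSSADMIN, "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(468, 568, NOTEPAD_EXE, f'"{NOTEPAD_EXE}" {NOTE}'),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def ancestry(events, pid):
    """Chain of events from pid up to the oldest ancestor present in events."""
    table = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid])
        pid = table[pid].ppid
    return chain


def detect(events):
    """Apply three rules derived from the report's signatures; return Findings."""
    table = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = table.get(e.ppid)
        parent_in_temp = parent is not None and TEMP_DIR.search(parent.image)
        # Rule 1 ("Executes dropped EXE"): a Temp-dir binary launching another Temp-dir binary.
        if TEMP_DIR.search(e.image) and parent_in_temp:
            findings.append(Finding("dropped_exe_executed", e.pid, f"{parent.image} -> {e.image}"))
        # Rule 2 ("Deletes shadow copies"): matches the cmd.exe wrapper and vssadmin.exe alike,
        # so two invocations yield four findings. Severity rises when an ancestor runs from Temp.
        if SHADOW_DELETE.search(e.command_line):
            origin = next((a for a in ancestry(events, e.pid) if TEMP_DIR.search(a.image)), None)
            rule = "shadow_delete_from_temp_binary" if origin else "shadow_delete"
            where = origin.image if origin else "unknown"
            findings.append(Finding(rule, e.pid, f"{e.command_line} (origin: {where})"))
        # Rule 3: ransom-note display, notepad opening a Public-desktop file for a Temp-dir parent.
        if NOTEPAD.search(e.image) and parent_in_temp and PUBLIC_DESKTOP.search(e.command_line):
            findings.append(Finding("ransom_note_display", e.pid, e.command_line))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 2 deliberately fires on the interpreter wrapper as well as on vssadmin.exe, so the alert survives if either event is missing from telemetry; deduplicate on the command line and the origin process if the volume matters in your pipeline.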
Analysis: behavioral2
Detonation Overview
Submitted: 2021-09-17 13:47
Reported: 2021-09-17 13:50
Platform: win10v20210408
Max time kernel: 96s
Max time network: 98s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\DenyUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MountStart.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\SendConvertFrom.png => C:\Users\Admin\Pictures\SendConvertFrom.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\StepUnpublish.raw => C:\Users\Admin\Pictures\StepUnpublish.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetStep.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\MountStart.png => C:\Users\Admin\Pictures\MountStart.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\PushExit.tiff => C:\Users\Admin\Pictures\PushExit.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetUnlock.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\SetUnlock.tiff => C:\Users\Admin\Pictures\SetUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SendConvertFrom.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\UnprotectApprove.tif => C:\Users\Admin\Pictures\UnprotectApprove.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StepUnpublish.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AddUnlock.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyUnlock.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveExport.tif => C:\Users\Admin\Pictures\MoveExport.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MoveExport.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PushExit.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReadAdd.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyUnlock.tiff => C:\Users\Admin\Pictures\DenyUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\ReadAdd.raw => C:\Users\Admin\Pictures\ReadAdd.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PushExit.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetStep.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File renamed | C:\Users\Admin\Pictures\SetStep.tiff => C:\Users\Admin\Pictures\SetStep.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnprotectApprove.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | "C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe" |
| C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | "C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
Network
Files
memory/696-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
| MD5 | 8d622a6f37a1fb60dec715e05516b508 |
| SHA1 | 2a002f331c7356fccc2bf42c2ed2f3d3efd7767f |
| SHA256 | e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9 |
| SHA512 | 21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa |
memory/1184-117-0x0000000000000000-mapping.dmp
memory/1844-118-0x0000000000000000-mapping.dmp
memory/4024-119-0x0000000000000000-mapping.dmp
memory/3960-120-0x0000000000000000-mapping.dmp
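The Files sections record the SHA256 of the dropped payload E_WIN.EXE (e9f18a01...) and of the ransom note How To Restore Your Files.txt (f5d91ab8...), and the rename entries show that encrypted files keep their original name and gain the .babyk extension. The Python below is an added example, not part of the report: a host sweep that walks a directory tree and reports files matching those hashes, files with the .babyk extension, and files carrying the ransom note name. The demo tree it builds is constructed content, so only the extension and name rules can fire on the report's hashes; the demo registers the hash of its own constructed payload so the hash-match path is exercised offline.

```python
"""Host IoC sweep for the artefacts recorded in this report (added example).

KNOWN_SHA256 holds the SHA256 values from the report's Files section. The
demo tree built by build_demo_tree() is constructed content, not real samples.
"""
import hashlib
import tempfile
from pathlib import Path

KNOWN_SHA256 = {
    "2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce": "submitted sample",
    "e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9": "E_WIN.EXE (dropped Babuk payload)",
    "f5d91ab8838d0ad26e364940281e55d2d7be7551671c47cf653b4df80539f3a1": "How To Restore Your Files.txt (ransom note)",
}
ENCRYPTED_SUFFIX = ".babyk"
RANSOM_NOTE_NAME = "How To Restore Your Files.txt"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large encrypted files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_SHA256):
    """Return (kind, path, detail) tuples for every IoC hit under root.

    kind is one of: encrypted_file (.babyk suffix), ransom_note (note file name),
    known_hash (SHA256 present in `known`).
    """
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() == ENCRYPTED_SUFFIX:
            # Babuk appends the extension, so p.stem is the victim's original file name.
            hits.append(("encrypted_file", str(p), f"original name: {p.stem}"))
        if p.name.lower() == RANSOM_NOTE_NAME.lower():
            hits.append(("ransom_note", str(p), "file name matches the report's ransom note"))
        digest = sha256_file(p)
        if digest in known:
            hits.append(("known_hash", str(p), known[digest]))
    return hits


def build_demo_tree(root):
    """Create a constructed directory layout shaped like the report's Pictures folder."""
    root = Path(root)
    (root / "Pictures").mkdir(parents=True, exist_ok=True)
    (root / "Pictures" / "ReadOpen.png.babyk").write_bytes(b"\x00" * 64)  # constructed ciphertext
    (root / "Pictures" / "clean.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # benign, should not hit
    (root / "Desktop").mkdir(exist_ok=True)
    (root / "Desktop" / RANSOM_NOTE_NAME).write_text("constructed note text\n")
    return root


def run_demo():
    """Build the demo tree, sweep it, and return hits with paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as d:
        root = build_demo_tree(d)
        payload = root / "E_WIN_demo.bin"
        payload.write_bytes(b"constructed payload bytes")  # stands in for the dropped EXE
        known = dict(KNOWN_SHA256)
        known[sha256_file(payload)] = "demo payload (constructed, hash registered at runtime)"
        return [(kind, str(Path(p).relative_to(root)), detail) for kind, p, detail in sweep(root, known)]


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a real host, point sweep() at the user profile roots and mounted shares; the .babyk rule will fire on every encrypted file, so report counts per directory rather than one line per file when the volume is large.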