Analysis
- max time kernel: 121s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-12-2021 06:21
General
- Target: 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
- Size: 79KB
- MD5: 2245c35306910a280961d356e4b5ab94
- SHA1: 0ca5cc08a4f5226332d2ce49a9131216ac32bec2
- SHA256: 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f
- SHA512: 09342308aebf1f5bcf494904b00eba2df9faa75c1d884dd8f2e706e4429905244e269bedc28c71d692348a87a257a4b00b12aa79e9a9b7f7498a441a73344ac4
Malware Config
Signatures
- Babuk Locker
  RaaS first seen in 2021, initially called Vasa Locker.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\UninstallExit.tiff.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened for modification | C:\Users\Admin\Pictures\ExpandExport.tiff | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File renamed | C:\Users\Admin\Pictures\ShowConvertFrom.crw => C:\Users\Admin\Pictures\ShowConvertFrom.crw.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File renamed | C:\Users\Admin\Pictures\TestConfirm.raw => C:\Users\Admin\Pictures\TestConfirm.raw.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened for modification | C:\Users\Admin\Pictures\UninstallExit.tiff | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened for modification | C:\Users\Admin\Pictures\TestConfirm.raw.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File renamed | C:\Users\Admin\Pictures\UninstallExit.tiff => C:\Users\Admin\Pictures\UninstallExit.tiff.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File renamed | C:\Users\Admin\Pictures\ExpandExport.tiff => C:\Users\Admin\Pictures\ExpandExport.tiff.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened for modification | C:\Users\Admin\Pictures\ExpandExport.tiff.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened for modification | C:\Users\Admin\Pictures\ShowConvertFrom.crw.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File renamed | C:\Users\Admin\Pictures\SendUndo.raw => C:\Users\Admin\Pictures\SendUndo.raw.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened for modification | C:\Users\Admin\Pictures\SendUndo.raw.babyk | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  description | ioc | process
  File opened (read-only) | \??\W: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\R: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\O: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\Q: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\Y: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\P: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\F: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\B: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\M: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\T: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\U: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\G: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\H: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\J: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\Z: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\V: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\E: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\I: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\A: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\S: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\K: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\L: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\X: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  File opened (read-only) | \??\N: | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  452 | vssadmin.exe
  1528 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  pid | process
  944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1432 | vssvc.exe
  Token: SeRestorePrivilege | 1432 | vssvc.exe
  Token: SeAuditPrivilege | 1432 | vssvc.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 944 wrote to memory of 1644 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 944 wrote to memory of 1644 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 944 wrote to memory of 1644 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 944 wrote to memory of 1644 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 1644 wrote to memory of 452 | 1644 | cmd.exe | vssadmin.exe
  PID 1644 wrote to memory of 452 | 1644 | cmd.exe | vssadmin.exe
  PID 1644 wrote to memory of 452 | 1644 | cmd.exe | vssadmin.exe
  PID 944 wrote to memory of 1156 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 944 wrote to memory of 1156 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 944 wrote to memory of 1156 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 944 wrote to memory of 1156 | 944 | 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe | cmd.exe
  PID 1156 wrote to memory of 1528 | 1156 | cmd.exe | vssadmin.exe
  PID 1156 wrote to memory of 1528 | 1156 | cmd.exe | vssadmin.exe
  PID 1156 wrote to memory of 1528 | 1156 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe"
  PID: 944
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 1644
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 452
      - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 1156
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 1528
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1432
  - Suspicious use of AdjustPrivilegeToken