Analysis
- max time kernel: 120s
- max time network: 146s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-12-2021 06:21
Static task: static1
Behavioral task behavioral1: Sample 0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879.exe, Resource win7-en-20211208
Behavioral task behavioral2: Sample 0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879.exe, Resource win10-en-20211208
Behavioral task behavioral3: Sample 028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe, Resource win7-en-20211208
Behavioral task behavioral4: Sample 028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe, Resource win10-en-20211208
Behavioral task behavioral5: Sample 0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe, Resource win7-en-20211208
Behavioral task behavioral6: Sample 0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe, Resource win10-en-20211208
Behavioral task behavioral7: Sample 02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3.exe, Resource win7-en-20211208
Behavioral task behavioral8: Sample 02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3.exe, Resource win10-en-20211208
Behavioral task behavioral9: Sample 03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7.exe, Resource win7-en-20211208
Behavioral task behavioral10: Sample 03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7.exe, Resource win10-en-20211208
Behavioral task behavioral11: Sample 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe, Resource win7-en-20211208
Behavioral task behavioral12: Sample 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe, Resource win10-en-20211208
Behavioral task behavioral13: Sample 12c561ac827c3f79afff026b0b1d3ddec7c4b591946e2b794a4d00c423b1c8f8.exe, Resource win7-en-20211208
Behavioral task behavioral14: Sample 12c561ac827c3f79afff026b0b1d3ddec7c4b591946e2b794a4d00c423b1c8f8.exe, Resource win10-en-20211208
Behavioral task behavioral15: Sample 15656e1825383c4749fadcc46f9825df6262ca2f1f98d895d64c840febe3d9d3.exe, Resource win7-en-20211208
Behavioral task behavioral16: Sample 15656e1825383c4749fadcc46f9825df6262ca2f1f98d895d64c840febe3d9d3.exe, Resource win10-en-20211208
Behavioral task behavioral17: Sample 18e282e6806903ff00a78b91f6d0ad1bc3aae4b4846d6a5705c036a88138605f.exe, Resource win7-en-20211208
Behavioral task behavioral18: Sample 18e282e6806903ff00a78b91f6d0ad1bc3aae4b4846d6a5705c036a88138605f.exe, Resource win10-en-20211208
Behavioral task behavioral19: Sample 1ab45a508da655ef755ad4394f869c664f664b3ac111875704a583e9485f2238.exe, Resource win7-en-20211208
Behavioral task behavioral20: Sample 1ab45a508da655ef755ad4394f869c664f664b3ac111875704a583e9485f2238.exe, Resource win10-en-20211208
Behavioral task behavioral21: Sample 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe, Resource win7-en-20211208
Behavioral task behavioral22: Sample 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe, Resource win10-en-20211208
Behavioral task behavioral23: Sample 1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe, Resource win7-en-20211208
Behavioral task behavioral24: Sample 1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe, Resource win10-en-20211208
Behavioral task behavioral25: Sample 1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90.exe, Resource win7-en-20211208
Behavioral task behavioral26: Sample 1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90.exe, Resource win10-en-20211208
Behavioral task behavioral27: Sample 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe, Resource win7-en-20211208
Behavioral task behavioral28: Sample 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe, Resource win10-en-20211208
General
- Target: 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
- Size: 79KB
- MD5: 38bf2b92a281f885e964a549575a5804
- SHA1: 0150c32d9de1fc49e8a2cd80031c561748e8cca7
- SHA256: 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994
- SHA512: 99464b0867a297877eb88e0e322de1d4d613f75a2a420ea573e89a1798580f32ea0faac65752114223ff0ab684ae46fe4b0fcb629beb48077a949fac1ffe7d76
Malware Config
Signatures
- Babuk Locker
  RaaS first seen in 2021, initially called Vasa Locker.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\CompareReset.tif.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened for modification | C:\Users\Admin\Pictures\DenyRegister.crw.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File renamed | C:\Users\Admin\Pictures\ExpandReceive.raw => C:\Users\Admin\Pictures\ExpandReceive.raw.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened for modification | C:\Users\Admin\Pictures\ExpandReceive.raw.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File renamed | C:\Users\Admin\Pictures\UnlockCompress.crw => C:\Users\Admin\Pictures\UnlockCompress.crw.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File renamed | C:\Users\Admin\Pictures\CompareReset.tif => C:\Users\Admin\Pictures\CompareReset.tif.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File renamed | C:\Users\Admin\Pictures\DenyRegister.crw => C:\Users\Admin\Pictures\DenyRegister.crw.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File renamed | C:\Users\Admin\Pictures\ExpandInstall.png => C:\Users\Admin\Pictures\ExpandInstall.png.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened for modification | C:\Users\Admin\Pictures\ExpandInstall.png.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened for modification | C:\Users\Admin\Pictures\UnlockCompress.crw.babyk | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  description | ioc | process
  File opened (read-only) | \??\Q: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\P: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\A: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\H: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\W: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\E: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\Y: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\U: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\R: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\T: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\G: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\J: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\V: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\M: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\I: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\O: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\S: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\F: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\K: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\L: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\Z: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\X: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\B: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  File opened (read-only) | \??\N: | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  640 | vssadmin.exe
  1508 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  pid | process
  2704 | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
  2704 | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1492 | vssvc.exe
  Token: SeRestorePrivilege | 1492 | vssvc.exe
  Token: SeAuditPrivilege | 1492 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 2704 wrote to memory of 3264 | 2704 | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe | cmd.exe
  PID 2704 wrote to memory of 3264 | 2704 | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe | cmd.exe
  PID 3264 wrote to memory of 640 | 3264 | cmd.exe | vssadmin.exe
  PID 3264 wrote to memory of 640 | 3264 | cmd.exe | vssadmin.exe
  PID 2704 wrote to memory of 1716 | 2704 | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe | cmd.exe
  PID 2704 wrote to memory of 1716 | 2704 | 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe | cmd.exe
  PID 1716 wrote to memory of 1508 | 1716 | cmd.exe | vssadmin.exe
  PID 1716 wrote to memory of 1508 | 1716 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe (PID 2704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3264)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 640)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe (PID 1716)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 1508)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 1492)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken