Overview

overview

10

Static

static

8

0099963e72...79.exe

windows7_x64

9

0099963e72...79.exe

windows10_x64

9

028facff67...fc.exe

windows7_x64

10

028facff67...fc.exe

windows10_x64

10

0294114d5f...59.exe

windows7_x64

10

0294114d5f...59.exe

windows10_x64

10

02e9883501...c3.exe

windows7_x64

9

02e9883501...c3.exe

windows10_x64

9

03110baa5a...d7.exe

windows7_x64

10

03110baa5a...d7.exe

windows10_x64

10

0b93a024b5...2f.exe

windows7_x64

10

0b93a024b5...2f.exe

windows10_x64

10

12c561ac82...f8.exe

windows7_x64

10

12c561ac82...f8.exe

windows10_x64

10

15656e1825...d3.exe

windows7_x64

10

15656e1825...d3.exe

windows10_x64

10

18e282e680...5f.exe

windows7_x64

10

18e282e680...5f.exe

windows10_x64

10

1ab45a508d...38.exe

windows7_x64

10

1ab45a508d...38.exe

windows10_x64

10

1d40f42fa3...94.exe

windows7_x64

10

1d40f42fa3...94.exe

windows10_x64

10

1deb1efad2...02.exe

windows7_x64

10

1deb1efad2...02.exe

windows10_x64

10

1e24560100...90.exe

windows7_x64

10

1e24560100...90.exe

windows10_x64

10

63b6a51be7...85.exe

windows7_x64

10

63b6a51be7...85.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    15-12-2021 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe

  • Size

    79KB

  • MD5

    d24e9b0c3a81e884e14596d6047e31be

  • SHA1

    0557ae0a95e11e10fe9a33742f8b258b35c0aae6

  • SHA256

    1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402

  • SHA512

    5f9cfaf495d186c599ffe8fd63b7bf1c775313e38f0397f4f422d0944cfabf1c497b8cf81514d2a5d1ed2631d00f9356d8013fd90efea1bb29d17d7bae2a2ccd

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note
############## [ babuk ransomware greeings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/08deb1f2411fcdd93d524213ee3063b9719716e6813e886cb80f21df4a0d3ad5 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorythm and you can harm your files by using 3rd party decryption software.
URLs

http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/08deb1f2411fcdd93d524213ee3063b9719716e6813e886cb80f21df4a0d3ad5

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe
    "C:\Users\Admin\AppData\Local\Temp\1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1360
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/520-56-0x0000000000000000-mapping.dmp
    Download
  • memory/592-58-0x0000000000000000-mapping.dmp
    Download
  • memory/744-55-0x00000000763B1000-0x00000000763B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1360-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1728-59-0x0000000000000000-mapping.dmp
    Download