Overview

overview

10

Static

static

8

0099963e72...79.exe

windows7_x64

9

0099963e72...79.exe

windows10_x64

9

028facff67...fc.exe

windows7_x64

10

028facff67...fc.exe

windows10_x64

10

0294114d5f...59.exe

windows7_x64

10

0294114d5f...59.exe

windows10_x64

10

02e9883501...c3.exe

windows7_x64

9

02e9883501...c3.exe

windows10_x64

9

03110baa5a...d7.exe

windows7_x64

10

03110baa5a...d7.exe

windows10_x64

10

0b93a024b5...2f.exe

windows7_x64

10

0b93a024b5...2f.exe

windows10_x64

10

12c561ac82...f8.exe

windows7_x64

10

12c561ac82...f8.exe

windows10_x64

10

15656e1825...d3.exe

windows7_x64

10

15656e1825...d3.exe

windows10_x64

10

18e282e680...5f.exe

windows7_x64

10

18e282e680...5f.exe

windows10_x64

10

1ab45a508d...38.exe

windows7_x64

10

1ab45a508d...38.exe

windows10_x64

10

1d40f42fa3...94.exe

windows7_x64

10

1d40f42fa3...94.exe

windows10_x64

10

1deb1efad2...02.exe

windows7_x64

10

1deb1efad2...02.exe

windows10_x64

10

1e24560100...90.exe

windows7_x64

10

1e24560100...90.exe

windows10_x64

10

63b6a51be7...85.exe

windows7_x64

10

63b6a51be7...85.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    15-12-2021 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe

  • Size

    79KB

  • MD5

    d3c83232b0e85485724c4029e8b93dc1

  • SHA1

    2cfe3762a2e0c7e9a15bd617e693076f47d84028

  • SHA256

    0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59

  • SHA512

    07d83a9b09452eab085bec3819a1bd5353e2364c134cf87fe0c1a6770ed447d32cb954c98337ca6121fce2db1dff05a5ea5518239f4bb02ca50dabee02cab490

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
----------- [ Hello world! ] -------------> ****BY BABUK LOCKER**** Ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. Now that we got your attention, lets make it short... -WHAT HAPPENED? ----------------------------------------------Some bad news... -All the files on your computer/network have been encrypted with SHA-256, ChaCha8 and ECC algorithms-translated, you can't open/decrypt your files on your own. -All your files such as customers info, scans, billing, insurance, passports... are in our hands now and we might decide to sell/make them public if you dont contact us. -Dont forget about GDPR ) ----------------------------------------------Some good news... -Contact us with the information below and you will recover all your data with our universal decryptor and we will permanently delete your info from our servers. WHAT GUARANTEES? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. Just google us, we have the decryption keys and we never leaked information of any paying company. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. Also information on how all this happened and further information to help you increase your network security, so this won't happen again. How to contact us? Good decision) ---------------------------------------------- -Send us an email: iamunknown@keemail.me babyk@mail2tor.com make sure you check your spam folder for our reply. -qTox for instant support, download TOX (https://tox.chat/download.html): our tox ID: 81B2B719AB9BDDCE9116776FA01956C2D4BB8A7CA5464592593F9A25DA1F91174391480C6DC0 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!! Customer ID: S01E01AMS-DB7
Emails

iamunknown@keemail.me

babyk@mail2tor.com
URLs

https://tox.chat/download.html

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe
    "C:\Users\Admin\AppData\Local\Temp\0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1324
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1232
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/612-117-0x0000000000000000-mapping.dmp
    Download
  • memory/1232-118-0x0000000000000000-mapping.dmp
    Download
  • memory/1324-116-0x0000000000000000-mapping.dmp
    Download
  • memory/2892-115-0x0000000000000000-mapping.dmp
    Download