Analysis

  • max time kernel
    119s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    15-12-2021 06:21

General

  • Target

    0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe

  • Size

    79KB

  • MD5

    d3c83232b0e85485724c4029e8b93dc1

  • SHA1

    2cfe3762a2e0c7e9a15bd617e693076f47d84028

  • SHA256

    0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59

  • SHA512

    07d83a9b09452eab085bec3819a1bd5353e2364c134cf87fe0c1a6770ed447d32cb954c98337ca6121fce2db1dff05a5ea5518239f4bb02ca50dabee02cab490

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
----------- [ Hello world! ] -------------> ****BY BABUK LOCKER**** Ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. Now that we got your attention, lets make it short... -WHAT HAPPENED? ----------------------------------------------Some bad news... -All the files on your computer/network have been encrypted with SHA-256, ChaCha8 and ECC algorithms-translated, you can't open/decrypt your files on your own. -All your files such as customers info, scans, billing, insurance, passports... are in our hands now and we might decide to sell/make them public if you dont contact us. -Dont forget about GDPR ) ----------------------------------------------Some good news... -Contact us with the information below and you will recover all your data with our universal decryptor and we will permanently delete your info from our servers. WHAT GUARANTEES? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. Just google us, we have the decryption keys and we never leaked information of any paying company. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. Also information on how all this happened and further information to help you increase your network security, so this won't happen again. How to contact us? Good decision) ---------------------------------------------- -Send us an email: [email protected] [email protected] make sure you check your spam folder for our reply. -qTox for instant support, download TOX (https://tox.chat/download.html): our tox ID: 81B2B719AB9BDDCE9116776FA01956C2D4BB8A7CA5464592593F9A25DA1F91174391480C6DC0 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!! Customer ID: S01E01AMS-DB7
URLs

https://tox.chat/download.html

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe
    "C:\Users\Admin\AppData\Local\Temp\0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1324
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1232
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/612-117-0x0000000000000000-mapping.dmp

  • memory/1232-118-0x0000000000000000-mapping.dmp

  • memory/1324-116-0x0000000000000000-mapping.dmp

  • memory/2892-115-0x0000000000000000-mapping.dmp