Analysis

  • max time kernel: 215s
  • max time network: 184s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 23-01-2022 12:04

General

  • Target

    https://transfer.sh/45dIVs/worstgeneration.exe

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: yourd34d@ctemplar.com
Emails

yourd34d@ctemplar.com

URLs

https://bisq.network/

https://www.getmonero.org/

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE (2 IoCs)
  • Modifies extensions of user files (19 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL (1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 46 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (33 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://transfer.sh/45dIVs/worstgeneration.exe
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1088
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        • Executes dropped EXE
        • Modifies extensions of user files
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            • Interacts with shadow copies
            PID:624
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            • Interacts with shadow copies
            PID:1736
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:336

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    File Deletion (T1107): 2
    Modify Registry (T1112): 2

  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2

  • Impact
    Inhibit System Recovery (T1490): 2

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    3155c3c9e5aaa1e74a8fcb117ff94672

    SHA1

    2c63253616ad64c052e08f48223fdbc25c484eed

    SHA256

    4a921825386e618862db5eac0c0bcf06c962785b14a07e4559a03fa2e4c1014f

    SHA512

    0daba3d92ed08d747b7b7911911aab6ebbcc05089729e8122b2518a2a265b9367d9f7b65815122d5499ac57409e16f12a0a46b648cc5df976ef3cd2e234df2a5

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat
    MD5

    15f216175114ed62a734e1e38d32b396

    SHA1

    d0774371a47f93797de0918e4c73b5cc9c441493

    SHA256

    49359724701ffbeefa2e9624b139e0a4c616948d56e25b1a2009c892a3028754

    SHA512

    1605a8343dc0294de9d893ac0914cde44e71dbcc3ac6630936daea298453bf79625d19bf544bd9f65d36eadb56b30738fdca93b1bb9bce2b71d7f98dccb8cf1e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exe
    MD5

    4dc689389054b8aae01c162fb7fec051

    SHA1

    fd4356fd980f837a813515321fe5f54d5625258b

    SHA256

    e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82

    SHA512

    e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UFND3CH\worstgeneration.exe.w1lz7su.partial
    MD5

    4dc689389054b8aae01c162fb7fec051

    SHA1

    fd4356fd980f837a813515321fe5f54d5625258b

    SHA256

    e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82

    SHA512

    e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OEEFWG3J.txt
    MD5

    0cdf3277491f0d4a1af45538ed1da204

    SHA1

    3ed6dab373027500e5432752ac96fc5c01fbe2bd

    SHA256

    9ef963e8286af4b50cbfad933ad42a3f22024e1ef233084b2b683e2557d2b54a

    SHA512

    3f18e3740ec1fff7d1680f8a9edd8ce781e91e022475212716271e1b342b8dfdad5a69fcf3fda19340df691eec06707c0cb824217b343e19246ec9ccd561dc58

  • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

  • memory/920-57-0x00000000001C0000-0x000000000022C000-memory.dmp
    Filesize

    432KB

  • memory/920-62-0x0000000001E10000-0x0000000001E16000-memory.dmp
    Filesize

    24KB

  • memory/920-61-0x0000000000850000-0x000000000086A000-memory.dmp
    Filesize

    104KB

  • memory/920-60-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize

    4KB

  • memory/920-59-0x00000000004E0000-0x00000000004F6000-memory.dmp
    Filesize

    88KB

  • memory/920-58-0x00000000004B0000-0x00000000004E2000-memory.dmp
    Filesize

    200KB

  • memory/920-70-0x0000000004E31000-0x0000000004E32000-memory.dmp
    Filesize

    4KB

  • memory/1852-64-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1852-69-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1852-68-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1852-71-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1852-67-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1852-73-0x0000000075471000-0x0000000075473000-memory.dmp
    Filesize

    8KB

  • memory/1852-74-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1852-66-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1852-65-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB