Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
28-01-2022 09:19
Static task
static1
Behavioral task
behavioral1
Sample
e_win.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
e_win.exe
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
-
Target
e_win.exe
-
Size
79KB
-
MD5
92832ae49373b56748817cb5398ed706
-
SHA1
61e4505d605882b809d9c7f3dcbf163ff1678382
-
SHA256
1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90
-
SHA512
398ef0e5ffb6f914a2d1df23f12561153ef52ea28d345232cbb2daa84c43d1f1934be0c40d00b2502c2437c2733d0cdf75d24be6a8b47fc69648ad16c0bb4858
Score
10/10
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 18 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
e_win.exedescription ioc Process File opened for modification C:\Users\Admin\Pictures\UndoUnlock.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\SuspendTest.crw => C:\Users\Admin\Pictures\SuspendTest.crw.babyk e_win.exe File renamed C:\Users\Admin\Pictures\TraceSearch.tif => C:\Users\Admin\Pictures\TraceSearch.tif.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\LockSelect.tif.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\EnterSwitch.tiff e_win.exe File renamed C:\Users\Admin\Pictures\LockSelect.tif => C:\Users\Admin\Pictures\LockSelect.tif.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\TraceSearch.tif.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\DisableCompress.tiff e_win.exe File opened for modification C:\Users\Admin\Pictures\EnterSwitch.tiff.babyk e_win.exe File renamed C:\Users\Admin\Pictures\InvokeStart.tif => C:\Users\Admin\Pictures\InvokeStart.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\MeasureUnlock.tif => C:\Users\Admin\Pictures\MeasureUnlock.tif.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\MeasureUnlock.tif.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\SuspendTest.crw.babyk e_win.exe File renamed C:\Users\Admin\Pictures\EnterSwitch.tiff => C:\Users\Admin\Pictures\EnterSwitch.tiff.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\DisableCompress.tiff.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\InvokeStart.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\UndoUnlock.tif => C:\Users\Admin\Pictures\UndoUnlock.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\DisableCompress.tiff => C:\Users\Admin\Pictures\DisableCompress.tiff.babyk e_win.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e_win.exedescription ioc Process File opened (read-only) \??\Z: e_win.exe File opened (read-only) \??\V: e_win.exe File opened (read-only) \??\M: e_win.exe File opened (read-only) \??\Q: e_win.exe File opened (read-only) \??\R: e_win.exe File opened (read-only) \??\A: e_win.exe File opened (read-only) \??\J: e_win.exe File opened (read-only) \??\N: e_win.exe File opened (read-only) \??\E: e_win.exe File opened (read-only) \??\Y: e_win.exe File opened (read-only) \??\H: e_win.exe File opened (read-only) \??\B: e_win.exe File opened (read-only) \??\K: e_win.exe File opened (read-only) \??\L: e_win.exe File opened (read-only) \??\X: e_win.exe File opened (read-only) \??\W: e_win.exe File opened (read-only) \??\I: e_win.exe File opened (read-only) \??\F: e_win.exe File opened (read-only) \??\G: e_win.exe File opened (read-only) \??\S: e_win.exe File opened (read-only) \??\T: e_win.exe File opened (read-only) \??\U: e_win.exe File opened (read-only) \??\O: e_win.exe File opened (read-only) \??\P: e_win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid Process 1488 vssadmin.exe 1996 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
e_win.exepid Process 760 e_win.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid Process Token: SeBackupPrivilege 620 vssvc.exe Token: SeRestorePrivilege 620 vssvc.exe Token: SeAuditPrivilege 620 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
e_win.execmd.execmd.exedescription pid Process procid_target PID 760 wrote to memory of 380 760 e_win.exe 27 PID 760 wrote to memory of 380 760 e_win.exe 27 PID 760 wrote to memory of 380 760 e_win.exe 27 PID 760 wrote to memory of 380 760 e_win.exe 27 PID 380 wrote to memory of 1488 380 cmd.exe 29 PID 380 wrote to memory of 1488 380 cmd.exe 29 PID 380 wrote to memory of 1488 380 cmd.exe 29 PID 760 wrote to memory of 1196 760 e_win.exe 33 PID 760 wrote to memory of 1196 760 e_win.exe 33 PID 760 wrote to memory of 1196 760 e_win.exe 33 PID 760 wrote to memory of 1196 760 e_win.exe 33 PID 1196 wrote to memory of 1996 1196 cmd.exe 35 PID 1196 wrote to memory of 1996 1196 cmd.exe 35 PID 1196 wrote to memory of 1996 1196 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\e_win.exe"C:\Users\Admin\AppData\Local\Temp\e_win.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1996
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:620