Analysis
-
max time kernel
127s -
max time network
147s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
04-02-2022 13:59
Static task
static1
Behavioral task
behavioral1
Sample
babuk.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
babuk.exe
Resource
win10v2004-en-20220112
General
-
Target
babuk.exe
-
Size
79KB
-
MD5
92832ae49373b56748817cb5398ed706
-
SHA1
61e4505d605882b809d9c7f3dcbf163ff1678382
-
SHA256
1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90
-
SHA512
398ef0e5ffb6f914a2d1df23f12561153ef52ea28d345232cbb2daa84c43d1f1934be0c40d00b2502c2437c2733d0cdf75d24be6a8b47fc69648ad16c0bb4858
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
babuk.exedescription ioc process File renamed C:\Users\Admin\Pictures\PingShow.png => C:\Users\Admin\Pictures\PingShow.png.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\PingShow.png.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\RepairEdit.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\StopSync.crw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\RestoreSwitch.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\TestPing.tiff => C:\Users\Admin\Pictures\TestPing.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\RepairEdit.tiff babuk.exe File opened for modification C:\Users\Admin\Pictures\TestPing.tiff babuk.exe File renamed C:\Users\Admin\Pictures\RepairEdit.tiff => C:\Users\Admin\Pictures\RepairEdit.tiff.babyk babuk.exe File renamed C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.babyk babuk.exe File renamed C:\Users\Admin\Pictures\RestoreSwitch.png => C:\Users\Admin\Pictures\RestoreSwitch.png.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\TestPing.tiff.babyk babuk.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
babuk.exedescription ioc process File opened (read-only) \??\Z: babuk.exe File opened (read-only) \??\V: babuk.exe File opened (read-only) \??\I: babuk.exe File opened (read-only) \??\O: babuk.exe File opened (read-only) \??\P: babuk.exe File opened (read-only) \??\G: babuk.exe File opened (read-only) \??\F: babuk.exe File opened (read-only) \??\L: babuk.exe File opened (read-only) \??\B: babuk.exe File opened (read-only) \??\W: babuk.exe File opened (read-only) \??\R: babuk.exe File opened (read-only) \??\T: babuk.exe File opened (read-only) \??\U: babuk.exe File opened (read-only) \??\E: babuk.exe File opened (read-only) \??\J: babuk.exe File opened (read-only) \??\H: babuk.exe File opened (read-only) \??\K: babuk.exe File opened (read-only) \??\X: babuk.exe File opened (read-only) \??\N: babuk.exe File opened (read-only) \??\Q: babuk.exe File opened (read-only) \??\Y: babuk.exe File opened (read-only) \??\A: babuk.exe File opened (read-only) \??\S: babuk.exe File opened (read-only) \??\M: babuk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 952 vssadmin.exe 1992 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
babuk.exepid process 964 babuk.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1860 vssvc.exe Token: SeRestorePrivilege 1860 vssvc.exe Token: SeAuditPrivilege 1860 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
babuk.execmd.execmd.exedescription pid process target process PID 964 wrote to memory of 1160 964 babuk.exe cmd.exe PID 964 wrote to memory of 1160 964 babuk.exe cmd.exe PID 964 wrote to memory of 1160 964 babuk.exe cmd.exe PID 964 wrote to memory of 1160 964 babuk.exe cmd.exe PID 1160 wrote to memory of 952 1160 cmd.exe vssadmin.exe PID 1160 wrote to memory of 952 1160 cmd.exe vssadmin.exe PID 1160 wrote to memory of 952 1160 cmd.exe vssadmin.exe PID 964 wrote to memory of 396 964 babuk.exe cmd.exe PID 964 wrote to memory of 396 964 babuk.exe cmd.exe PID 964 wrote to memory of 396 964 babuk.exe cmd.exe PID 964 wrote to memory of 396 964 babuk.exe cmd.exe PID 396 wrote to memory of 1992 396 cmd.exe vssadmin.exe PID 396 wrote to memory of 1992 396 cmd.exe vssadmin.exe PID 396 wrote to memory of 1992 396 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\babuk.exe"C:\Users\Admin\AppData\Local\Temp\babuk.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1992
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860