Analysis
-
max time kernel
70s -
max time network
42s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
04-02-2022 15:15
Static task
static1
Behavioral task
behavioral1
Sample
babuk.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
babuk.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
babuk.exe
-
Size
79KB
-
MD5
92832ae49373b56748817cb5398ed706
-
SHA1
61e4505d605882b809d9c7f3dcbf163ff1678382
-
SHA256
1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90
-
SHA512
398ef0e5ffb6f914a2d1df23f12561153ef52ea28d345232cbb2daa84c43d1f1934be0c40d00b2502c2437c2733d0cdf75d24be6a8b47fc69648ad16c0bb4858
Score
10/10
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
babuk.exedescription ioc Process File renamed C:\Users\Admin\Pictures\OpenUnpublish.raw => C:\Users\Admin\Pictures\OpenUnpublish.raw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\UnprotectRead.png.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\CheckpointDismount.raw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\CompareWait.crw.babyk babuk.exe File renamed C:\Users\Admin\Pictures\CompleteResolve.tif => C:\Users\Admin\Pictures\CompleteResolve.tif.babyk babuk.exe File renamed C:\Users\Admin\Pictures\ExportOpen.tif => C:\Users\Admin\Pictures\ExportOpen.tif.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\ExportOpen.tif.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\FormatLock.crw.babyk babuk.exe File renamed C:\Users\Admin\Pictures\CompareWait.crw => C:\Users\Admin\Pictures\CompareWait.crw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\CompleteResolve.tif.babyk babuk.exe File renamed C:\Users\Admin\Pictures\ResolveEnable.png => C:\Users\Admin\Pictures\ResolveEnable.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\CheckpointDismount.raw => C:\Users\Admin\Pictures\CheckpointDismount.raw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\ResolveEnable.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\UnprotectRead.png => C:\Users\Admin\Pictures\UnprotectRead.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\FormatLock.crw => C:\Users\Admin\Pictures\FormatLock.crw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\OpenUnpublish.raw.babyk babuk.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
babuk.exedescription ioc Process File opened (read-only) \??\U: babuk.exe File opened (read-only) \??\O: babuk.exe File opened (read-only) \??\A: babuk.exe File opened (read-only) \??\B: babuk.exe File opened (read-only) \??\E: babuk.exe File opened (read-only) \??\R: babuk.exe File opened (read-only) \??\T: babuk.exe File opened (read-only) \??\Y: babuk.exe File opened (read-only) \??\K: babuk.exe File opened (read-only) \??\V: babuk.exe File opened (read-only) \??\X: babuk.exe File opened (read-only) \??\Q: babuk.exe File opened (read-only) \??\W: babuk.exe File opened (read-only) \??\I: babuk.exe File opened (read-only) \??\P: babuk.exe File opened (read-only) \??\H: babuk.exe File opened (read-only) \??\J: babuk.exe File opened (read-only) \??\Z: babuk.exe File opened (read-only) \??\S: babuk.exe File opened (read-only) \??\F: babuk.exe File opened (read-only) \??\G: babuk.exe File opened (read-only) \??\L: babuk.exe File opened (read-only) \??\N: babuk.exe File opened (read-only) \??\M: babuk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid Process 1140 vssadmin.exe 1156 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
babuk.exepid Process 1440 babuk.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid Process Token: SeBackupPrivilege 980 vssvc.exe Token: SeRestorePrivilege 980 vssvc.exe Token: SeAuditPrivilege 980 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
babuk.execmd.execmd.exedescription pid Process procid_target PID 1440 wrote to memory of 1300 1440 babuk.exe 27 PID 1440 wrote to memory of 1300 1440 babuk.exe 27 PID 1440 wrote to memory of 1300 1440 babuk.exe 27 PID 1440 wrote to memory of 1300 1440 babuk.exe 27 PID 1300 wrote to memory of 1140 1300 cmd.exe 29 PID 1300 wrote to memory of 1140 1300 cmd.exe 29 PID 1300 wrote to memory of 1140 1300 cmd.exe 29 PID 1440 wrote to memory of 1848 1440 babuk.exe 33 PID 1440 wrote to memory of 1848 1440 babuk.exe 33 PID 1440 wrote to memory of 1848 1440 babuk.exe 33 PID 1440 wrote to memory of 1848 1440 babuk.exe 33 PID 1848 wrote to memory of 1156 1848 cmd.exe 35 PID 1848 wrote to memory of 1156 1848 cmd.exe 35 PID 1848 wrote to memory of 1156 1848 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\babuk.exe"C:\Users\Admin\AppData\Local\Temp\babuk.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1156
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980