Analysis
-
max time kernel
133s -
max time network
129s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
04-02-2022 15:30
Static task
static1
Behavioral task
behavioral1
Sample
babuk.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
babuk.exe
Resource
win10v2004-en-20220112
General
-
Target
babuk.exe
-
Size
79KB
-
MD5
92832ae49373b56748817cb5398ed706
-
SHA1
61e4505d605882b809d9c7f3dcbf163ff1678382
-
SHA256
1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90
-
SHA512
398ef0e5ffb6f914a2d1df23f12561153ef52ea28d345232cbb2daa84c43d1f1934be0c40d00b2502c2437c2733d0cdf75d24be6a8b47fc69648ad16c0bb4858
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 15 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
babuk.exedescription ioc Process File opened for modification C:\Users\Admin\Pictures\UnlockSubmit.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\HideConvert.tif => C:\Users\Admin\Pictures\HideConvert.tif.babyk babuk.exe File renamed C:\Users\Admin\Pictures\InstallRequest.png => C:\Users\Admin\Pictures\InstallRequest.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\MountDisable.crw => C:\Users\Admin\Pictures\MountDisable.crw.babyk babuk.exe File renamed C:\Users\Admin\Pictures\RepairTest.crw => C:\Users\Admin\Pictures\RepairTest.crw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\InstallRequest.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\SubmitLimit.tiff => C:\Users\Admin\Pictures\SubmitLimit.tiff.babyk babuk.exe File renamed C:\Users\Admin\Pictures\UnlockSubmit.png => C:\Users\Admin\Pictures\UnlockSubmit.png.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\SuspendSkip.tif.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\HideConvert.tif.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\SubmitLimit.tiff.babyk babuk.exe File renamed C:\Users\Admin\Pictures\SuspendSkip.tif => C:\Users\Admin\Pictures\SuspendSkip.tif.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\MountDisable.crw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\RepairTest.crw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\SubmitLimit.tiff babuk.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
babuk.exedescription ioc Process File opened (read-only) \??\Y: babuk.exe File opened (read-only) \??\O: babuk.exe File opened (read-only) \??\G: babuk.exe File opened (read-only) \??\W: babuk.exe File opened (read-only) \??\T: babuk.exe File opened (read-only) \??\P: babuk.exe File opened (read-only) \??\A: babuk.exe File opened (read-only) \??\H: babuk.exe File opened (read-only) \??\K: babuk.exe File opened (read-only) \??\L: babuk.exe File opened (read-only) \??\M: babuk.exe File opened (read-only) \??\E: babuk.exe File opened (read-only) \??\R: babuk.exe File opened (read-only) \??\S: babuk.exe File opened (read-only) \??\J: babuk.exe File opened (read-only) \??\Q: babuk.exe File opened (read-only) \??\I: babuk.exe File opened (read-only) \??\Z: babuk.exe File opened (read-only) \??\X: babuk.exe File opened (read-only) \??\V: babuk.exe File opened (read-only) \??\B: babuk.exe File opened (read-only) \??\N: babuk.exe File opened (read-only) \??\U: babuk.exe File opened (read-only) \??\F: babuk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid Process 1536 vssadmin.exe 1032 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
babuk.exepid Process 1252 babuk.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid Process Token: SeBackupPrivilege 1688 vssvc.exe Token: SeRestorePrivilege 1688 vssvc.exe Token: SeAuditPrivilege 1688 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
babuk.execmd.execmd.exedescription pid Process procid_target PID 1252 wrote to memory of 1464 1252 babuk.exe 27 PID 1252 wrote to memory of 1464 1252 babuk.exe 27 PID 1252 wrote to memory of 1464 1252 babuk.exe 27 PID 1252 wrote to memory of 1464 1252 babuk.exe 27 PID 1464 wrote to memory of 1536 1464 cmd.exe 29 PID 1464 wrote to memory of 1536 1464 cmd.exe 29 PID 1464 wrote to memory of 1536 1464 cmd.exe 29 PID 1252 wrote to memory of 300 1252 babuk.exe 33 PID 1252 wrote to memory of 300 1252 babuk.exe 33 PID 1252 wrote to memory of 300 1252 babuk.exe 33 PID 1252 wrote to memory of 300 1252 babuk.exe 33 PID 300 wrote to memory of 1032 300 cmd.exe 35 PID 300 wrote to memory of 1032 300 cmd.exe 35 PID 300 wrote to memory of 1032 300 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\babuk.exe"C:\Users\Admin\AppData\Local\Temp\babuk.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1032
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688