Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
08-02-2022 14:31
Static task
static1
Behavioral task
behavioral1
Sample
babuk.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
babuk.exe
Resource
win10v2004-en-20220112
General
-
Target
babuk.exe
-
Size
79KB
-
MD5
92832ae49373b56748817cb5398ed706
-
SHA1
61e4505d605882b809d9c7f3dcbf163ff1678382
-
SHA256
1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90
-
SHA512
398ef0e5ffb6f914a2d1df23f12561153ef52ea28d345232cbb2daa84c43d1f1934be0c40d00b2502c2437c2733d0cdf75d24be6a8b47fc69648ad16c0bb4858
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 26 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
babuk.exedescription ioc process File renamed C:\Users\Admin\Pictures\CompleteRestart.tiff => C:\Users\Admin\Pictures\CompleteRestart.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\ResolveExit.tiff babuk.exe File opened for modification C:\Users\Admin\Pictures\InstallConvertTo.raw.babyk babuk.exe File renamed C:\Users\Admin\Pictures\JoinDeny.crw => C:\Users\Admin\Pictures\JoinDeny.crw.babyk babuk.exe File renamed C:\Users\Admin\Pictures\MeasureStep.raw => C:\Users\Admin\Pictures\MeasureStep.raw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\StopSet.tiff babuk.exe File opened for modification C:\Users\Admin\Pictures\UnlockCheckpoint.tiff babuk.exe File renamed C:\Users\Admin\Pictures\ResolveExit.tiff => C:\Users\Admin\Pictures\ResolveExit.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\ResolveExit.tiff.babyk babuk.exe File renamed C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\WatchSet.tiff.babyk babuk.exe File renamed C:\Users\Admin\Pictures\BackupResolve.png => C:\Users\Admin\Pictures\BackupResolve.png.babyk babuk.exe File renamed C:\Users\Admin\Pictures\InstallConvertTo.raw => C:\Users\Admin\Pictures\InstallConvertTo.raw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\JoinDeny.crw.babyk babuk.exe File renamed C:\Users\Admin\Pictures\PushRemove.tiff => C:\Users\Admin\Pictures\PushRemove.tiff.babyk babuk.exe File renamed C:\Users\Admin\Pictures\UnlockCheckpoint.tiff => C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\StopSet.tiff.babyk babuk.exe File renamed C:\Users\Admin\Pictures\WatchSet.tiff => C:\Users\Admin\Pictures\WatchSet.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\CompleteRestart.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\CompleteRestart.tiff babuk.exe File opened for modification C:\Users\Admin\Pictures\BackupResolve.png.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\PushRemove.tiff babuk.exe File opened for modification C:\Users\Admin\Pictures\MeasureStep.raw.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\PushRemove.tiff.babyk babuk.exe File opened for modification C:\Users\Admin\Pictures\WatchSet.tiff babuk.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
babuk.exedescription ioc process File opened (read-only) \??\R: babuk.exe File opened (read-only) \??\P: babuk.exe File opened (read-only) \??\A: babuk.exe File opened (read-only) \??\V: babuk.exe File opened (read-only) \??\Q: babuk.exe File opened (read-only) \??\E: babuk.exe File opened (read-only) \??\G: babuk.exe File opened (read-only) \??\X: babuk.exe File opened (read-only) \??\N: babuk.exe File opened (read-only) \??\W: babuk.exe File opened (read-only) \??\F: babuk.exe File opened (read-only) \??\J: babuk.exe File opened (read-only) \??\B: babuk.exe File opened (read-only) \??\I: babuk.exe File opened (read-only) \??\H: babuk.exe File opened (read-only) \??\U: babuk.exe File opened (read-only) \??\O: babuk.exe File opened (read-only) \??\S: babuk.exe File opened (read-only) \??\K: babuk.exe File opened (read-only) \??\L: babuk.exe File opened (read-only) \??\Z: babuk.exe File opened (read-only) \??\T: babuk.exe File opened (read-only) \??\Y: babuk.exe File opened (read-only) \??\M: babuk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 776 vssadmin.exe 1708 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
babuk.exepid process 1340 babuk.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1988 vssvc.exe Token: SeRestorePrivilege 1988 vssvc.exe Token: SeAuditPrivilege 1988 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
babuk.execmd.execmd.exedescription pid process target process PID 1340 wrote to memory of 1068 1340 babuk.exe cmd.exe PID 1340 wrote to memory of 1068 1340 babuk.exe cmd.exe PID 1340 wrote to memory of 1068 1340 babuk.exe cmd.exe PID 1340 wrote to memory of 1068 1340 babuk.exe cmd.exe PID 1068 wrote to memory of 776 1068 cmd.exe vssadmin.exe PID 1068 wrote to memory of 776 1068 cmd.exe vssadmin.exe PID 1068 wrote to memory of 776 1068 cmd.exe vssadmin.exe PID 1340 wrote to memory of 1980 1340 babuk.exe cmd.exe PID 1340 wrote to memory of 1980 1340 babuk.exe cmd.exe PID 1340 wrote to memory of 1980 1340 babuk.exe cmd.exe PID 1340 wrote to memory of 1980 1340 babuk.exe cmd.exe PID 1980 wrote to memory of 1708 1980 cmd.exe vssadmin.exe PID 1980 wrote to memory of 1708 1980 cmd.exe vssadmin.exe PID 1980 wrote to memory of 1708 1980 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\babuk.exe"C:\Users\Admin\AppData\Local\Temp\babuk.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1708
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988