babuk | 704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320

General

Target

704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
Size

38KB
MD5

8b9a0b44b738c7884e6a14f4cb18afff
SHA1

9d9c33493aa0e1a12efe472e7cfc74bebec9a270
SHA256

704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320
SHA512

727ead654637728a3addc1e8004d1f86174918f77137ef49af970e480567a3295c40b9aa6b1f8bb8e1b23708db852f7aec4742acc0d8b14ab18e73aa58fd6d0e

Score

10^/10

babuk ransomware

Malware Config

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note

----------- [ Hello, Schauer Agrotronic ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. What information compromised? ---------------------------------------------- We copied more than 50 gb from your internal network, here are some proofs, for additional confirmations, please chat with us In cases of ignoring us, the information will be released to the public. How to contact us? ---------------------------------------------- Using TOR Browser ( https://www.torproject.org/download/ ): http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

URLs

http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ResetStart.tif => C:\Users\Admin\Pictures\ResetStart.tif.babyk	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File renamed	C:\Users\Admin\Pictures\SetJoin.tif => C:\Users\Admin\Pictures\SetJoin.tif.babyk	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File renamed	C:\Users\Admin\Pictures\ShowInvoke.png => C:\Users\Admin\Pictures\ShowInvoke.png.babyk	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File renamed	C:\Users\Admin\Pictures\StepMount.crw => C:\Users\Admin\Pictures\StepMount.crw.babyk	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe

description	ioc	process
File opened (read-only)	\??\A:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\K:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\X:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\V:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\B:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\W:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\R:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\I:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\J:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\L:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\Z:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\T:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\O:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\G:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\U:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\P:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\F:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\N:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\M:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\Q:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\E:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\Y:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\S:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
File opened (read-only)	\??\H:	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

552 vssadmin.exe
1076 vssadmin.exe

pid	process
552	vssadmin.exe
1076	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe

pid	process
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1620 vssvc.exe
Token: SeRestorePrivilege 1620 vssvc.exe
Token: SeAuditPrivilege 1620 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.execmd.execmd.exe

description	pid	process	target process
PID 1776 wrote to memory of 904	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 1776 wrote to memory of 904	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 1776 wrote to memory of 904	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 1776 wrote to memory of 904	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 904 wrote to memory of 552	904	cmd.exe	vssadmin.exe
PID 904 wrote to memory of 552	904	cmd.exe	vssadmin.exe
PID 904 wrote to memory of 552	904	cmd.exe	vssadmin.exe
PID 1776 wrote to memory of 1596	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 1776 wrote to memory of 1596	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 1776 wrote to memory of 1596	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 1776 wrote to memory of 1596	1776	704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe	cmd.exe
PID 1596 wrote to memory of 1076	1596	cmd.exe	vssadmin.exe
PID 1596 wrote to memory of 1076	1596	cmd.exe	vssadmin.exe
PID 1596 wrote to memory of 1076	1596	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe
"C:\Users\Admin\AppData\Local\Temp\704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1076