Overview

overview

10

Static

static

006ac52f96...c8.exe

windows7_x64

10

006ac52f96...c8.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8

  • Size

    79KB

  • Sample

    220327-m622dsggd8

  • MD5

    2023e84c9a5810a991e60ac9b81bece1

  • SHA1

    7f3e50e8aa05499d006c8141633aee5f78031c37

  • SHA256

    006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8

  • SHA512

    7e22fbfb1cf70d20caeb3809ff00399b0ec6595c1538b4fee14df6370eae5d6c6b600d28085407b139d7523de15ebffff6810817d51e11e2920cb235d667dc91

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever. How Do I Pay? Payment is accepted in Monero only. If you don't know what Monero is, please Google for information on how to buy and pay for Monero. Send $10000 worth of monero to this address: 88w1ijCZgdKW7aM8a6eNerd8p5ZSDCWD76HNCe1TTbKQMczjeqc78idSUH8Qesz7tVQExowELg7bQUA8yrfRr1zC2ZiC5rY Your encrypted ID:eXt1a60JmqREPRDdf2xqleWGQxeBwU After the payment is completed, please send the payment picture and ID to email. Email address:[email protected] After we confirm your payment amount, we will reply to the decryption program to your email address. Warning: Don't try to decrypt by yourself, you may permanently damage your files. If not decrypted after seven days, your data will be published on the Internet.
Emails

Targets

    • Target

      006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8

    • Size

      79KB

    • MD5

      2023e84c9a5810a991e60ac9b81bece1

    • SHA1

      7f3e50e8aa05499d006c8141633aee5f78031c37

    • SHA256

      006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8

    • SHA512

      7e22fbfb1cf70d20caeb3809ff00399b0ec6595c1538b4fee14df6370eae5d6c6b600d28085407b139d7523de15ebffff6810817d51e11e2920cb235d667dc91

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks