Analysis
- max time kernel: 4294182s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 27-03-2022 11:05
Static task: static1
Behavioral task: behavioral1
- Sample: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
- Resource: win10v2004-20220310-en
General
- Target: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
- Size: 79KB
- MD5: 2023e84c9a5810a991e60ac9b81bece1
- SHA1: 7f3e50e8aa05499d006c8141633aee5f78031c37
- SHA256: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8
- SHA512: 7e22fbfb1cf70d20caeb3809ff00399b0ec6595c1538b4fee14df6370eae5d6c6b600d28085407b139d7523de15ebffff6810817d51e11e2920cb235d667dc91
Malware Config
- Extracted from: C:\How To Restore Your Files.txt
- address: edcvbghjikm@protonmail.com
Signatures
- Babuk Locker
  RaaS first seen in 2021, initially called Vasa Locker.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
  - File renamed: C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.babyk
  - File opened for modification: C:\Users\Admin\Pictures\ExitRestore.png.babyk
  - File renamed: C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.babyk
  - File opened for modification: C:\Users\Admin\Pictures\InitializeMount.crw.babyk
  - File renamed: C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.babyk
  - File opened for modification: C:\Users\Admin\Pictures\InvokeGrant.raw.babyk
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
  - File opened (read-only): \??\G:, \??\H:, \??\Z:, \??\Q:, \??\E:, \??\U:, \??\A:, \??\S:, \??\K:, \??\V:, \??\B:, \??\X:, \??\N:, \??\M:, \??\T:, \??\I:, \??\O:, \??\P:, \??\F:, \??\W:, \??\R:, \??\Y:, \??\J:, \??\L:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - vssadmin.exe (PID 576)
  - vssadmin.exe (PID 1324)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  - 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe (PID 1940)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 796)
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe, cmd.exe, cmd.exe
  - PID 1940 (006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe) wrote to memory of PID 1680 (cmd.exe), 4 events
  - PID 1680 (cmd.exe) wrote to memory of PID 576 (vssadmin.exe), 3 events
  - PID 1940 (006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe) wrote to memory of PID 1540 (cmd.exe), 4 events
  - PID 1540 (cmd.exe) wrote to memory of PID 1324 (vssadmin.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe"
  Signatures:
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures:
      - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures:
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/576-56-0x0000000000000000-mapping.dmp
- memory/1324-58-0x0000000000000000-mapping.dmp
- memory/1540-57-0x0000000000000000-mapping.dmp
- memory/1680-55-0x0000000000000000-mapping.dmp
- memory/1940-54-0x0000000076BC1000-0x0000000076BC3000-memory.dmp (Filesize: 8KB)