Analysis
- max time kernel: 115s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 27-03-2022 11:05
Static task: static1
Behavioral task: behavioral1
- Sample: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
- Resource: win10v2004-20220310-en
General
- Target: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
- Size: 79KB
- MD5: 2023e84c9a5810a991e60ac9b81bece1
- SHA1: 7f3e50e8aa05499d006c8141633aee5f78031c37
- SHA256: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8
- SHA512: 7e22fbfb1cf70d20caeb3809ff00399b0ec6595c1538b4fee14df6370eae5d6c6b600d28085407b139d7523de15ebffff6810817d51e11e2920cb235d667dc91
Malware Config
Extracted: C:\odt\How To Restore Your Files.txt
- address: edcvbghjikm@protonmail.com
Signatures
- Babuk Locker
  RaaS first seen in 2021, initially called Vasa Locker.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
  | description | ioc | process |
  | --- | --- | --- |
  | File renamed | C:\Users\Admin\Pictures\RenameClose.tif => C:\Users\Admin\Pictures\RenameClose.tif.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened for modification | C:\Users\Admin\Pictures\ReadUnlock.tif.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File renamed | C:\Users\Admin\Pictures\ShowRequest.crw => C:\Users\Admin\Pictures\ShowRequest.crw.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened for modification | C:\Users\Admin\Pictures\ShowRequest.crw.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File renamed | C:\Users\Admin\Pictures\OptimizeNew.tif => C:\Users\Admin\Pictures\OptimizeNew.tif.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened for modification | C:\Users\Admin\Pictures\OptimizeNew.tif.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File renamed | C:\Users\Admin\Pictures\ReadUnlock.tif => C:\Users\Admin\Pictures\ReadUnlock.tif.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File renamed | C:\Users\Admin\Pictures\CompressMerge.png => C:\Users\Admin\Pictures\CompressMerge.png.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened for modification | C:\Users\Admin\Pictures\CompressMerge.png.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened for modification | C:\Users\Admin\Pictures\RenameClose.tif.babyk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
  | description | ioc | process |
  | --- | --- | --- |
  | Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
  | description | ioc | process |
  | --- | --- | --- |
  | File opened (read-only) | \??\E: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\Y: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\U: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\Z: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\M: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\N: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\I: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\H: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\K: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\X: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\V: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\B: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\Q: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\R: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\T: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\O: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\F: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\J: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\W: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\P: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\A: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\S: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\G: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | File opened (read-only) | \??\L: | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  | pid | process |
  | --- | --- |
  | 4376 | vssadmin.exe |
  | 3976 | vssadmin.exe |
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
  | pid | process |
  | --- | --- |
  | 1440 | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
  | 1440 | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe |
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  | description | pid | process |
  | --- | --- | --- |
  | Token: SeBackupPrivilege | 1972 | vssvc.exe |
  | Token: SeRestorePrivilege | 1972 | vssvc.exe |
  | Token: SeAuditPrivilege | 1972 | vssvc.exe |
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe, cmd.exe, cmd.exe
  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 1440 wrote to memory of 1648 | 1440 | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe | cmd.exe |
  | PID 1440 wrote to memory of 1648 | 1440 | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe | cmd.exe |
  | PID 1648 wrote to memory of 3976 | 1648 | cmd.exe | vssadmin.exe |
  | PID 1648 wrote to memory of 3976 | 1648 | cmd.exe | vssadmin.exe |
  | PID 1440 wrote to memory of 4328 | 1440 | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe | cmd.exe |
  | PID 1440 wrote to memory of 4328 | 1440 | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe | cmd.exe |
  | PID 4328 wrote to memory of 4376 | 4328 | cmd.exe | vssadmin.exe |
  | PID 4328 wrote to memory of 4376 | 4328 | cmd.exe | vssadmin.exe |
Processes
1. C:\Users\Admin\AppData\Local\Temp\006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe"
   - Modifies extensions of user files
   - Checks computer location settings
   - Enumerates connected drives
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\vssadmin.exe
         Command line: vssadmin.exe delete shadows /all /quiet
         - Interacts with shadow copies
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\vssadmin.exe
         Command line: vssadmin.exe delete shadows /all /quiet
         - Interacts with shadow copies
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken