babuk | 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8

General

Target

006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
Size

79KB
MD5

2023e84c9a5810a991e60ac9b81bece1
SHA1

7f3e50e8aa05499d006c8141633aee5f78031c37
SHA256

006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8
SHA512

7e22fbfb1cf70d20caeb3809ff00399b0ec6595c1538b4fee14df6370eae5d6c6b600d28085407b139d7523de15ebffff6810817d51e11e2920cb235d667dc91

Score

10^/10

babuk ransomware

Malware Config

Extracted

Path

C:\odt\How To Restore Your Files.txt

Ransom Note

What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever. How Do I Pay? Payment is accepted in Monero only. If you don't know what Monero is, please Google for information on how to buy and pay for Monero. Send $10000 worth of monero to this address: 88w1ijCZgdKW7aM8a6eNerd8p5ZSDCWD76HNCe1TTbKQMczjeqc78idSUH8Qesz7tVQExowELg7bQUA8yrfRr1zC2ZiC5rY Your encrypted ID:eXt1a60JmqREPRDdf2xqleWGQxeBwU After the payment is completed, please send the payment picture and ID to email. Email address:[email protected] After we confirm your payment amount, we will reply to the decryption program to your email address. Warning: Don't try to decrypt by yourself, you may permanently damage your files. If not decrypted after seven days, your data will be published on the Internet.

Emails

address:[email protected]

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RenameClose.tif => C:\Users\Admin\Pictures\RenameClose.tif.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened for modification	C:\Users\Admin\Pictures\ReadUnlock.tif.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File renamed	C:\Users\Admin\Pictures\ShowRequest.crw => C:\Users\Admin\Pictures\ShowRequest.crw.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened for modification	C:\Users\Admin\Pictures\ShowRequest.crw.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File renamed	C:\Users\Admin\Pictures\OptimizeNew.tif => C:\Users\Admin\Pictures\OptimizeNew.tif.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeNew.tif.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File renamed	C:\Users\Admin\Pictures\ReadUnlock.tif => C:\Users\Admin\Pictures\ReadUnlock.tif.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File renamed	C:\Users\Admin\Pictures\CompressMerge.png => C:\Users\Admin\Pictures\CompressMerge.png.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened for modification	C:\Users\Admin\Pictures\CompressMerge.png.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened for modification	C:\Users\Admin\Pictures\RenameClose.tif.babyk	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\Y:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\U:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\Z:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\M:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\N:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\I:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\H:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\K:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\X:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\V:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\B:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\Q:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\R:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\T:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\O:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\F:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\J:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\W:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\P:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\A:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\S:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\G:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
File opened (read-only)	\??\L:	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4376	vssadmin.exe
3976	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1440	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
1440	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1972	vssvc.exe
Token: SeRestorePrivilege	1972	vssvc.exe
Token: SeAuditPrivilege	1972	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1648	1440	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe	83
PID 1440 wrote to memory of 1648	1440	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe	83
PID 1648 wrote to memory of 3976	1648	cmd.exe	85
PID 1648 wrote to memory of 3976	1648	cmd.exe	85
PID 1440 wrote to memory of 4328	1440	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe	93
PID 1440 wrote to memory of 4328	1440	006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe	93
PID 4328 wrote to memory of 4376	4328	cmd.exe	95
PID 4328 wrote to memory of 4376	4328	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe
"C:\Users\Admin\AppData\Local\Temp\006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4376