Analysis

  • max time kernel
    127s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    10-04-2022 03:42

General

  • Target

    c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24.exe

  • Size

    308KB

  • MD5

    75a6690d9a4a89bd0cf6ceebcffd3c41

  • SHA1

    678ddaaaa14fcd7b90bfa2b673221378e032fdbf

  • SHA256

    c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24

  • SHA512

    37273a97459d3624e77c8b586acbed6836a88d9c4975625a654f55eccdabeb9d4dcd55598779ec7bfe3e682e725597468ef59fee9e18263a3a00c86bf962e526

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note

--------------- Hello ---------------
*** By BABUCK LOCKER ***
Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network.
Follow our instructions below, and you will recover all your data:
1) Pay 0,006 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i
2) Send us message with transaction id to babuckransom@tutanota.com
3) Launch decryptor.exe, which our support will send you through email
What guarantees?
-----------------------------------------------------
We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data.
-----------------------------------------------------
!!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!

Emails

babuckransom@tutanota.com

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

  • Babuk Locker

    RaaS first seen in 2021, initially called Vasa Locker.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files (18 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (1 IoC)
  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24.exe
    "C:\Users\Admin\AppData\Local\Temp\c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2880
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1372
      2⤵
      • Program crash
      PID:3740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3932 -ip 3932
    1⤵
    PID:972

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    File Deletion (2) - T1107

  • Discovery

    Query Registry (2) - T1012
    System Information Discovery (3) - T1082
    Peripheral Device Discovery (1) - T1120

  • Impact

    Inhibit System Recovery (2) - T1490


Downloads

  • memory/2880-139-0x0000000000000000-mapping.dmp
  • memory/3932-134-0x00000000007B9000-0x00000000007CA000-memory.dmp (Filesize: 68KB)
  • memory/3932-135-0x00000000007B9000-0x00000000007CA000-memory.dmp (Filesize: 68KB)
  • memory/3932-136-0x00000000006F0000-0x0000000000705000-memory.dmp (Filesize: 84KB)
  • memory/3932-137-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
  • memory/4132-141-0x0000000000000000-mapping.dmp
  • memory/4372-138-0x0000000000000000-mapping.dmp
  • memory/4716-140-0x0000000000000000-mapping.dmp