Analysis

  • max time kernel
    80s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 15:53

General

  • Target

    admin-panel.exe

  • Size

    79KB

  • MD5

    566b19ddc6c735e6b8bd24d766b27d95

  • SHA1

    18cf7b695f958a48fb54fe8faca8c72e9709bc40

  • SHA256

    1a8cc49359906456588745440b5378bcaeaf606b1fe52128d46aacb2658985f8

  • SHA512

    570f1ae1e156965dbad7f37afe05b6f5db55e716964452f73cc5f3fef81e5e90e8d55b1539ab6545462a05dbef47b9b7bf0d319eecd1414666d3ae8563fa38c6

Score
10/10

Malware Config

Signatures 10

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies ⋅ 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files ⋅ 17 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives ⋅ 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies ⋅ 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes 6

  • C:\Users\Admin\AppData\Local\Temp\admin-panel.exe
    "C:\Users\Admin\AppData\Local\Temp\admin-panel.exe"
    Modifies extensions of user files
    Checks computer location settings
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:408
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:492
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:212
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:3112

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • memory/212-133-0x0000000000000000-mapping.dmp
                    • memory/408-131-0x0000000000000000-mapping.dmp
                    • memory/492-132-0x0000000000000000-mapping.dmp
                    • memory/4840-130-0x0000000000000000-mapping.dmp