Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 10:25

General

  • Target

    1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.exe

  • Size

    413KB

  • MD5

    73ba54e1bf3cef8f2a46bbc2ed73cfb9

  • SHA1

    3c9587ea9dc8039735398548fbc17ee50cf1b8b7

  • SHA256

    1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6

  • SHA512

    e71eb7e2afe93855e448f270c3e8847ac7d46865cbd2d106de9b39567a163af0059c8ff8889a3dfe1b4c717f90f7f483e48fb421c3ea1bc9f6608be8edad950a

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers.

What happened to your files? Your network has been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher.

WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public.

Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13

How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/

After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms.

Contact: telegram: @redeyeg0d email: yourd34d@ctemplar.com
Emails

yourd34d@ctemplar.com

URLs

https://bisq.network/

https://www.getmonero.org/
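
The "Malware Config / Extracted" block above is the sandbox's own parse of the ransom note. The following is an added example (not the sandbox's extractor or the malware's code) of pulling the same indicators out of note text: contact e-mails, URLs, the Telegram handle, the Monero address, the demanded amount and the deadline. The note text is embedded from this report; the regexes, the NoteConfig structure and the base58 format check are assumptions of this example. The Monero check is format-only (length and alphabet); a real validity check needs the Keccak-256 checksum, which the standard library does not provide.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ransom note text as shown in this report (C:\How To Restore Your Files.txt), embedded
# inline so the extractor runs offline.
RANSOM_NOTE = (
    "You are probably wondering why you are receiving a message from me. Yesterday, "
    "duncanregional.com got breached. We took over 150GB data + patient userdata from dba servers. "
    "All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. "
    "Pay 60,000 (USD) in XMR (Monero) to this address: "
    "4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 "
    "How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a "
    "Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: "
    "https://www.getmonero.org/ After sending the specified amount to our wallet we will provide "
    "you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, "
    "starting now), or we do not receive a response from you we will start the data to our "
    "potential buyers. Contact: telegram: @redeyeg0d email: yourd34d@ctemplar.com"
)

# Base58 alphabet used by Monero addresses (no 0, O, I, l).
B58 = r"[1-9A-HJ-NP-Za-km-z]"
# Standard mainnet addresses: 95 chars starting with '4' (subaddresses start with '8');
# integrated addresses: 106 chars starting with '4'.
XMR_RE = re.compile(rf"(?<!{B58})[48]{B58}{{94}}(?:{B58}{{11}})?(?!{B58})")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TELEGRAM_RE = re.compile(r"(?<![\w@])@(\w{5,32})\b")   # handle, not an e-mail domain
AMOUNT_RE = re.compile(r"Pay\s+([\d,]+)\s*\(?USD\)?", re.I)
DEADLINE_RE = re.compile(r"(\d+)\s*hour deadline", re.I)


@dataclass
class NoteConfig:
    emails: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    telegram: List[str] = field(default_factory=list)
    xmr_addresses: List[str] = field(default_factory=list)
    ransom_usd: Optional[int] = None
    deadline_hours: Optional[int] = None


def is_plausible_xmr_address(addr: str) -> bool:
    """Format check only: correct prefix, length and base58 alphabet (no checksum)."""
    return addr[:1] in "48" and len(addr) in (95, 106) and re.fullmatch(B58 + "+", addr) is not None


def _dedupe(items) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_note_config(text: str) -> NoteConfig:
    """Extract contact and payment indicators from ransom note text."""
    cfg = NoteConfig()
    cfg.emails = _dedupe(EMAIL_RE.findall(text))
    cfg.urls = _dedupe(u.rstrip(".,);") for u in URL_RE.findall(text))
    cfg.telegram = _dedupe(TELEGRAM_RE.findall(text))
    cfg.xmr_addresses = _dedupe(a for a in XMR_RE.findall(text) if is_plausible_xmr_address(a))
    amount = AMOUNT_RE.search(text)
    if amount:
        cfg.ransom_usd = int(amount.group(1).replace(",", ""))
    deadline = DEADLINE_RE.search(text)
    if deadline:
        cfg.deadline_hours = int(deadline.group(1))
    return cfg


if __name__ == "__main__":
    print(extract_note_config(RANSOM_NOTE))
```

The extracted e-mail, handle and wallet address are the pivot points for clustering other samples of the same campaign; the URLs here are all legitimate exchange/guide sites and should not go on a blocklist.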

Signatures

  • Babuk Locker

    Ransomware-as-a-service (RaaS) first seen in 2021, initially called Vasa Locker.

  • Deletes shadow copies (2 TTPs)

    Ransomware often deletes Volume Shadow Copies and other backups to inhibit system recovery; here it runs vssadmin.exe delete shadows /all /quiet twice (see the process tree).

  • Executes dropped EXE (1 IoC)

    The sample writes AddInProcess32.exe to the user's Temp directory and runs it.

  • Modifies extensions of user files (7 IoCs)

    Ransomware generally changes the extension of the files it has encrypted.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of drives other than the default C: drive.

  • Suspicious use of SetThreadContext (1 IoC)

    Together with the WriteProcessMemory calls from the parent (PID 4948) into the dropped child (PID 1840), this is the API pattern used for process hollowing / thread-context injection.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drives; likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.exe
    "C:\Users\Admin\AppData\Local\Temp\1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4464
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:5064
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4700
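
The tree above is the detection opportunity: a dropped executable in Temp spawning cmd.exe, which in turn runs vssadmin.exe delete shadows /all /quiet. The block below is an added example (not the sandbox's or the malware's code) of a process-creation detection run over constructed Sysmon Event ID 1 style records that mirror this tree. PIDs, images and command lines are taken from the tree; the explorer.exe parent (PID 1234) is an assumption, since the report does not show the parent of the first process. The recovery-inhibit patterns go beyond this page's single vssadmin case and also cover wmic, wbadmin and bcdedit variants commonly used for the same T1490 purpose.

```python
import ntpath
import re
from typing import Dict, List

# Constructed process-creation records (reduced Sysmon Event ID 1 fields) mirroring the
# process tree in this report. PID 1234 / explorer.exe is an assumed parent.
SAMPLE = "1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
CMD = "C:\\Windows\\System32\\cmd.exe"
VSS = "vssadmin.exe delete shadows /all /quiet"
EVENTS: List[Dict] = [
    {"pid": 1234, "ppid": 4, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4948, "ppid": 1234, "image": TEMP + "\\" + SAMPLE, "cmd": f'"{TEMP}\\{SAMPLE}"'},
    {"pid": 1840, "ppid": 4948, "image": TEMP + "\\AddInProcess32.exe",
     "cmd": f'"{TEMP}\\AddInProcess32.exe"'},
    {"pid": 4952, "ppid": 1840, "image": CMD, "cmd": f'"{CMD}" /c {VSS}'},
    {"pid": 4464, "ppid": 4952, "image": "C:\\Windows\\system32\\vssadmin.exe", "cmd": VSS},
    {"pid": 2536, "ppid": 1840, "image": CMD, "cmd": f'"{CMD}" /c {VSS}'},
    {"pid": 5064, "ppid": 2536, "image": "C:\\Windows\\system32\\vssadmin.exe", "cmd": VSS},
]

# Command-line patterns for T1490 Inhibit System Recovery. Matching on the command line
# (not the image) also catches the "cmd /c" wrapper that launched the tool.
RECOVERY_INHIBIT = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"vssadmin(\.exe)?\s+resize\s+shadowstorage", "vssadmin resize shadowstorage"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "wbadmin delete"),
    (r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", "bcdedit recoveryenabled no"),
]

# Path fragments of user-writable locations where dropped payloads are commonly staged.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def index(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events}


def ancestry(by_pid: Dict[int, Dict], pid: int, limit: int = 16) -> List[str]:
    """Image basenames from the process up to the root, guarding against PID reuse loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def in_user_writable(image: str) -> bool:
    path = image.lower()
    return any(fragment in path for fragment in USER_WRITABLE)


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched rule, each with the process ancestry for triage."""
    by_pid = index(events)
    findings = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        for pattern, label in RECOVERY_INHIBIT:
            if re.search(pattern, e["cmd"], re.I):
                findings.append({"rule": "T1490 " + label, "pid": e["pid"], "chain": chain})
        parent = by_pid.get(e["ppid"])
        if parent and in_user_writable(e["image"]) and in_user_writable(parent["image"]):
            findings.append({"rule": "dropped EXE run from user-writable path",
                             "pid": e["pid"], "chain": chain})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], " <- ".join(f["chain"]))
```

Against the constructed events this yields four T1490 hits (each cmd.exe wrapper and each vssadmin.exe) plus one hit for AddInProcess32.exe running out of Temp; deduplicate on the ancestry chain if the double alert per deletion is too noisy. Note that AddInProcess32.exe is the name of a legitimate .NET Framework binary; the 42KB copy here is dropped into Temp rather than run from the framework directory, which is why the path-based rule, not the file name, is the useful signal.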

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • File Deletion, T1107 (2)

Discovery

  • Query Registry, T1012 (2)
  • System Information Discovery, T1082 (3)
  • Peripheral Device Discovery, T1120 (1)

Impact

  • Inhibit System Recovery, T1490 (2)

The matrix uses ATT&CK v6 identifiers; T1107 (File Deletion) was later deprecated and folded into T1070.004 (Indicator Removal: File Deletion).

Downloads (dropped files and memory dumps)

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    Filesize

    42KB

    MD5

    9827ff3cdf4b83f9c86354606736ca9c

    SHA1

    e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

    SHA256

    c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

    SHA512

    8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

  • memory/1840-146-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1840-144-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1840-142-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1840-140-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/1840-136-0x0000000000000000-mapping.dmp
  • memory/1840-137-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

  • memory/2536-145-0x0000000000000000-mapping.dmp
  • memory/4464-143-0x0000000000000000-mapping.dmp
  • memory/4948-135-0x0000000008090000-0x00000000080B2000-memory.dmp
    Filesize

    136KB

  • memory/4948-134-0x00000000054E0000-0x00000000054EA000-memory.dmp
    Filesize

    40KB

  • memory/4948-130-0x00000000003C0000-0x000000000042C000-memory.dmp
    Filesize

    432KB

  • memory/4948-133-0x0000000004E90000-0x0000000004F2C000-memory.dmp
    Filesize

    624KB

  • memory/4948-132-0x0000000004DF0000-0x0000000004E82000-memory.dmp
    Filesize

    584KB

  • memory/4948-131-0x0000000005510000-0x0000000005AB4000-memory.dmp
    Filesize

    5.6MB

  • memory/4952-141-0x0000000000000000-mapping.dmp
  • memory/5064-147-0x0000000000000000-mapping.dmp