Overview

overview

10

Static

static

e69149c02a...82.exe

windows7_x64

10

e69149c02a...82.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82.exe

  • Size

    410KB

  • MD5

    4dc689389054b8aae01c162fb7fec051

  • SHA1

    fd4356fd980f837a813515321fe5f54d5625258b

  • SHA256

    e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82

  • SHA512

    e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: yourd34d@ctemplar.com
Emails

yourd34d@ctemplar.com

URLs

https://bisq.network/

https://www.getmonero.org/

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 25 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82.exe
    "C:\Users\Admin\AppData\Local\Temp\e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4488
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4932
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    Filesize

    42KB

    MD5

    9827ff3cdf4b83f9c86354606736ca9c

    SHA1

    e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

    SHA256

    c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

    SHA512

    8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

    Download Submit
  • memory/904-143-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/904-137-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/904-146-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/904-144-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/904-140-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/904-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1932-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4488-142-0x0000000000000000-mapping.dmp
    Download
  • memory/4608-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4932-147-0x0000000000000000-mapping.dmp
    Download
  • memory/5108-132-0x0000000005240000-0x00000000052D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/5108-131-0x0000000005750000-0x0000000005CF4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/5108-135-0x0000000008520000-0x0000000008542000-memory.dmp
    Filesize

    136KB

    Download
  • memory/5108-130-0x00000000007E0000-0x000000000084C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/5108-134-0x00000000056B0000-0x00000000056BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5108-133-0x00000000052E0000-0x000000000537C000-memory.dmp
    Filesize

    624KB

    Download