babuk | e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c

General

Target

e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
Size

79KB
MD5

13662706c856d1c853a6f365094daf12
SHA1

a1530c0b0d04187bde9df1482dec9c9b93925932
SHA256

e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c
SHA512

32534aa723f87216fde47c3532f9c73f0e24c89aa4cf6eefc68561e40b6f1b1759b5da14f78792e69c61cfb641568ec771df69956ac9749791f1e3d4592cd3ec
SSDEEP

1536:G6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:AhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

Score

10^/10

babuk ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\AddNew.tiff.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File renamed	C:\Users\Admin\Pictures\HideConnect.crw => C:\Users\Admin\Pictures\HideConnect.crw.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened for modification	C:\Users\Admin\Pictures\HideConnect.crw.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File renamed	C:\Users\Admin\Pictures\MoveDismount.tif => C:\Users\Admin\Pictures\MoveDismount.tif.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened for modification	C:\Users\Admin\Pictures\AddNew.tiff	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened for modification	C:\Users\Admin\Pictures\MoveDismount.tif.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File renamed	C:\Users\Admin\Pictures\PublishEnable.raw => C:\Users\Admin\Pictures\PublishEnable.raw.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened for modification	C:\Users\Admin\Pictures\PublishEnable.raw.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File renamed	C:\Users\Admin\Pictures\AddNew.tiff => C:\Users\Admin\Pictures\AddNew.tiff.babyk	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

description	ioc	process
File opened (read-only)	\??\G:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\J:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\K:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\L:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\W:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\T:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\P:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\A:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\X:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\M:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\E:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\R:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\S:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\Z:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\N:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\Y:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\U:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\F:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\H:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\B:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\Q:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\I:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\O:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
File opened (read-only)	\??\V:	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2788 vssadmin.exe
720 vssadmin.exe

pid	process
2788	vssadmin.exe
720	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

pid	process
4748	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
4748	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2088 vssvc.exe
Token: SeRestorePrivilege 2088 vssvc.exe
Token: SeAuditPrivilege 2088 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2088	vssvc.exe
Token: SeRestorePrivilege	2088	vssvc.exe
Token: SeAuditPrivilege	2088	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.execmd.execmd.exe

description	pid	process	target process
PID 4748 wrote to memory of 336	4748	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe	cmd.exe
PID 4748 wrote to memory of 336	4748	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe	cmd.exe
PID 336 wrote to memory of 720	336	cmd.exe	vssadmin.exe
PID 336 wrote to memory of 720	336	cmd.exe	vssadmin.exe
PID 4748 wrote to memory of 3712	4748	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe	cmd.exe
PID 4748 wrote to memory of 3712	4748	e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe	cmd.exe
PID 3712 wrote to memory of 2788	3712	cmd.exe	vssadmin.exe
PID 3712 wrote to memory of 2788	3712	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe
"C:\Users\Admin\AppData\Local\Temp\e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1072

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How To Restore Your Files.txt
1⤵
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\How To Restore Your Files.txt
Filesize
132B

MD5
5bcf8213c4f32ff2739696be4f2d6323

SHA1
ae5a7c6a65e993efe2fcf9512f2cb8de946a6182

SHA256
0d80e9031513c9bd5fc9f13e7786ded8f54bd8ddfe3944948f7e55880365a98c

SHA512
7348a510a5209d7b75667b8367c1b4d6137c3757638ffb34b17f7158da48d264f11785885fd7fc30535f765e20667f8533f56073ac3a59eb42a940bd6313c164

Download Submit
memory/336-132-0x0000000000000000-mapping.dmp

Download
memory/720-133-0x0000000000000000-mapping.dmp

Download
memory/2788-135-0x0000000000000000-mapping.dmp

Download
memory/3712-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads