Overview

overview

10

Static

static

ab8eee432f...d2.exe

windows7-x64

10

ab8eee432f...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2022 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab8eee432fa636360b3c6724fe6851e9cf8eeae1ee9da6fc576bee1cd5d7fad2.exe

  • Size

    79KB

  • MD5

    fa758e45dae3e8a7506f6b7663ccb4b4

  • SHA1

    ecdcc9bc595e93dfedbe26352d7a954a69d4a8ea

  • SHA256

    ab8eee432fa636360b3c6724fe6851e9cf8eeae1ee9da6fc576bee1cd5d7fad2

  • SHA512

    01598cfbde622afbc52ba17d406b459f4cb4c8db6a15eaa3f906eba9ea3ba920e61632383e35117c7c4fb1757c3aab9a291507228570b5cfdcac94de684cbe3c

  • SSDEEP

    1536:4pykWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:ZBeQsmsrQLOJgY8Zp8LHD4XWaNH71dLc

Score
10/10
babukransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever. How Do I Pay? Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some bitcoins. And send the correct amount to the address in this. Once the payment is checked, you can start decrypting your files immediately. Contact If you need our assistance, send a message by Telegram. We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay! Bitcoin address bc1q5jcrkhupyahwqhqa8fjngftp6r4mz6r0wputkd Amount 10 bitcoin Telegram https://t.me/bbkte4m
URLs

https://t.me/bbkte4m

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab8eee432fa636360b3c6724fe6851e9cf8eeae1ee9da6fc576bee1cd5d7fad2.exe
    "C:\Users\Admin\AppData\Local\Temp\ab8eee432fa636360b3c6724fe6851e9cf8eeae1ee9da6fc576bee1cd5d7fad2.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1684
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1224
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/560-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1224-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1632-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1684-56-0x0000000000000000-mapping.dmp

    Download