Analysis
-
max time kernel
89s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
01-12-2022 05:59
General
-
Target
exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E98.exe
-
Size
79KB
-
MD5
c7ec4e7022f26949ed39033616efe894
-
SHA1
0e4da1fa8b3bc8b2f410cfd7230b9fc70dc10670
-
SHA256
02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3
-
SHA512
04976b2e50e5f7f7a067b0dc07072f22c607d8ae6c33b4ec4e65a851b71bef939725f29fdeaa7a943033a9aa6b5f9a09f1d029860a0dbd6184be768754982aff
-
SSDEEP
1536:/hkWBeGnwEvWsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:LBevwWsrQLOJgY8Zp8LHD4XWaNH71dLc
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\02\E9\88\02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3\02E98.exe"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\02\E9\88\02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3\02E98.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken