5339981168dfcefb874dc7e82563fa7aca047f17b1184ae8db9336a2335473a9

Analysis

max time kernel
89s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E98.exe
Size

79KB
MD5

c7ec4e7022f26949ed39033616efe894
SHA1

0e4da1fa8b3bc8b2f410cfd7230b9fc70dc10670
SHA256

02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3
SHA512

04976b2e50e5f7f7a067b0dc07072f22c607d8ae6c33b4ec4e65a851b71bef939725f29fdeaa7a943033a9aa6b5f9a09f1d029860a0dbd6184be768754982aff
SSDEEP

1536:/hkWBeGnwEvWsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:LBevwWsrQLOJgY8Zp8LHD4XWaNH71dLc

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

02E98.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 02E98.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	02E98.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

02E98.exe

description	ioc	process
File opened (read-only)	\??\R:	02E98.exe
File opened (read-only)	\??\U:	02E98.exe
File opened (read-only)	\??\J:	02E98.exe
File opened (read-only)	\??\L:	02E98.exe
File opened (read-only)	\??\Z:	02E98.exe
File opened (read-only)	\??\M:	02E98.exe
File opened (read-only)	\??\N:	02E98.exe
File opened (read-only)	\??\T:	02E98.exe
File opened (read-only)	\??\I:	02E98.exe
File opened (read-only)	\??\O:	02E98.exe
File opened (read-only)	\??\P:	02E98.exe
File opened (read-only)	\??\A:	02E98.exe
File opened (read-only)	\??\F:	02E98.exe
File opened (read-only)	\??\W:	02E98.exe
File opened (read-only)	\??\E:	02E98.exe
File opened (read-only)	\??\G:	02E98.exe
File opened (read-only)	\??\H:	02E98.exe
File opened (read-only)	\??\X:	02E98.exe
File opened (read-only)	\??\B:	02E98.exe
File opened (read-only)	\??\Q:	02E98.exe
File opened (read-only)	\??\Y:	02E98.exe
File opened (read-only)	\??\S:	02E98.exe
File opened (read-only)	\??\K:	02E98.exe
File opened (read-only)	\??\V:	02E98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

824 vssadmin.exe
4380 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

02E98.exe

pid process

4860 02E98.exe
4860 02E98.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2296 vssvc.exe
Token: SeRestorePrivilege 2296 vssvc.exe
Token: SeAuditPrivilege 2296 vssvc.exe

pid	process
824	vssadmin.exe
4380	vssadmin.exe

pid	process
4860	02E98.exe
4860	02E98.exe

description	pid	process
Token: SeBackupPrivilege	2296	vssvc.exe
Token: SeRestorePrivilege	2296	vssvc.exe
Token: SeAuditPrivilege	2296	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

02E98.execmd.execmd.exe

description	pid	process	target process
PID 4860 wrote to memory of 2984	4860	02E98.exe	cmd.exe
PID 4860 wrote to memory of 2984	4860	02E98.exe	cmd.exe
PID 2984 wrote to memory of 4380	2984	cmd.exe	vssadmin.exe
PID 2984 wrote to memory of 4380	2984	cmd.exe	vssadmin.exe
PID 4860 wrote to memory of 3732	4860	02E98.exe	cmd.exe
PID 4860 wrote to memory of 3732	4860	02E98.exe	cmd.exe
PID 3732 wrote to memory of 824	3732	cmd.exe	vssadmin.exe
PID 3732 wrote to memory of 824	3732	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\02\E9\88\02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3\02E98.exe
"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\02\E9\88\02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3\02E98.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-135-0x0000000000000000-mapping.dmp

Download
memory/2984-132-0x0000000000000000-mapping.dmp

Download
memory/3732-134-0x0000000000000000-mapping.dmp

Download
memory/4380-133-0x0000000000000000-mapping.dmp

Download