5339981168dfcefb874dc7e82563fa7aca047f17b1184ae8db9336a2335473a9

Analysis

max time kernel
39s
max time network
59s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exe.ransomware.babuk/04/12/6B/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3/04126.exe
Size

72KB
MD5

1b1285367305da0324daf76b0d524086
SHA1

61bae11359a57fb4238374da269c05232068a6db
SHA256

04126b30c1c2663cdf2b6386781aedbfce2ef418a0b01de510bd536903f577e3
SHA512

c1f655f665008cf40c1a8222f56b44a9bdf8959d913eb5dc0cff8a9c4ac5db8b35f6ea9828748e344c13337bd618956494c7ff4c4347df6d02525b0e9376909d
SSDEEP

1536:3rM/TWBeGB3yKNQETsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2905:3Be1asrQLOJgY8Zp8LHD4XWaNH71dLdH

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note

----------- [ Hello! ] -------------> ****BY NAME LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to contact us? ---------------------------------------------- support: [email protected] admin: [email protected] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

04126.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\PingWatch.tiff	04126.exe
File renamed	C:\Users\Admin\Pictures\PingWatch.tiff => C:\Users\Admin\Pictures\PingWatch.tiff.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\PingWatch.tiff.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\RemoveStep.raw => C:\Users\Admin\Pictures\RemoveStep.raw.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\CloseImport.raw => C:\Users\Admin\Pictures\CloseImport.raw.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\GrantFind.tif.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\LimitWait.png.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeEnter.tiff	04126.exe
File opened for modification	C:\Users\Admin\Pictures\NewUnblock.raw.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\OutCompress.raw.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\ResumeEnter.tiff => C:\Users\Admin\Pictures\ResumeEnter.tiff.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\UseRestore.raw => C:\Users\Admin\Pictures\UseRestore.raw.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\CloseImport.raw.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\GrantFind.tif => C:\Users\Admin\Pictures\GrantFind.tif.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStep.raw.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\UseRestore.raw.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\NewUnblock.raw => C:\Users\Admin\Pictures\NewUnblock.raw.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\OutCompress.raw => C:\Users\Admin\Pictures\OutCompress.raw.crypt	04126.exe
File renamed	C:\Users\Admin\Pictures\LimitWait.png => C:\Users\Admin\Pictures\LimitWait.png.crypt	04126.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeEnter.tiff.crypt	04126.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

04126.exe

description	ioc	process
File opened (read-only)	\??\E:	04126.exe
File opened (read-only)	\??\T:	04126.exe
File opened (read-only)	\??\O:	04126.exe
File opened (read-only)	\??\P:	04126.exe
File opened (read-only)	\??\F:	04126.exe
File opened (read-only)	\??\K:	04126.exe
File opened (read-only)	\??\L:	04126.exe
File opened (read-only)	\??\N:	04126.exe
File opened (read-only)	\??\M:	04126.exe
File opened (read-only)	\??\Q:	04126.exe
File opened (read-only)	\??\A:	04126.exe
File opened (read-only)	\??\X:	04126.exe
File opened (read-only)	\??\W:	04126.exe
File opened (read-only)	\??\I:	04126.exe
File opened (read-only)	\??\G:	04126.exe
File opened (read-only)	\??\J:	04126.exe
File opened (read-only)	\??\V:	04126.exe
File opened (read-only)	\??\B:	04126.exe
File opened (read-only)	\??\R:	04126.exe
File opened (read-only)	\??\Y:	04126.exe
File opened (read-only)	\??\U:	04126.exe
File opened (read-only)	\??\S:	04126.exe
File opened (read-only)	\??\H:	04126.exe
File opened (read-only)	\??\Z:	04126.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

908 vssadmin.exe
592 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

04126.exe

pid process

1748 04126.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1912 vssvc.exe
Token: SeRestorePrivilege 1912 vssvc.exe
Token: SeAuditPrivilege 1912 vssvc.exe

pid	process
908	vssadmin.exe
592	vssadmin.exe

pid	process
1748	04126.exe

description	pid	process
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

04126.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 1736	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1736	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1736	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1736	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1472	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1472	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1472	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1472	1748	04126.exe	cmd.exe
PID 1736 wrote to memory of 592	1736	cmd.exe	vssadmin.exe
PID 1736 wrote to memory of 592	1736	cmd.exe	vssadmin.exe
PID 1736 wrote to memory of 592	1736	cmd.exe	vssadmin.exe
PID 1472 wrote to memory of 700	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 700	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 700	1472	cmd.exe	powershell.exe
PID 1748 wrote to memory of 1268	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1268	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1268	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1268	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1772	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1772	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1772	1748	04126.exe	cmd.exe
PID 1748 wrote to memory of 1772	1748	04126.exe	cmd.exe
PID 1772 wrote to memory of 1848	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 1848	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 1848	1772	cmd.exe	powershell.exe
PID 1268 wrote to memory of 908	1268	cmd.exe	vssadmin.exe
PID 1268 wrote to memory of 908	1268	cmd.exe	vssadmin.exe
PID 1268 wrote to memory of 908	1268	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\12\6B\04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3\04126.exe
"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\12\6B\04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3\04126.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell Get - WmiObject Win32_Shadowcopy | ForEach - Object{ $_.Delete();
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get - WmiObject Win32_Shadowcopy
    3⤵
    PID:700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell Get - WmiObject Win32_Shadowcopy | ForEach - Object{ $_.Delete();
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get - WmiObject Win32_Shadowcopy
    3⤵
    PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-57-0x0000000000000000-mapping.dmp

Download
memory/700-58-0x0000000000000000-mapping.dmp

Download
memory/908-62-0x0000000000000000-mapping.dmp

Download
memory/1268-59-0x0000000000000000-mapping.dmp

Download
memory/1472-56-0x0000000000000000-mapping.dmp

Download
memory/1736-55-0x0000000000000000-mapping.dmp

Download
memory/1748-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1772-60-0x0000000000000000-mapping.dmp

Download
memory/1848-61-0x0000000000000000-mapping.dmp

Download