5339981168dfcefb874dc7e82563fa7aca047f17b1184ae8db9336a2335473a9

Analysis

max time kernel
40s
max time network
61s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E5.exe
Size

79KB
MD5

643c8c25fbe8c3cc7576bc8e7bcd8a68
SHA1

5440796acedc3d0d847c8a812e5e647460ae3a27
SHA256

049e53f72c8afa5ccb850429d55a00e2fbe799e68247fd13f5058146cf0f4cf8
SHA512

d2042c4a908a53b59e52cc3ebf4c13fd7c537761de8fe33a65a664a055b13b6c58fbb482824e68764a09299affe1b592e72b6c846d8a65ddb1ace6a396bc371c
SSDEEP

1536:4dikWBeG/LEq1srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:HBeMJ1srQLOJgY8Zp8LHD4XWaNH71dLT

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Restore Your Files.txt

Ransom Note

[+] What has happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ".chernobyl". You can restore everything, but you need to follow our instructions. Otherwise, you can never return your data. And that shouldn't be the only worry on you mind, since we downloaded sensitive information from your network prior to it's encryption. If our demands are not met, we'd be forced to release it publicly. Some highly valuable information will be sold to other cybercriminals who would be commiting financial fraud for the upcoming month with the personal data of your employees [+] Guarantees [+] To restore your network and secure the personal information of your company - you should pay the ransom. We guarantee that we will restore your network, delete all your data from our servers, it will not be leaked nor sold anywhere. That is our promise and business model In addition we will provide you with instructions on patching vulnerabilities in the network so that you would be secure in the future. Consider it a cybersecurity expenditure, and us - consulting/auditing company, albeit illegal but very professional one Now to the main agenda: we demand 60 thousands EUR in bitcoin, it's a very modest price compared to what you'd be asked for network restoration or hiring cybersecurity company to deal with vulnerabilities(and I promise you, they can't recover your data - usually they just receive hefty payment, pay the asked ransom from it and save the cut, they're real crooks :D) Also this sum includes dissuasion to sell your data, which would damage your reputation. If you pay - nothing will be leaked nor sold [+] How to pay/negotiate [+] Our contact details are as follows: [email protected] Btc wallet for payment: 1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2 You can google how to buy bitcoins, it's fairly straightforward and easy nowadays. As soon as the payment done, we will send you the decryption keys along with instructions on how to use it. Additionally we will provide you with guidance on how to fix vulnerabilities or answer any of your questions on the topic, feel free to contact us ----------------------------------------------------------------------------------------- We advise against using any sofware to restore your files. You will certainly not succeed but you might damage them so that further restoration will be impossible. On our part, we guarantee help ----------------------------------------------------------------------------------------- With regards, Valeriy Legasov, CTO of Chernobyl Group

Emails

[email protected]

Wallets

1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

049E5.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SelectReceive.tif => C:\Users\Admin\Pictures\SelectReceive.tif.chernobyl	049E5.exe
File renamed	C:\Users\Admin\Pictures\SuspendTest.tif => C:\Users\Admin\Pictures\SuspendTest.tif.chernobyl	049E5.exe
File renamed	C:\Users\Admin\Pictures\UseStop.raw => C:\Users\Admin\Pictures\UseStop.raw.chernobyl	049E5.exe
File opened for modification	C:\Users\Admin\Pictures\EnablePush.tiff	049E5.exe
File renamed	C:\Users\Admin\Pictures\ExitSync.crw => C:\Users\Admin\Pictures\ExitSync.crw.chernobyl	049E5.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSync.crw.chernobyl	049E5.exe
File renamed	C:\Users\Admin\Pictures\DebugSelect.raw => C:\Users\Admin\Pictures\DebugSelect.raw.chernobyl	049E5.exe
File renamed	C:\Users\Admin\Pictures\EnablePush.tiff => C:\Users\Admin\Pictures\EnablePush.tiff.chernobyl	049E5.exe
File opened for modification	C:\Users\Admin\Pictures\DebugSelect.raw.chernobyl	049E5.exe
File opened for modification	C:\Users\Admin\Pictures\EnablePush.tiff.chernobyl	049E5.exe
File opened for modification	C:\Users\Admin\Pictures\SelectReceive.tif.chernobyl	049E5.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendTest.tif.chernobyl	049E5.exe
File opened for modification	C:\Users\Admin\Pictures\UseStop.raw.chernobyl	049E5.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

049E5.exe

description	ioc	process
File opened (read-only)	\??\I:	049E5.exe
File opened (read-only)	\??\O:	049E5.exe
File opened (read-only)	\??\S:	049E5.exe
File opened (read-only)	\??\V:	049E5.exe
File opened (read-only)	\??\W:	049E5.exe
File opened (read-only)	\??\R:	049E5.exe
File opened (read-only)	\??\U:	049E5.exe
File opened (read-only)	\??\M:	049E5.exe
File opened (read-only)	\??\Q:	049E5.exe
File opened (read-only)	\??\A:	049E5.exe
File opened (read-only)	\??\N:	049E5.exe
File opened (read-only)	\??\K:	049E5.exe
File opened (read-only)	\??\T:	049E5.exe
File opened (read-only)	\??\Y:	049E5.exe
File opened (read-only)	\??\H:	049E5.exe
File opened (read-only)	\??\G:	049E5.exe
File opened (read-only)	\??\J:	049E5.exe
File opened (read-only)	\??\L:	049E5.exe
File opened (read-only)	\??\Z:	049E5.exe
File opened (read-only)	\??\X:	049E5.exe
File opened (read-only)	\??\E:	049E5.exe
File opened (read-only)	\??\P:	049E5.exe
File opened (read-only)	\??\F:	049E5.exe
File opened (read-only)	\??\B:	049E5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1484 vssadmin.exe
1052 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

049E5.exe

pid process

1584 049E5.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1060 vssvc.exe
Token: SeRestorePrivilege 1060 vssvc.exe
Token: SeAuditPrivilege 1060 vssvc.exe

pid	process
1484	vssadmin.exe
1052	vssadmin.exe

pid	process
1584	049E5.exe

description	pid	process
Token: SeBackupPrivilege	1060	vssvc.exe
Token: SeRestorePrivilege	1060	vssvc.exe
Token: SeAuditPrivilege	1060	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

049E5.execmd.execmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 552	1584	049E5.exe	cmd.exe
PID 1584 wrote to memory of 552	1584	049E5.exe	cmd.exe
PID 1584 wrote to memory of 552	1584	049E5.exe	cmd.exe
PID 1584 wrote to memory of 552	1584	049E5.exe	cmd.exe
PID 552 wrote to memory of 1484	552	cmd.exe	vssadmin.exe
PID 552 wrote to memory of 1484	552	cmd.exe	vssadmin.exe
PID 552 wrote to memory of 1484	552	cmd.exe	vssadmin.exe
PID 1584 wrote to memory of 1296	1584	049E5.exe	cmd.exe
PID 1584 wrote to memory of 1296	1584	049E5.exe	cmd.exe
PID 1584 wrote to memory of 1296	1584	049E5.exe	cmd.exe
PID 1584 wrote to memory of 1296	1584	049E5.exe	cmd.exe
PID 1296 wrote to memory of 1052	1296	cmd.exe	vssadmin.exe
PID 1296 wrote to memory of 1052	1296	cmd.exe	vssadmin.exe
PID 1296 wrote to memory of 1052	1296	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\9E\53\049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8\049E5.exe
"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\9E\53\049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8\049E5.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-55-0x0000000000000000-mapping.dmp

Download
memory/1052-58-0x0000000000000000-mapping.dmp

Download
memory/1296-57-0x0000000000000000-mapping.dmp

Download
memory/1484-56-0x0000000000000000-mapping.dmp

Download
memory/1584-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download