Analysis

  • max time kernel
    216s
  • max time network
    288s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-12-2022 05:59

General

  • Target

    exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E5.exe

  • Size

    79KB

  • MD5

    643c8c25fbe8c3cc7576bc8e7bcd8a68

  • SHA1

    5440796acedc3d0d847c8a812e5e647460ae3a27

  • SHA256

    049e53f72c8afa5ccb850429d55a00e2fbe799e68247fd13f5058146cf0f4cf8

  • SHA512

    d2042c4a908a53b59e52cc3ebf4c13fd7c537761de8fe33a65a664a055b13b6c58fbb482824e68764a09299affe1b592e72b6c846d8a65ddb1ace6a396bc371c

  • SSDEEP

    1536:4dikWBeG/LEq1srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:HBeMJ1srQLOJgY8Zp8LHD4XWaNH71dLT

Score
10/10

Malware Config

Extracted

Path

C:\PerfLogs\Restore Your Files.txt

Ransom Note
[+] What has happened? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ".chernobyl". You can restore everything, but you need to follow our instructions. Otherwise, you can never return your data. And that shouldn't be the only worry on you mind, since we downloaded sensitive information from your network prior to it's encryption. If our demands are not met, we'd be forced to release it publicly. Some highly valuable information will be sold to other cybercriminals who would be commiting financial fraud for the upcoming month with the personal data of your employees

[+] Guarantees [+]

To restore your network and secure the personal information of your company - you should pay the ransom. We guarantee that we will restore your network, delete all your data from our servers, it will not be leaked nor sold anywhere. That is our promise and business model In addition we will provide you with instructions on patching vulnerabilities in the network so that you would be secure in the future. Consider it a cybersecurity expenditure, and us - consulting/auditing company, albeit illegal but very professional one Now to the main agenda: we demand 60 thousands EUR in bitcoin, it's a very modest price compared to what you'd be asked for network restoration or hiring cybersecurity company to deal with vulnerabilities(and I promise you, they can't recover your data - usually they just receive hefty payment, pay the asked ransom from it and save the cut, they're real crooks :D) Also this sum includes dissuasion to sell your data, which would damage your reputation. If you pay - nothing will be leaked nor sold

[+] How to pay/negotiate [+]

Our contact details are as follows: [email protected] Btc wallet for payment: 1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2 You can google how to buy bitcoins, it's fairly straightforward and easy nowadays.
As soon as the payment done, we will send you the decryption keys along with instructions on how to use it. Additionally we will provide you with guidance on how to fix vulnerabilities or answer any of your questions on the topic, feel free to contact us
-----------------------------------------------------------------------------------------
We advise against using any sofware to restore your files. You will certainly not succeed but you might damage them so that further restoration will be impossible. On our part, we guarantee help
-----------------------------------------------------------------------------------------
With regards, Valeriy Legasov, CTO of Chernobyl Group
Wallets

1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\9E\53\049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8\049E5.exe
    "C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\9E\53\049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8\049E5.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4044
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2504
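The process tree above shows the two behaviours a detection engineer would key on from this report: the sample (PID 3332) spawning cmd.exe to run `vssadmin.exe delete shadows /all /quiet`, and the same process rewriting user files with the appended ".chernobyl" extension. The following is an added example, not part of the sandbox report or of the sample, that runs that detection logic over constructed Sysmon-style events (Event ID 1 process creation and Event ID 11 file creation). The event dicts, PIDs and file names are constructed to mirror the tree and extension shown above, not captured from the sandbox; the `wmic shadowcopy delete` pattern is a known variant that goes beyond what this report shows.

```python
"""Added example (not from the sandbox report): flag shadow-copy deletion and
mass extension changes over constructed Sysmon-style events.

Assumptions: event dicts carry the Sysmon field names EventID, ProcessId,
ParentProcessId, Image, ParentImage, CommandLine (ID 1) and TargetFilename
(ID 11). All events below are constructed to mirror the report's process tree.
"""
import re
from collections import Counter

# Constructed process-creation events mirroring the report's tree.
PROCESS_EVENTS = [
    {"EventID": 1, "ProcessId": 3332, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\049E5.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\049E5.exe"'},
    {"EventID": 1, "ProcessId": 1868, "ParentProcessId": 3332,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\049E5.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'},
    {"EventID": 1, "ProcessId": 4044, "ParentProcessId": 1868,
     "Image": r"C:\Windows\system32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # Benign control: an administrator only listing shadow copies.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4100,
     "Image": r"C:\Windows\system32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

# Constructed file-creation events: the sample writing renamed user files,
# dropping its note, plus an unrelated process writing one temp file.
FILE_EVENTS = [
    {"EventID": 11, "ProcessId": 3332,
     "TargetFilename": rf"C:\Users\Admin\Documents\report{i}.docx.chernobyl"}
    for i in range(12)
] + [
    {"EventID": 11, "ProcessId": 3332,
     "TargetFilename": r"C:\PerfLogs\Restore Your Files.txt"},
    {"EventID": 11, "ProcessId": 7777,
     "TargetFilename": r"C:\Users\Admin\Downloads\setup.tmp"},
]

# Command lines that remove Volume Shadow Copies. Matching the cmd.exe parent
# as well as vssadmin.exe itself is deliberate: both lines carry the evidence.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def find_shadow_copy_deletion(events):
    """Return PIDs (in event order) whose command line deletes shadow copies."""
    return [ev["ProcessId"] for ev in events
            if ev.get("EventID") == 1
            and any(p.search(ev.get("CommandLine", "")) for p in SHADOW_DELETE_PATTERNS)]


def process_chain(events, pid):
    """Walk ParentProcessId links upward; returns images from pid to the root seen."""
    by_pid = {ev["ProcessId"]: ev for ev in events if ev.get("EventID") == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_mass_extension_change(events, threshold=10):
    """Return {pid: (appended_ext, count)} for processes that create >= threshold
    files sharing one appended extension (e.g. report.docx.chernobyl).

    Counting (pid, last extension) over names that still keep their original
    extension catches the bulk rename without a list of known ransomware
    extensions; the threshold keeps single renames and the note file out.
    """
    counts = Counter()
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        name = ev["TargetFilename"].rsplit("\\", 1)[-1]
        parts = name.split(".")
        if len(parts) < 3:  # need stem + original extension + appended extension
            continue
        counts[(ev["ProcessId"], parts[-1].lower())] += 1
    return {pid: (ext, n) for (pid, ext), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for pid in find_shadow_copy_deletion(PROCESS_EVENTS):
        print(f"shadow copy deletion by PID {pid}: "
              + " <- ".join(process_chain(PROCESS_EVENTS, pid)))
    for pid, (ext, n) in find_mass_extension_change(FILE_EVENTS).items():
        print(f"PID {pid} wrote {n} files with appended extension .{ext}")
```

The ancestry walk is what turns a noisy `vssadmin` hit into a confident one: an interactive `vssadmin delete shadows` from an administrator's console has a different parent chain than one rooted in an executable under a user's Temp directory, as in this tree. Tune the extension threshold to the host's normal write rate before deploying.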

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/428-135-0x0000000000000000-mapping.dmp

  • memory/1868-132-0x0000000000000000-mapping.dmp

  • memory/1976-134-0x0000000000000000-mapping.dmp

  • memory/4044-133-0x0000000000000000-mapping.dmp