Analysis

  • max time kernel
    216s
  • max time network
    288s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 05:59

General

  • Target

    exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E5.exe

  • Size

    79KB

  • MD5

    643c8c25fbe8c3cc7576bc8e7bcd8a68

  • SHA1

    5440796acedc3d0d847c8a812e5e647460ae3a27

  • SHA256

    049e53f72c8afa5ccb850429d55a00e2fbe799e68247fd13f5058146cf0f4cf8

  • SHA512

    d2042c4a908a53b59e52cc3ebf4c13fd7c537761de8fe33a65a664a055b13b6c58fbb482824e68764a09299affe1b592e72b6c846d8a65ddb1ace6a396bc371c

  • SSDEEP

    1536:4dikWBeG/LEq1srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:HBeMJ1srQLOJgY8Zp8LHD4XWaNH71dLT

Score
10/10

Malware Config

Extracted

Path

C:\PerfLogs\Restore Your Files.txt

Ransom Note
[+] What has happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ".chernobyl". You can restore everything, but you need to follow our instructions. Otherwise, you can never return your data. And that shouldn't be the only worry on you mind, since we downloaded sensitive information from your network prior to it's encryption. If our demands are not met, we'd be forced to release it publicly. Some highly valuable information will be sold to other cybercriminals who would be commiting financial fraud for the upcoming month with the personal data of your employees [+] Guarantees [+] To restore your network and secure the personal information of your company - you should pay the ransom. We guarantee that we will restore your network, delete all your data from our servers, it will not be leaked nor sold anywhere. That is our promise and business model In addition we will provide you with instructions on patching vulnerabilities in the network so that you would be secure in the future. Consider it a cybersecurity expenditure, and us - consulting/auditing company, albeit illegal but very professional one Now to the main agenda: we demand 60 thousands EUR in bitcoin, it's a very modest price compared to what you'd be asked for network restoration or hiring cybersecurity company to deal with vulnerabilities(and I promise you, they can't recover your data - usually they just receive hefty payment, pay the asked ransom from it and save the cut, they're real crooks :D) Also this sum includes dissuasion to sell your data, which would damage your reputation. If you pay - nothing will be leaked nor sold [+] How to pay/negotiate [+] Our contact details are as follows: chernobylransomware@protonmail.com Btc wallet for payment: 1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2 You can google how to buy bitcoins, it's fairly straightforward and easy nowadays. As soon as the payment done, we will send you the decryption keys along with instructions on how to use it. Additionally we will provide you with guidance on how to fix vulnerabilities or answer any of your questions on the topic, feel free to contact us ----------------------------------------------------------------------------------------- We advise against using any sofware to restore your files. You will certainly not succeed but you might damage them so that further restoration will be impossible. On our part, we guarantee help ----------------------------------------------------------------------------------------- With regards, Valeriy Legasov, CTO of Chernobyl Group
Emails

chernobylransomware@protonmail.com

Wallets

1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\9E\53\049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8\049E5.exe
    "C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\04\9E\53\049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8\049E5.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4044
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/428-135-0x0000000000000000-mapping.dmp
  • memory/1868-132-0x0000000000000000-mapping.dmp
  • memory/1976-134-0x0000000000000000-mapping.dmp
  • memory/4044-133-0x0000000000000000-mapping.dmp