Analysis
-
max time kernel
167s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-12-2022 05:59
General
-
Target
exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C.exe
-
Size
79KB
-
MD5
a55fa9c010416b233a1f8e63b658ecbc
-
SHA1
75a580aa9cc3f4901e229843411f6e2669256525
-
SHA256
0c55c4fb23178948e0df495158b290cce676bc93c5927e8ea57d93b3128972f5
-
SHA512
71889ebe24f6836c08db83f36f54dc53b4ef8d2d3f31a1e42e68e40eb74f6ffaa4456a3876a4dd2f7da9e4783c41c768f964d50c8da0d96748fe06257d07dacf
-
SSDEEP
1536:n6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:bhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 22 IoCs
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\0C\55\C4\0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5\0C55C.exe"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\0C\55\C4\0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5\0C55C.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
Filesize
8KB
-
-