Overview
overview
10Static
static
10exe.ransom...99.exe
windows7-x64
9exe.ransom...99.exe
windows10-2004-x64
9exe.ransom...55.exe
windows7-x64
10exe.ransom...55.exe
windows10-2004-x64
10exe.ransom...FA.exe
windows7-x64
10exe.ransom...FA.exe
windows10-2004-x64
10exe.ransom...41.exe
windows7-x64
10exe.ransom...41.exe
windows10-2004-x64
10exe.ransom...98.exe
windows7-x64
9exe.ransom...98.exe
windows10-2004-x64
9exe.ransom...10.exe
windows7-x64
10exe.ransom...10.exe
windows10-2004-x64
10exe.ransom...26.exe
windows7-x64
10exe.ransom...26.exe
windows10-2004-x64
10exe.ransom...E5.exe
windows7-x64
10exe.ransom...E5.exe
windows10-2004-x64
10exe.ransom...DC.exe
windows7-x64
10exe.ransom...DC.exe
windows10-2004-x64
10exe.ransom...92.exe
windows7-x64
3exe.ransom...92.exe
windows10-2004-x64
3exe.ransom...3A.exe
windows7-x64
10exe.ransom...3A.exe
windows10-2004-x64
10exe.ransom...AA.exe
windows7-x64
3exe.ransom...AA.exe
windows10-2004-x64
3exe.ransom...5C.exe
windows7-x64
10exe.ransom...5C.exe
windows10-2004-x64
10exe.ransom...A6.exe
windows7-x64
9exe.ransom...A6.exe
windows10-2004-x64
9exe.ransom...AF.exe
windows7-x64
exe.ransom...AF.exe
windows10-2004-x64
exe.ransom...11.exe
windows7-x64
10exe.ransom...11.exe
windows10-2004-x64
10Analysis
-
max time kernel
191s -
max time network
282s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2022 05:59
Behavioral task
behavioral1
Sample
exe.ransomware.babuk/00/99/96/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879/00999.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
exe.ransomware.babuk/00/99/96/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879/00999.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
exe.ransomware.babuk/00/E5/59/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F/00E55.exe
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
exe.ransomware.babuk/00/E5/59/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F/00E55.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
exe.ransomware.babuk/02/8F/AC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC/028FA.exe
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
exe.ransomware.babuk/02/8F/AC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC/028FA.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
exe.ransomware.babuk/02/94/11/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59/02941.exe
Resource
win7-20221111-en
Behavioral task
behavioral8
Sample
exe.ransomware.babuk/02/94/11/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59/02941.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E98.exe
Resource
win7-20221111-en
Behavioral task
behavioral10
Sample
exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E98.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral11
Sample
exe.ransomware.babuk/03/11/0B/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7/03110.exe
Resource
win7-20221111-en
Behavioral task
behavioral12
Sample
exe.ransomware.babuk/03/11/0B/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7/03110.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
exe.ransomware.babuk/04/12/6B/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3/04126.exe
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
exe.ransomware.babuk/04/12/6B/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3/04126.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E5.exe
Resource
win7-20220901-en
Behavioral task
behavioral16
Sample
exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E5.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
exe.ransomware.babuk/05/AD/C9/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F/05ADC.exe
Resource
win7-20220901-en
Behavioral task
behavioral18
Sample
exe.ransomware.babuk/05/AD/C9/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F/05ADC.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
exe.ransomware.babuk/08/99/29/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057/08992.exe
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
exe.ransomware.babuk/08/99/29/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057/08992.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
exe.ransomware.babuk/0B/93/A0/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F/0B93A.exe
Resource
win7-20220812-en
Behavioral task
behavioral22
Sample
exe.ransomware.babuk/0B/93/A0/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F/0B93A.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
exe.ransomware.babuk/0B/BA/AB/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23/0BBAA.exe
Resource
win7-20220812-en
Behavioral task
behavioral24
Sample
exe.ransomware.babuk/0B/BA/AB/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23/0BBAA.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C.exe
Resource
win7-20220812-en
Behavioral task
behavioral26
Sample
exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral27
Sample
exe.ransomware.babuk/0D/3A/60/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA/0D3A6.exe
Resource
win7-20220812-en
Behavioral task
behavioral28
Sample
exe.ransomware.babuk/0D/3A/60/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA/0D3A6.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
exe.ransomware.babuk/10/5A/F5/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B/105AF.exe
Resource
win7-20221111-en
Behavioral task
behavioral30
Sample
exe.ransomware.babuk/10/5A/F5/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B/105AF.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral31
Sample
exe.ransomware.babuk/10/61/18/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223/10611.exe
Resource
win7-20221111-en
Behavioral task
behavioral32
Sample
exe.ransomware.babuk/10/61/18/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223/10611.exe
Resource
win10v2004-20220812-en
General
-
Target
exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C.exe
-
Size
79KB
-
MD5
a55fa9c010416b233a1f8e63b658ecbc
-
SHA1
75a580aa9cc3f4901e229843411f6e2669256525
-
SHA256
0c55c4fb23178948e0df495158b290cce676bc93c5927e8ea57d93b3128972f5
-
SHA512
71889ebe24f6836c08db83f36f54dc53b4ef8d2d3f31a1e42e68e40eb74f6ffaa4456a3876a4dd2f7da9e4783c41c768f964d50c8da0d96748fe06257d07dacf
-
SSDEEP
1536:n6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:bhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
0C55C.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\StepMeasure.tiff.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\UnlockWrite.png.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromApprove.tiff 0C55C.exe File renamed C:\Users\Admin\Pictures\ConvertFromApprove.tiff => C:\Users\Admin\Pictures\ConvertFromApprove.tiff.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromApprove.tiff.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\FindBlock.crw.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\FormatRemove.tif => C:\Users\Admin\Pictures\FormatRemove.tif.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\UnlockWrite.png => C:\Users\Admin\Pictures\UnlockWrite.png.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\ConfirmRename.png.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\FindBlock.crw => C:\Users\Admin\Pictures\FindBlock.crw.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\FormatRemove.tif.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\SubmitConvert.raw => C:\Users\Admin\Pictures\SubmitConvert.raw.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\SubmitConvert.raw.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\ConfirmRename.png => C:\Users\Admin\Pictures\ConfirmRename.png.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\MoveReset.png.babyk 0C55C.exe File opened for modification C:\Users\Admin\Pictures\StepMeasure.tiff 0C55C.exe File opened for modification C:\Users\Admin\Pictures\ResolveCompare.raw.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\MoveReset.png => C:\Users\Admin\Pictures\MoveReset.png.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\ResolveCompare.raw => C:\Users\Admin\Pictures\ResolveCompare.raw.babyk 0C55C.exe File renamed C:\Users\Admin\Pictures\StepMeasure.tiff => C:\Users\Admin\Pictures\StepMeasure.tiff.babyk 0C55C.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0C55C.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 0C55C.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
0C55C.exedescription ioc process File opened (read-only) \??\X: 0C55C.exe File opened (read-only) \??\Q: 0C55C.exe File opened (read-only) \??\E: 0C55C.exe File opened (read-only) \??\U: 0C55C.exe File opened (read-only) \??\P: 0C55C.exe File opened (read-only) \??\S: 0C55C.exe File opened (read-only) \??\K: 0C55C.exe File opened (read-only) \??\Z: 0C55C.exe File opened (read-only) \??\M: 0C55C.exe File opened (read-only) \??\T: 0C55C.exe File opened (read-only) \??\Y: 0C55C.exe File opened (read-only) \??\I: 0C55C.exe File opened (read-only) \??\H: 0C55C.exe File opened (read-only) \??\B: 0C55C.exe File opened (read-only) \??\N: 0C55C.exe File opened (read-only) \??\A: 0C55C.exe File opened (read-only) \??\F: 0C55C.exe File opened (read-only) \??\G: 0C55C.exe File opened (read-only) \??\J: 0C55C.exe File opened (read-only) \??\V: 0C55C.exe File opened (read-only) \??\W: 0C55C.exe File opened (read-only) \??\R: 0C55C.exe File opened (read-only) \??\O: 0C55C.exe File opened (read-only) \??\L: 0C55C.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 3888 vssadmin.exe 4012 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
0C55C.exepid process 1220 0C55C.exe 1220 0C55C.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3336 vssvc.exe Token: SeRestorePrivilege 3336 vssvc.exe Token: SeAuditPrivilege 3336 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
0C55C.execmd.execmd.exedescription pid process target process PID 1220 wrote to memory of 3100 1220 0C55C.exe cmd.exe PID 1220 wrote to memory of 3100 1220 0C55C.exe cmd.exe PID 3100 wrote to memory of 3888 3100 cmd.exe vssadmin.exe PID 3100 wrote to memory of 3888 3100 cmd.exe vssadmin.exe PID 1220 wrote to memory of 4304 1220 0C55C.exe cmd.exe PID 1220 wrote to memory of 4304 1220 0C55C.exe cmd.exe PID 4304 wrote to memory of 4012 4304 cmd.exe vssadmin.exe PID 4304 wrote to memory of 4012 4304 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\0C\55\C4\0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5\0C55C.exe"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\0C\55\C4\0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5\0C55C.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4012
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3336