Analysis
-
max time kernel
113s -
max time network
234s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-12-2022 05:59
General
-
Target
exe.ransomware.babuk/0D/3A/60/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA/0D3A6.exe
-
Size
78KB
-
MD5
754f324349f65108552dab958549739a
-
SHA1
02b05c57c37e3a1abb4e6f06a0c53af24013cfa0
-
SHA256
0d3a60c89463ac1e39fa7cff05f7ab365b32096e89f49000f26ecdd1d542d5ea
-
SHA512
4f03387bd3473dc70854647efb8876ed487e3e8aa0c00729cc25c2cebeb75adf394f7f3cb78b8c7970132bce12c913c4d51d1cd841dfbeeacf968c58ec866c84
-
SSDEEP
1536:J1kWBeGcADE6fsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2EMfq:5Bek5fsrQLOJgY8Zp8LHD4XWaNH71dLM
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\0D\3A\60\0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA\0D3A6.exe"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\0D\3A\60\0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA\0D3A6.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
-
-
-