Analysis
-
max time kernel
53s -
max time network
54s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
01-12-2022 05:59
General
-
Target
exe.ransomware.babuk/00/E5/59/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F/00E55.exe
-
Size
79KB
-
MD5
e9fca248189c7cf66e7b6471713b0f98
-
SHA1
a17d9d6dbb4fda3aa7bd4600d0fef75cc9a8a405
-
SHA256
00e559a406f5d78514ada50fe573374d78fcc5c12c6d443d07311131b2542e2f
-
SHA512
460c32147156d63160a51a7710be9bd4c1bcea944a54c0fe57adc05911377ef922e3d9e2c9a310d664c2c20d683454cc5984395649e47ec6a2033d6d15ab900d
-
SSDEEP
1536:r6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:vhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 15 IoCs
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\00\E5\59\00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F\00E55.exe"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\00\E5\59\00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F\00E55.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/764-56-0x0000000000000000-mapping.dmp
-
memory/812-55-0x0000000000000000-mapping.dmp
-
memory/1524-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmpFilesize
8KB
-
memory/1948-58-0x0000000000000000-mapping.dmp
-
memory/2028-57-0x0000000000000000-mapping.dmp