Overview
overview
10Static
static
10exe.ransom...99.exe
windows7-x64
9exe.ransom...99.exe
windows10-2004-x64
9exe.ransom...55.exe
windows7-x64
10exe.ransom...55.exe
windows10-2004-x64
10exe.ransom...FA.exe
windows7-x64
10exe.ransom...FA.exe
windows10-2004-x64
10exe.ransom...41.exe
windows7-x64
10exe.ransom...41.exe
windows10-2004-x64
10exe.ransom...98.exe
windows7-x64
9exe.ransom...98.exe
windows10-2004-x64
9exe.ransom...10.exe
windows7-x64
10exe.ransom...10.exe
windows10-2004-x64
10exe.ransom...26.exe
windows7-x64
10exe.ransom...26.exe
windows10-2004-x64
10exe.ransom...E5.exe
windows7-x64
10exe.ransom...E5.exe
windows10-2004-x64
10exe.ransom...DC.exe
windows7-x64
10exe.ransom...DC.exe
windows10-2004-x64
10exe.ransom...92.exe
windows7-x64
3exe.ransom...92.exe
windows10-2004-x64
3exe.ransom...3A.exe
windows7-x64
10exe.ransom...3A.exe
windows10-2004-x64
10exe.ransom...AA.exe
windows7-x64
3exe.ransom...AA.exe
windows10-2004-x64
3exe.ransom...5C.exe
windows7-x64
10exe.ransom...5C.exe
windows10-2004-x64
10exe.ransom...A6.exe
windows7-x64
9exe.ransom...A6.exe
windows10-2004-x64
9exe.ransom...AF.exe
windows7-x64
exe.ransom...AF.exe
windows10-2004-x64
exe.ransom...11.exe
windows7-x64
10exe.ransom...11.exe
windows10-2004-x64
10Analysis
-
max time kernel
225s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
01-12-2022 05:59
Behavioral task
behavioral1
Sample
exe.ransomware.babuk/00/99/96/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879/00999.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
exe.ransomware.babuk/00/99/96/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879/00999.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
exe.ransomware.babuk/00/E5/59/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F/00E55.exe
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
exe.ransomware.babuk/00/E5/59/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F/00E55.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
exe.ransomware.babuk/02/8F/AC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC/028FA.exe
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
exe.ransomware.babuk/02/8F/AC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC/028FA.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
exe.ransomware.babuk/02/94/11/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59/02941.exe
Resource
win7-20221111-en
Behavioral task
behavioral8
Sample
exe.ransomware.babuk/02/94/11/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59/02941.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E98.exe
Resource
win7-20221111-en
Behavioral task
behavioral10
Sample
exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E98.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral11
Sample
exe.ransomware.babuk/03/11/0B/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7/03110.exe
Resource
win7-20221111-en
Behavioral task
behavioral12
Sample
exe.ransomware.babuk/03/11/0B/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7/03110.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
exe.ransomware.babuk/04/12/6B/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3/04126.exe
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
exe.ransomware.babuk/04/12/6B/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3/04126.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E5.exe
Resource
win7-20220901-en
Behavioral task
behavioral16
Sample
exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E5.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
exe.ransomware.babuk/05/AD/C9/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F/05ADC.exe
Resource
win7-20220901-en
Behavioral task
behavioral18
Sample
exe.ransomware.babuk/05/AD/C9/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F/05ADC.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
exe.ransomware.babuk/08/99/29/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057/08992.exe
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
exe.ransomware.babuk/08/99/29/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057/08992.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
exe.ransomware.babuk/0B/93/A0/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F/0B93A.exe
Resource
win7-20220812-en
Behavioral task
behavioral22
Sample
exe.ransomware.babuk/0B/93/A0/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F/0B93A.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
exe.ransomware.babuk/0B/BA/AB/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23/0BBAA.exe
Resource
win7-20220812-en
Behavioral task
behavioral24
Sample
exe.ransomware.babuk/0B/BA/AB/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23/0BBAA.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C.exe
Resource
win7-20220812-en
Behavioral task
behavioral26
Sample
exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral27
Sample
exe.ransomware.babuk/0D/3A/60/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA/0D3A6.exe
Resource
win7-20220812-en
Behavioral task
behavioral28
Sample
exe.ransomware.babuk/0D/3A/60/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA/0D3A6.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
exe.ransomware.babuk/10/5A/F5/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B/105AF.exe
Resource
win7-20221111-en
Behavioral task
behavioral30
Sample
exe.ransomware.babuk/10/5A/F5/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B/105AF.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral31
Sample
exe.ransomware.babuk/10/61/18/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223/10611.exe
Resource
win7-20221111-en
Behavioral task
behavioral32
Sample
exe.ransomware.babuk/10/61/18/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223/10611.exe
Resource
win10v2004-20220812-en
General
-
Target
exe.ransomware.babuk/10/61/18/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223/10611.exe
-
Size
78KB
-
MD5
b43e8b865d3339eeb8b8b11f900f6c89
-
SHA1
52538e17d4dc85c22f6a01acbbc8caa7447a50b0
-
SHA256
106118444e0a7405c13531f8cd70191f36356581d58789dfc5df3da7ba0f9223
-
SHA512
cc31cbf27ab26bd026c6a92af518ecf5fdaf32c1607813c192fb080de2f8ed54b8f9b360c14f885db5ffd65ea99c013a36109e2e7c5c813f451eb3865f1c9ae0
-
SSDEEP
1536:8LhkWBeG/LEOSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:UBe8dSsrQLOJgY8Zp8LHD4XWaNH71dLT
Malware Config
Extracted
C:\Help Restore Your Files.txt
3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
10611.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\EnterRevoke.raw.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\GroupSave.tiff.delta 10611.exe File renamed C:\Users\Admin\Pictures\SwitchConvertFrom.raw => C:\Users\Admin\Pictures\SwitchConvertFrom.raw.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\SwitchConvertFrom.raw.delta 10611.exe File renamed C:\Users\Admin\Pictures\UninstallWait.raw => C:\Users\Admin\Pictures\UninstallWait.raw.delta 10611.exe File renamed C:\Users\Admin\Pictures\DebugPing.crw => C:\Users\Admin\Pictures\DebugPing.crw.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\DebugPing.crw.delta 10611.exe File renamed C:\Users\Admin\Pictures\EnterRevoke.raw => C:\Users\Admin\Pictures\EnterRevoke.raw.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\FindShow.png.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\SkipUnpublish.tiff 10611.exe File opened for modification C:\Users\Admin\Pictures\ShowEdit.raw.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\SearchConvert.png.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\UninstallWait.raw.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\GroupSave.tiff 10611.exe File renamed C:\Users\Admin\Pictures\FindShow.png => C:\Users\Admin\Pictures\FindShow.png.delta 10611.exe File renamed C:\Users\Admin\Pictures\GroupSave.tiff => C:\Users\Admin\Pictures\GroupSave.tiff.delta 10611.exe File renamed C:\Users\Admin\Pictures\ShowEdit.raw => C:\Users\Admin\Pictures\ShowEdit.raw.delta 10611.exe File renamed C:\Users\Admin\Pictures\SearchConvert.png => C:\Users\Admin\Pictures\SearchConvert.png.delta 10611.exe File renamed C:\Users\Admin\Pictures\SkipUnpublish.tiff => C:\Users\Admin\Pictures\SkipUnpublish.tiff.delta 10611.exe File opened for modification C:\Users\Admin\Pictures\SkipUnpublish.tiff.delta 10611.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
10611.exedescription ioc process File opened (read-only) \??\J: 10611.exe File opened (read-only) \??\L: 10611.exe File opened (read-only) \??\V: 10611.exe File opened (read-only) \??\N: 10611.exe File opened (read-only) \??\O: 10611.exe File opened (read-only) \??\S: 10611.exe File opened (read-only) \??\H: 10611.exe File opened (read-only) \??\G: 10611.exe File opened (read-only) \??\K: 10611.exe File opened (read-only) \??\X: 10611.exe File opened (read-only) \??\B: 10611.exe File opened (read-only) \??\Y: 10611.exe File opened (read-only) \??\P: 10611.exe File opened (read-only) \??\F: 10611.exe File opened (read-only) \??\R: 10611.exe File opened (read-only) \??\T: 10611.exe File opened (read-only) \??\U: 10611.exe File opened (read-only) \??\A: 10611.exe File opened (read-only) \??\Q: 10611.exe File opened (read-only) \??\W: 10611.exe File opened (read-only) \??\E: 10611.exe File opened (read-only) \??\I: 10611.exe File opened (read-only) \??\Z: 10611.exe File opened (read-only) \??\M: 10611.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 564 vssadmin.exe 1712 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
10611.exepid process 268 10611.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1920 vssvc.exe Token: SeRestorePrivilege 1920 vssvc.exe Token: SeAuditPrivilege 1920 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
10611.execmd.execmd.exedescription pid process target process PID 268 wrote to memory of 1268 268 10611.exe cmd.exe PID 268 wrote to memory of 1268 268 10611.exe cmd.exe PID 268 wrote to memory of 1268 268 10611.exe cmd.exe PID 268 wrote to memory of 1268 268 10611.exe cmd.exe PID 1268 wrote to memory of 564 1268 cmd.exe vssadmin.exe PID 1268 wrote to memory of 564 1268 cmd.exe vssadmin.exe PID 1268 wrote to memory of 564 1268 cmd.exe vssadmin.exe PID 268 wrote to memory of 2040 268 10611.exe cmd.exe PID 268 wrote to memory of 2040 268 10611.exe cmd.exe PID 268 wrote to memory of 2040 268 10611.exe cmd.exe PID 268 wrote to memory of 2040 268 10611.exe cmd.exe PID 2040 wrote to memory of 1712 2040 cmd.exe vssadmin.exe PID 2040 wrote to memory of 1712 2040 cmd.exe vssadmin.exe PID 2040 wrote to memory of 1712 2040 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\10\61\18\106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223\10611.exe"C:\Users\Admin\AppData\Local\Temp\exe.ransomware.babuk\10\61\18\106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223\10611.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1712
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920