Analysis
-
max time kernel
45s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
07-12-2022 10:58
Static task
static1
Behavioral task
behavioral1
Sample
11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe
Resource
win10v2004-20221111-en
General
-
Target
11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe
-
Size
79KB
-
MD5
fe4843e07dc9b0a11223c5797052d64d
-
SHA1
f3458f864f9c96668900a133d90870ebb7f9e296
-
SHA256
11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8
-
SHA512
ec7281382d235f6a80e7ef9065b56ef845bf6d9da5ed2cdb47f8380b602ac7b5aafdd0e72a6437a704686e7a77aeec9104a7cd591e88cf04ad32657d8678422b
-
SSDEEP
1536:HMSmkWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:HMlBeQsmsrQLOJgY8Zp8LHD4XWaNH71i
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\AssertCopy.tiff 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File renamed C:\Users\Admin\Pictures\AssertCopy.tiff => C:\Users\Admin\Pictures\AssertCopy.tiff.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened for modification C:\Users\Admin\Pictures\AssertCopy.tiff.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File renamed C:\Users\Admin\Pictures\ConvertToUpdate.raw => C:\Users\Admin\Pictures\ConvertToUpdate.raw.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened for modification C:\Users\Admin\Pictures\ConvertToUpdate.raw.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File renamed C:\Users\Admin\Pictures\DisableDebug.tiff => C:\Users\Admin\Pictures\DisableDebug.tiff.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File renamed C:\Users\Admin\Pictures\RepairSet.crw => C:\Users\Admin\Pictures\RepairSet.crw.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened for modification C:\Users\Admin\Pictures\DisableDebug.tiff 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened for modification C:\Users\Admin\Pictures\DisableDebug.tiff.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened for modification C:\Users\Admin\Pictures\RepairSet.crw.babyk 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\S: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\H: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\B: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\N: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\W: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\Y: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\I: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\X: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\Q: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\E: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\J: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\F: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\G: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\K: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\L: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\V: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\T: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\O: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\P: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\M: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\R: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\U: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe File opened (read-only) \??\Z: 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 584 vssadmin.exe 2040 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1136 vssvc.exe Token: SeRestorePrivilege 1136 vssvc.exe Token: SeAuditPrivilege 1136 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1468 wrote to memory of 1116 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 27 PID 1468 wrote to memory of 1116 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 27 PID 1468 wrote to memory of 1116 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 27 PID 1468 wrote to memory of 1116 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 27 PID 1116 wrote to memory of 584 1116 cmd.exe 29 PID 1116 wrote to memory of 584 1116 cmd.exe 29 PID 1116 wrote to memory of 584 1116 cmd.exe 29 PID 1468 wrote to memory of 1888 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 33 PID 1468 wrote to memory of 1888 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 33 PID 1468 wrote to memory of 1888 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 33 PID 1468 wrote to memory of 1888 1468 11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe 33 PID 1888 wrote to memory of 2040 1888 cmd.exe 35 PID 1888 wrote to memory of 2040 1888 cmd.exe 35 PID 1888 wrote to memory of 2040 1888 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe"C:\Users\Admin\AppData\Local\Temp\11b02dab624fe46946921638718117644c3a91da72a9c9b08c7fb98965a08cd8.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:584
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2040
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136