Analysis
-
max time kernel
96s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
07-12-2022 10:27
General
-
Target
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe
-
Size
79KB
-
MD5
1f6ea1848c050a59782b67d4516b03a3
-
SHA1
96d57e583a660c1ea47ba653eb3e3223e97269f7
-
SHA256
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d
-
SHA512
360fde4b699068f35044cc05641072e4715ffea21c70e80f5bb1f90cd3aa1f3f0dd1224ffcc745bf68faec70e46c684a16a6c370facb4b77539a411e690ed54a
-
SSDEEP
1536:VikWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:EBeQsmsrQLOJgY8Zp8LHD4XWaNH71dLc
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe"C:\Users\Admin\AppData\Local\Temp\e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3736-135-0x0000000000000000-mapping.dmp
-
memory/4132-132-0x0000000000000000-mapping.dmp
-
memory/4632-134-0x0000000000000000-mapping.dmp
-
memory/4952-133-0x0000000000000000-mapping.dmp