Analysis
-
max time kernel
96s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2022 10:27
Static task
static1
Behavioral task
behavioral1
Sample
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe
Resource
win10v2004-20220812-en
General
-
Target
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe
-
Size
79KB
-
MD5
1f6ea1848c050a59782b67d4516b03a3
-
SHA1
96d57e583a660c1ea47ba653eb3e3223e97269f7
-
SHA256
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d
-
SHA512
360fde4b699068f35044cc05641072e4715ffea21c70e80f5bb1f90cd3aa1f3f0dd1224ffcc745bf68faec70e46c684a16a6c370facb4b77539a411e690ed54a
-
SSDEEP
1536:VikWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:EBeQsmsrQLOJgY8Zp8LHD4XWaNH71dLc
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exedescription ioc process File renamed C:\Users\Admin\Pictures\GroupSet.tif => C:\Users\Admin\Pictures\GroupSet.tif.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File renamed C:\Users\Admin\Pictures\NewBlock.raw => C:\Users\Admin\Pictures\NewBlock.raw.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File renamed C:\Users\Admin\Pictures\StepEnter.tif => C:\Users\Admin\Pictures\StepEnter.tif.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened for modification C:\Users\Admin\Pictures\StepEnter.tif.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened for modification C:\Users\Admin\Pictures\CompleteCheckpoint.raw.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened for modification C:\Users\Admin\Pictures\GroupSet.tif.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened for modification C:\Users\Admin\Pictures\NewBlock.raw.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File renamed C:\Users\Admin\Pictures\ResetApprove.tif => C:\Users\Admin\Pictures\ResetApprove.tif.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened for modification C:\Users\Admin\Pictures\ResetApprove.tif.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File renamed C:\Users\Admin\Pictures\CompleteCheckpoint.raw => C:\Users\Admin\Pictures\CompleteCheckpoint.raw.babyk e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exedescription ioc process File opened (read-only) \??\I: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\O: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\P: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\H: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\N: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\E: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\Y: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\L: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\A: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\J: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\F: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\Z: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\X: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\V: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\B: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\M: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\R: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\S: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\T: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\U: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\G: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\K: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\Q: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe File opened (read-only) \??\W: e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 4952 vssadmin.exe 3736 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exepid process 4820 e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe 4820 e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 824 vssvc.exe Token: SeRestorePrivilege 824 vssvc.exe Token: SeAuditPrivilege 824 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.execmd.execmd.exedescription pid process target process PID 4820 wrote to memory of 4132 4820 e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe cmd.exe PID 4820 wrote to memory of 4132 4820 e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe cmd.exe PID 4132 wrote to memory of 4952 4132 cmd.exe vssadmin.exe PID 4132 wrote to memory of 4952 4132 cmd.exe vssadmin.exe PID 4820 wrote to memory of 4632 4820 e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe cmd.exe PID 4820 wrote to memory of 4632 4820 e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe cmd.exe PID 4632 wrote to memory of 3736 4632 cmd.exe vssadmin.exe PID 4632 wrote to memory of 3736 4632 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe"C:\Users\Admin\AppData\Local\Temp\e7e3bc426f1133900f850fadf1d087086aa4bfd853b107dfa3526bb75f12c52d.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3736
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:824