Analysis
-
max time kernel
94s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
10-03-2023 19:01
Static task
static1
Behavioral task
behavioral1
Sample
e_win.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
e_win.exe
Resource
win10v2004-20230220-en
General
-
Target
e_win.exe
-
Size
79KB
-
MD5
3c070554f9b588ac31e317be5d5f5120
-
SHA1
43ff7548df9f8597a4a0e8af82fb75ad622f6750
-
SHA256
10843ab4b6e4c9592a31a72bc5f7ccfa48fd365e6fba1b100319f40125f8da6f
-
SHA512
9eab16bd98efdb908902bc7303962dfa645248c411a407234ba03c7bd75cd8909cd41902e4a50847677d6e42c20a10e98cbb0d57f31a11f60d3eb05936ab334b
-
SSDEEP
1536:m6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:ghZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\WaitMeasure.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\ImportAdd.raw => C:\Users\Admin\Pictures\ImportAdd.raw.babyk e_win.exe File renamed C:\Users\Admin\Pictures\ResolveRedo.tif => C:\Users\Admin\Pictures\ResolveRedo.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\WaitMeasure.tif => C:\Users\Admin\Pictures\WaitMeasure.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\ResizeDisable.png => C:\Users\Admin\Pictures\ResizeDisable.png.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\ResolveRedo.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\LockApprove.tif => C:\Users\Admin\Pictures\LockApprove.tif.babyk e_win.exe File renamed C:\Users\Admin\Pictures\RevokeRename.png => C:\Users\Admin\Pictures\RevokeRename.png.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\LockApprove.tif.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\ResizeDisable.png.babyk e_win.exe File renamed C:\Users\Admin\Pictures\CheckpointSend.raw => C:\Users\Admin\Pictures\CheckpointSend.raw.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\CheckpointSend.raw.babyk e_win.exe File renamed C:\Users\Admin\Pictures\CopyConfirm.crw => C:\Users\Admin\Pictures\CopyConfirm.crw.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\CopyConfirm.crw.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\ImportAdd.raw.babyk e_win.exe File opened for modification C:\Users\Admin\Pictures\RevokeRename.png.babyk e_win.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation e_win.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: e_win.exe File opened (read-only) \??\E: e_win.exe File opened (read-only) \??\O: e_win.exe File opened (read-only) \??\G: e_win.exe File opened (read-only) \??\Z: e_win.exe File opened (read-only) \??\B: e_win.exe File opened (read-only) \??\R: e_win.exe File opened (read-only) \??\U: e_win.exe File opened (read-only) \??\P: e_win.exe File opened (read-only) \??\F: e_win.exe File opened (read-only) \??\J: e_win.exe File opened (read-only) \??\X: e_win.exe File opened (read-only) \??\T: e_win.exe File opened (read-only) \??\A: e_win.exe File opened (read-only) \??\K: e_win.exe File opened (read-only) \??\N: e_win.exe File opened (read-only) \??\M: e_win.exe File opened (read-only) \??\W: e_win.exe File opened (read-only) \??\Y: e_win.exe File opened (read-only) \??\I: e_win.exe File opened (read-only) \??\S: e_win.exe File opened (read-only) \??\H: e_win.exe File opened (read-only) \??\L: e_win.exe File opened (read-only) \??\V: e_win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4696 vssadmin.exe 1276 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3440 e_win.exe 3440 e_win.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 3416 vssvc.exe Token: SeRestorePrivilege 3416 vssvc.exe Token: SeAuditPrivilege 3416 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3440 wrote to memory of 2324 3440 e_win.exe 85 PID 3440 wrote to memory of 2324 3440 e_win.exe 85 PID 2324 wrote to memory of 4696 2324 cmd.exe 88 PID 2324 wrote to memory of 4696 2324 cmd.exe 88 PID 3440 wrote to memory of 2076 3440 e_win.exe 91 PID 3440 wrote to memory of 2076 3440 e_win.exe 91 PID 2076 wrote to memory of 1276 2076 cmd.exe 93 PID 2076 wrote to memory of 1276 2076 cmd.exe 93 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e_win.exe"C:\Users\Admin\AppData\Local\Temp\e_win.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1276
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD51cb251ec0d568de6a929b520c4aed8d1
SHA1372ea08cab33e71c02c651dbc83a474d32c676ea
SHA256982d9e3eb996f559e633f4d194def3761d909f5a3b647d1a851fead67c32c9d1
SHA512eaf2c12742cb8c161bcbd84b032b9bb98999a23282542672ca01cc6edd268f7dce9987ad6b2bc79305634f89d90b90102bcd59a57e7135b8e3ceb93c0597117b