babuk | ff78e9706891818a3db5ef3f46f107250f59bff43276d72e77eb4ec9d26e0e66

General

Target

2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
Size

79KB
MD5

dde253fbf823011af1961649e16e218c
SHA1

a725eac8b1e7487078dd79bac03b635fb658a511
SHA256

ff78e9706891818a3db5ef3f46f107250f59bff43276d72e77eb4ec9d26e0e66
SHA512

27f50866d9bd67b5859d0d7589a996b0ef0d131dea54b62d4e34c71200751739cba64257fe4cdc15ca86f52e3e017172b95b3290a1b6b76cb38c7ee46e5f9b77
SSDEEP

1536:UmkWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:HBeQsmsrQLOJgY8Zp8LHD4XWaNH71dLc

Score

10^/10

babuk ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe

description	ioc	process
File opened (read-only)	\??\Q:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\U:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\K:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\Z:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\B:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\N:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\W:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\T:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\H:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\J:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\X:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\V:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\M:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\O:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\P:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\A:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\G:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\S:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\L:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\E:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\R:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\Y:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
File opened (read-only)	\??\I:	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2732 vssadmin.exe
872 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe

pid process

1872 2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2572 vssvc.exe
Token: SeRestorePrivilege 2572 vssvc.exe
Token: SeAuditPrivilege 2572 vssvc.exe

pid	process
2732	vssadmin.exe
872	vssadmin.exe

pid	process
1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe

description	pid	process
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.execmd.execmd.exe

description	pid	process	target process
PID 1872 wrote to memory of 2288	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 1872 wrote to memory of 2288	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 1872 wrote to memory of 2288	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 1872 wrote to memory of 2288	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 2288 wrote to memory of 2732	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2732	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2732	2288	cmd.exe	vssadmin.exe
PID 1872 wrote to memory of 2392	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 1872 wrote to memory of 2392	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 1872 wrote to memory of 2392	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 1872 wrote to memory of 2392	1872	2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe	cmd.exe
PID 2392 wrote to memory of 872	2392	cmd.exe	vssadmin.exe
PID 2392 wrote to memory of 872	2392	cmd.exe	vssadmin.exe
PID 2392 wrote to memory of 872	2392	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-30_dde253fbf823011af1961649e16e218c_babuk_destroyer.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\How To Restore Your Files.txt

Filesize
143B

MD5
4412c9256c586536fe50e4e597e3e17c

SHA1
63fb5a15306c6322feb227aa8a5fbdce5e38ef1c

SHA256
2c8b4cf863cf122558b64a47c47179312012ffcc84bc9176bebe031fb47b4648

SHA512
298283dd3ec47888b80ccaeecd33d9c386a2b2af1bd01ea74142a970c6bfd3e9fdc1258f2ee4bdfbb68914103482a3e07f5b4e8f9d50abeda6ba3f65c35eda63

Download Submit

Analysis

Sharing