babuk | 65813aa45df5c32fbeafd976881ad119d1b9e3b7dfe4e632e236b2a4dcac9c47

General

Target

2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
Size

79KB
MD5

239379865eecbe894b9dfa3623a11878
SHA1

bb834c9401ea34b8423530b84094a558e824a650
SHA256

65813aa45df5c32fbeafd976881ad119d1b9e3b7dfe4e632e236b2a4dcac9c47
SHA512

42b560f3391202c4dfc440d82805d452d71f3a5746bd58ffef01f15dc0fc7bd5637e564929de0baf4d867633b44b25944bc711ec49e987f4002125d6cc6732ed
SSDEEP

1536:k6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:2hZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

Score

10^/10

babuk ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe

description	ioc	process
File opened (read-only)	\??\Q:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\I:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\S:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\J:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\W:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\R:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\Y:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\A:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\Z:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\X:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\B:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\M:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\E:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\T:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\U:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\P:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\G:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\H:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\L:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\V:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\O:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\K:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
File opened (read-only)	\??\N:	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2624 vssadmin.exe
2084 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe

pid process

2028 2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2820 vssvc.exe
Token: SeRestorePrivilege 2820 vssvc.exe
Token: SeAuditPrivilege 2820 vssvc.exe

pid	process
2624	vssadmin.exe
2084	vssadmin.exe

pid	process
2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe

description	pid	process
Token: SeBackupPrivilege	2820	vssvc.exe
Token: SeRestorePrivilege	2820	vssvc.exe
Token: SeAuditPrivilege	2820	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.execmd.execmd.exe

description	pid	process	target process
PID 2028 wrote to memory of 1732	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 2028 wrote to memory of 1732	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 2028 wrote to memory of 1732	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 2028 wrote to memory of 1732	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 1732 wrote to memory of 2624	1732	cmd.exe	vssadmin.exe
PID 1732 wrote to memory of 2624	1732	cmd.exe	vssadmin.exe
PID 1732 wrote to memory of 2624	1732	cmd.exe	vssadmin.exe
PID 2028 wrote to memory of 384	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 2028 wrote to memory of 384	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 2028 wrote to memory of 384	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 2028 wrote to memory of 384	2028	2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe	cmd.exe
PID 384 wrote to memory of 2084	384	cmd.exe	vssadmin.exe
PID 384 wrote to memory of 2084	384	cmd.exe	vssadmin.exe
PID 384 wrote to memory of 2084	384	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-16_239379865eecbe894b9dfa3623a11878_babuk_destroyer.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\How To Restore Your Files.txt

Filesize
416B

MD5
be6ff0c888b03ae7be25a9cd40d25ec4

SHA1
f81998b65f6ebbd9d53e86c97212476b99481c13

SHA256
ffb8aae1f157ca72e7a3a861e8f7750f42ce675110fa857f1a628ec622b9d930

SHA512
32c36045fef6b4e0246a67313a79d20c1417fbea72194ffb21ae632849015ca00bb5cf56ee64291a9d810195c17d279173165629e06522ba6ba6c802983eb4d5

Download Submit

Analysis

Sharing