Overview
overview
10Static
static
3builder.exe
windows7-x64
1builder.exe
windows10-1703-x64
1builder.exe
ubuntu-20.04-amd64
d_esxi.out
windows7-x64
3d_esxi.out
windows10-1703-x64
3d_esxi.out
ubuntu-20.04-amd64
1d_nas_arm.out
windows7-x64
3d_nas_arm.out
windows10-1703-x64
3d_nas_arm.out
ubuntu-20.04-amd64
d_nas_x86.out
windows7-x64
3d_nas_x86.out
windows10-1703-x64
3d_nas_x86.out
ubuntu-20.04-amd64
3d_win.exe
windows7-x64
6d_win.exe
windows10-1703-x64
3d_win.exe
ubuntu-20.04-amd64
e_esxi.out
windows7-x64
3e_esxi.out
windows10-1703-x64
3e_esxi.out
ubuntu-20.04-amd64
1e_nas_arm.out
windows7-x64
3e_nas_arm.out
windows10-1703-x64
3e_nas_arm.out
ubuntu-20.04-amd64
e_nas_x86.out
windows7-x64
3e_nas_x86.out
windows10-1703-x64
3e_nas_x86.out
ubuntu-20.04-amd64
3e_win.exe
windows7-x64
10e_win.exe
windows10-1703-x64
10e_win.exe
ubuntu-20.04-amd64
Resubmissions
21-02-2024 19:59
240221-yqmsbafb69 1027-02-2023 15:10
230227-sj843seb89 127-06-2021 20:55
210627-2nsmat5hex 10Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
21-02-2024 19:59
Static task
static1
Behavioral task
behavioral1
Sample
builder.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
builder.exe
Resource
win10-20240221-en
Behavioral task
behavioral3
Sample
builder.exe
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral4
Sample
d_esxi.out
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
d_esxi.out
Resource
win10-20240221-en
Behavioral task
behavioral6
Sample
d_esxi.out
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral7
Sample
d_nas_arm.out
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
d_nas_arm.out
Resource
win10-20240221-en
Behavioral task
behavioral9
Sample
d_nas_arm.out
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral10
Sample
d_nas_x86.out
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
d_nas_x86.out
Resource
win10-20240221-en
Behavioral task
behavioral12
Sample
d_nas_x86.out
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral13
Sample
d_win.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
d_win.exe
Resource
win10-20240214-en
Behavioral task
behavioral15
Sample
d_win.exe
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral16
Sample
e_esxi.out
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
e_esxi.out
Resource
win10-20240221-en
Behavioral task
behavioral18
Sample
e_esxi.out
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral19
Sample
e_nas_arm.out
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
e_nas_arm.out
Resource
win10-20240221-en
Behavioral task
behavioral21
Sample
e_nas_arm.out
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral22
Sample
e_nas_x86.out
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
e_nas_x86.out
Resource
win10-20240221-en
Behavioral task
behavioral24
Sample
e_nas_x86.out
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral25
Sample
e_win.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
e_win.exe
Resource
win10-20240221-en
Behavioral task
behavioral27
Sample
e_win.exe
Resource
ubuntu2004-amd64-20240221-en
General
-
Target
e_win.exe
-
Size
79KB
-
MD5
e5adc80639046a5c69bcfeee458e0833
-
SHA1
d9e3f9edda5df290b5be6fb1d335b750dd7c6758
-
SHA256
ea95f131bd9b49104d9e7ae83335254549ded9d71d557c6e4746740aecca2c85
-
SHA512
c11a24e14ba5fa2b0e2c2b544dd4218ce4c8caae3db7cebd5b0305223f96bde09c9bd237cb8d32768f30118f7be73240971e772f7a89db7c0fba5c6105107e3a
-
SSDEEP
1536:H6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:7hZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e_win.exedescription ioc process File opened (read-only) \??\Q: e_win.exe File opened (read-only) \??\Y: e_win.exe File opened (read-only) \??\A: e_win.exe File opened (read-only) \??\H: e_win.exe File opened (read-only) \??\Z: e_win.exe File opened (read-only) \??\W: e_win.exe File opened (read-only) \??\I: e_win.exe File opened (read-only) \??\L: e_win.exe File opened (read-only) \??\X: e_win.exe File opened (read-only) \??\U: e_win.exe File opened (read-only) \??\O: e_win.exe File opened (read-only) \??\P: e_win.exe File opened (read-only) \??\G: e_win.exe File opened (read-only) \??\J: e_win.exe File opened (read-only) \??\B: e_win.exe File opened (read-only) \??\N: e_win.exe File opened (read-only) \??\M: e_win.exe File opened (read-only) \??\E: e_win.exe File opened (read-only) \??\R: e_win.exe File opened (read-only) \??\T: e_win.exe File opened (read-only) \??\S: e_win.exe File opened (read-only) \??\K: e_win.exe File opened (read-only) \??\V: e_win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 2604 vssadmin.exe 2816 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
e_win.exepid process 1652 e_win.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1648 vssvc.exe Token: SeRestorePrivilege 1648 vssvc.exe Token: SeAuditPrivilege 1648 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
e_win.execmd.execmd.exedescription pid process target process PID 1652 wrote to memory of 2136 1652 e_win.exe cmd.exe PID 1652 wrote to memory of 2136 1652 e_win.exe cmd.exe PID 1652 wrote to memory of 2136 1652 e_win.exe cmd.exe PID 1652 wrote to memory of 2136 1652 e_win.exe cmd.exe PID 2136 wrote to memory of 2604 2136 cmd.exe vssadmin.exe PID 2136 wrote to memory of 2604 2136 cmd.exe vssadmin.exe PID 2136 wrote to memory of 2604 2136 cmd.exe vssadmin.exe PID 1652 wrote to memory of 2948 1652 e_win.exe cmd.exe PID 1652 wrote to memory of 2948 1652 e_win.exe cmd.exe PID 1652 wrote to memory of 2948 1652 e_win.exe cmd.exe PID 1652 wrote to memory of 2948 1652 e_win.exe cmd.exe PID 2948 wrote to memory of 2816 2948 cmd.exe vssadmin.exe PID 2948 wrote to memory of 2816 2948 cmd.exe vssadmin.exe PID 2948 wrote to memory of 2816 2948 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e_win.exe"C:\Users\Admin\AppData\Local\Temp\e_win.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2816
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD52af817219bb1d24a11ab839b9453b5f3
SHA1f9ff9075f9472c41aeb93df2e439fe624dc143b0
SHA2566a16454cad4534d51025f65277abaec0ff4a30082840154a35889445bb3ad0a0
SHA512d443e149d8b097cc64b0bbbf65e3d660de43943a4b36ac4c41bfbdfe814fb895d7ba97128aa1235b85d2292b79afc451fbcb89cc6a56d33ecff7d93e18a15c30