Overview

overview

10

Static

static

10

2024-03-14...er.exe

windows7-x64

10

2024-03-14...er.exe

windows10-2004-x64

10

Resubmissions

14-03-2024 08:31

240314-ke728afa2x 10

14-03-2024 08:26

240314-kb8vcaha74 10

Analysis

  • max time kernel
    172s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2024 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe

  • Size

    80KB

  • MD5

    13616e15e6e161bf2c187d4ccff0a74a

  • SHA1

    5dc358621f84c54e25a5127e6c75873b302878c0

  • SHA256

    c16db5977b4fc0999e81d73641a520b05384431102acc29a3976b47bbad97751

  • SHA512

    e65ec8a0258f0046801e84785355c379aaf375b05bf0759bb49d8a89fc289a1ff446d978842f03de96aa76eb07484c92bcf9e7118665f2c2ffc60384c078e41e

  • SSDEEP

    1536:nc2hl9N/IolKfGsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG24m:nc2N/4usrQLOJgY8Zp8LHD4XWaNH71dc

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\Recovery\readme_for_unlock.txt

Ransom Note
!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale. What you will face if your data gets on the black market: 1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores. 2) You may be sued by clients of your company for leaking information that was confidential. 3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify. 4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. 5) You will forever lose the reputation. 6) You will be subject to huge fines from the government. You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/ Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse. You can get out of this situation with minimal losses To do this you must strictly observe the following rules: DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it may also DAMAGE files. DO NOT Shutdown or Reboot the system this may DAMAGE files. DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations. Instructions for contacting our team: Download & Install TOR browser: https://torproject.org For contact us via LIVE CHAT open our > Website: http://s4xpejatghnopeieoqvjqsnfl576jekizgmw52s7ydth6wgyi2wh2gid.onion > Login: CLIENT > Password: SmZo633AIrS6d8p3qA9c If Tor is restricted in your area, use VPN�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
URLs

https://gdpr-info.eu/

http://s4xpejatghnopeieoqvjqsnfl576jekizgmw52s7ydth6wgyi2wh2gid.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (1447) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-14_13616e15e6e161bf2c187d4ccff0a74a_babuk_destroyer.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1044
      2⤵
      • Program crash
      PID:436
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
    1⤵
      PID:4264

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\readme_for_unlock.txt
      Filesize

      2KB

      MD5

      405c5458425f5bdb2cc6ca2351ba883f

      SHA1

      4f8890c8ee0ea19a7c8986073d78e6dbf396b59c

      SHA256

      fc9dddc880f6b0dd15957f82df4468ae63dbaf67542372357ba7a992ff426a46

      SHA512

      21c5539122414dca1dafe6ad65122c5296514edbe528414e4871e04eaa9390c890dbaa6fb3bb794455da095fc24390c708527c2eb81a230b551d0527bb419402

      Download Submit