Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    17-03-2024 01:04

General

  • Target

    cf88599048145e4911915215a91527f4.exe

  • Size

    1.1MB

  • MD5

    cf88599048145e4911915215a91527f4

  • SHA1

    f4ba5c7117736388c4de3442b1d6e4f84628c15d

  • SHA256

    9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0

  • SHA512

    254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

  • SSDEEP

    24576:tFJpkHzc3HYxhOIxYk3+cG5w1Uz4RcU96o/pkFMzs3pOqA:zkHzl+0OFO1a4RcU8o/pCMzWO

Score
10/10

Malware Config

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (227) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe
    "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe
      "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2388
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\How To Restore Your Files.txt

    Filesize

    233B

    MD5

    715b331e31300f275b8050ab87f43600

    SHA1

    3205f66c28528831a3298be5278598d15b871297

    SHA256

    18e4c88e767b5bd0cc90b63a626d0e68e7fa5c1bca45419ed47dc94c7f085d92

    SHA512

    351077a945e166a1a45644403eaffeb25fd941db87074abe7813e55f89a5d7f49e911060779918724e55b03518b5d114e105ec35ba4f287236323573277be738

  • memory/2340-21-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

  • memory/2340-3-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

  • memory/2340-0-0x0000000000110000-0x000000000023A000-memory.dmp

    Filesize

    1.2MB

  • memory/2340-4-0x0000000000AF0000-0x0000000000B08000-memory.dmp

    Filesize

    96KB

  • memory/2340-1-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

  • memory/2340-6-0x0000000004E40000-0x0000000004E80000-memory.dmp

    Filesize

    256KB

  • memory/2340-7-0x0000000004E40000-0x0000000004E80000-memory.dmp

    Filesize

    256KB

  • memory/2340-2-0x0000000004E40000-0x0000000004E80000-memory.dmp

    Filesize

    256KB

  • memory/2340-9-0x00000000021E0000-0x0000000002216000-memory.dmp

    Filesize

    216KB

  • memory/2340-8-0x0000000008610000-0x00000000086B2000-memory.dmp

    Filesize

    648KB

  • memory/2340-5-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

  • memory/2640-15-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-20-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-11-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-10-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2640-18-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-14-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-12-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-22-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-23-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-13-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-350-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-366-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2640-382-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB