Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 17-03-2024 01:04
Static task: static1
Behavioral task: behavioral1
  Sample: cf88599048145e4911915215a91527f4.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: cf88599048145e4911915215a91527f4.exe
  Resource: win10v2004-20231215-en
General
- Target: cf88599048145e4911915215a91527f4.exe
- Size: 1.1MB
- MD5: cf88599048145e4911915215a91527f4
- SHA1: f4ba5c7117736388c4de3442b1d6e4f84628c15d
- SHA256: 9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0
- SHA512: 254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7
- SSDEEP: 24576:tFJpkHzc3HYxhOIxYk3+cG5w1Uz4RcU96o/pkFMzs3pOqA:zkHzl+0OFO1a4RcU8o/pCMzWO
Malware Config
Signatures
- Babuk Locker
  RaaS first seen in 2021, initially called Vasa Locker.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (227) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: cf88599048145e4911915215a91527f4.exe
  File opened (read-only) by cf88599048145e4911915215a91527f4.exe (23 IoCs):
    \??\E: \??\U: \??\J: \??\N: \??\M: \??\O: \??\A: \??\G: \??\H: \??\Z: \??\X: \??\B:
    \??\Q: \??\W: \??\T: \??\Y: \??\I: \??\S: \??\V: \??\R: \??\P: \??\K: \??\L:
- Suspicious use of SetThreadContext (1 IoC)
  Processes: cf88599048145e4911915215a91527f4.exe
  description / pid / process / target process:
    PID 2340 set thread context of 2640 | 2340 | cf88599048145e4911915215a91527f4.exe | cf88599048145e4911915215a91527f4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid / process:
    2388 | vssadmin.exe
    2564 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: cf88599048145e4911915215a91527f4.exe
  pid / process:
    2640 | cf88599048145e4911915215a91527f4.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: cf88599048145e4911915215a91527f4.exe, vssvc.exe
  description / pid / process:
    Token: SeDebugPrivilege | 2340 | cf88599048145e4911915215a91527f4.exe
    Token: SeBackupPrivilege | 2904 | vssvc.exe
    Token: SeRestorePrivilege | 2904 | vssvc.exe
    Token: SeAuditPrivilege | 2904 | vssvc.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: cf88599048145e4911915215a91527f4.exe, cf88599048145e4911915215a91527f4.exe, cmd.exe, cmd.exe
  description / pid / process / target process (identical rows collapsed, repeat count in brackets):
    PID 2340 wrote to memory of 2640 | 2340 | cf88599048145e4911915215a91527f4.exe | cf88599048145e4911915215a91527f4.exe [x11]
    PID 2640 wrote to memory of 2612 | 2640 | cf88599048145e4911915215a91527f4.exe | cmd.exe [x4]
    PID 2612 wrote to memory of 2388 | 2612 | cmd.exe | vssadmin.exe [x3]
    PID 2640 wrote to memory of 2232 | 2640 | cf88599048145e4911915215a91527f4.exe | cmd.exe [x4]
    PID 2232 wrote to memory of 2564 | 2232 | cmd.exe | vssadmin.exe [x3]
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; indentation shows parent/child, depth in brackets)
- C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe (PID 2340) [1]
  command line: "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe (PID 2640) [2]
    command line: "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
    signatures: Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 2612) [3]
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 2388) [4]
        command line: vssadmin.exe delete shadows /all /quiet
        signatures: Interacts with shadow copies
    - C:\Windows\System32\cmd.exe (PID 2232) [3]
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 2564) [4]
        command line: vssadmin.exe delete shadows /all /quiet
        signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 2904) [1]
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 233B
  MD5: 715b331e31300f275b8050ab87f43600
  SHA1: 3205f66c28528831a3298be5278598d15b871297
  SHA256: 18e4c88e767b5bd0cc90b63a626d0e68e7fa5c1bca45419ed47dc94c7f085d92
  SHA512: 351077a945e166a1a45644403eaffeb25fd941db87074abe7813e55f89a5d7f49e911060779918724e55b03518b5d114e105ec35ba4f287236323573277be738