Overview

overview

10

Static

static

3

cf88599048...f4.exe

windows7-x64

10

cf88599048...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-03-2024 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf88599048145e4911915215a91527f4.exe

  • Size

    1.1MB

  • MD5

    cf88599048145e4911915215a91527f4

  • SHA1

    f4ba5c7117736388c4de3442b1d6e4f84628c15d

  • SHA256

    9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0

  • SHA512

    254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

  • SSDEEP

    24576:tFJpkHzc3HYxhOIxYk3+cG5w1Uz4RcU96o/pkFMzs3pOqA:zkHzl+0OFO1a4RcU8o/pCMzWO

Score
10/10
babukransomware

Malware Config

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (199) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe
    "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe
      "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
      2⤵
        PID:3096
      • C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe
        "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
        2⤵
          PID:1048
        • C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe
          "C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"
          2⤵
          • Checks computer location settings
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4292
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:2592
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3592
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:3680
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4440

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\WindowsRE\How To Restore Your Files.txt
        Filesize

        233B

        MD5

        715b331e31300f275b8050ab87f43600

        SHA1

        3205f66c28528831a3298be5278598d15b871297

        SHA256

        18e4c88e767b5bd0cc90b63a626d0e68e7fa5c1bca45419ed47dc94c7f085d92

        SHA512

        351077a945e166a1a45644403eaffeb25fd941db87074abe7813e55f89a5d7f49e911060779918724e55b03518b5d114e105ec35ba4f287236323573277be738

        Download Submit

      • memory/1468-13-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1468-331-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1468-315-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1468-19-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1468-17-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1468-16-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1704-2-0x0000000006010000-0x00000000065B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1704-6-0x00000000058D0000-0x00000000058D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-9-0x0000000075160000-0x0000000075910000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1704-10-0x0000000005950000-0x0000000005960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1704-11-0x0000000009110000-0x00000000091B2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/1704-12-0x000000000B8A0000-0x000000000B8D6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1704-7-0x0000000005A20000-0x0000000005A2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1704-8-0x0000000008DE0000-0x0000000008DF8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1704-1-0x0000000075160000-0x0000000075910000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1704-18-0x0000000075160000-0x0000000075910000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1704-4-0x0000000005B00000-0x0000000005B9C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1704-5-0x0000000005950000-0x0000000005960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1704-3-0x0000000005960000-0x00000000059F2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1704-0-0x0000000000E10000-0x0000000000F3A000-memory.dmp

        Filesize

        1.2MB

        Download