Analysis
-
max time kernel
92s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
17-03-2024 01:04
Static task
static1
Behavioral task
behavioral1
Sample
cf88599048145e4911915215a91527f4.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
cf88599048145e4911915215a91527f4.exe
Resource
win10v2004-20231215-en
General
-
Target
cf88599048145e4911915215a91527f4.exe
-
Size
1.1MB
-
MD5
cf88599048145e4911915215a91527f4
-
SHA1
f4ba5c7117736388c4de3442b1d6e4f84628c15d
-
SHA256
9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0
-
SHA512
254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7
-
SSDEEP
24576:tFJpkHzc3HYxhOIxYk3+cG5w1Uz4RcU96o/pkFMzs3pOqA:zkHzl+0OFO1a4RcU8o/pCMzWO
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation cf88599048145e4911915215a91527f4.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\K: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\L: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\B: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\W: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\E: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\U: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\G: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\M: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\T: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\I: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\P: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\Z: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\V: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\Q: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\A: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\S: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\X: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\N: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\R: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\Y: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\O: cf88599048145e4911915215a91527f4.exe File opened (read-only) \??\H: cf88599048145e4911915215a91527f4.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1704 set thread context of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2592 vssadmin.exe 3680 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1704 cf88599048145e4911915215a91527f4.exe 1704 cf88599048145e4911915215a91527f4.exe 1704 cf88599048145e4911915215a91527f4.exe 1704 cf88599048145e4911915215a91527f4.exe 1468 cf88599048145e4911915215a91527f4.exe 1468 cf88599048145e4911915215a91527f4.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1704 cf88599048145e4911915215a91527f4.exe Token: SeBackupPrivilege 4440 vssvc.exe Token: SeRestorePrivilege 4440 vssvc.exe Token: SeAuditPrivilege 4440 vssvc.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1704 wrote to memory of 3096 1704 cf88599048145e4911915215a91527f4.exe 93 PID 1704 wrote to memory of 3096 1704 cf88599048145e4911915215a91527f4.exe 93 PID 1704 wrote to memory of 3096 1704 cf88599048145e4911915215a91527f4.exe 93 PID 1704 wrote to memory of 1048 1704 cf88599048145e4911915215a91527f4.exe 94 PID 1704 wrote to memory of 1048 1704 cf88599048145e4911915215a91527f4.exe 94 PID 1704 wrote to memory of 1048 1704 cf88599048145e4911915215a91527f4.exe 94 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1704 wrote to memory of 1468 1704 cf88599048145e4911915215a91527f4.exe 95 PID 1468 wrote to memory of 4292 1468 cf88599048145e4911915215a91527f4.exe 96 PID 1468 wrote to memory of 4292 1468 cf88599048145e4911915215a91527f4.exe 96 PID 4292 wrote to memory of 2592 4292 cmd.exe 98 PID 4292 wrote to memory of 2592 4292 cmd.exe 98 PID 1468 wrote to memory of 3592 1468 cf88599048145e4911915215a91527f4.exe 102 PID 1468 wrote to memory of 3592 1468 cf88599048145e4911915215a91527f4.exe 102 PID 3592 wrote to memory of 3680 3592 cmd.exe 104 PID 3592 wrote to memory of 3680 3592 cmd.exe 104 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"2⤵PID:3096
-
-
C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"2⤵PID:1048
-
-
C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"C:\Users\Admin\AppData\Local\Temp\cf88599048145e4911915215a91527f4.exe"2⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:3680
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
233B
MD5715b331e31300f275b8050ab87f43600
SHA13205f66c28528831a3298be5278598d15b871297
SHA25618e4c88e767b5bd0cc90b63a626d0e68e7fa5c1bca45419ed47dc94c7f085d92
SHA512351077a945e166a1a45644403eaffeb25fd941db87074abe7813e55f89a5d7f49e911060779918724e55b03518b5d114e105ec35ba4f287236323573277be738