lockfile | e36819a304d8eb00a404b3ff1dce1f708de985ca87f56e8c571a4a14740ffd62

General

Target

2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
Size

71KB
MD5

44fcd277d0a92c0b7eafd911ccc93864
SHA1

6beed4cec39a2f126738e9a8909cd84f4edb5736
SHA256

e36819a304d8eb00a404b3ff1dce1f708de985ca87f56e8c571a4a14740ffd62
SHA512

2b6085c757242f552b1db42e9353c41d9ff8c5f7b9cc69ee4441087862a16487ccc58690d08487fdb5fc9e8072b275bf74085ee901727fdd2eacdc4fa5eadf04
SSDEEP

1536:AXcbhZMBIWhuUsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2AH:lhZEVsrQLOJgY8Zp8LHD4XWaNH71dLdS

Score

10^/10

lockfile ransomware

Malware Config

Signatures

LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
ransomware lockfile
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (202) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\G:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\Z:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\X:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\Q:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\I:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\O:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\M:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\E:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\T:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\Y:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\U:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\P:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\L:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\B:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\N:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\R:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\A:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\H:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\J:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\K:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\V:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
File opened (read-only)	\??\W:	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3768	vssadmin.exe
5716	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3572	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
3572	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	5380	vssvc.exe
Token: SeRestorePrivilege	5380	vssvc.exe
Token: SeAuditPrivilege	5380	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4536	3572	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe	87
PID 3572 wrote to memory of 4536	3572	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe	87
PID 4536 wrote to memory of 3768	4536	cmd.exe	89
PID 4536 wrote to memory of 3768	4536	cmd.exe	89
PID 3572 wrote to memory of 5624	3572	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe	97
PID 3572 wrote to memory of 5624	3572	2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe	97
PID 5624 wrote to memory of 5716	5624	cmd.exe	99
PID 5624 wrote to memory of 5716	5624	cmd.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-12_44fcd277d0a92c0b7eafd911ccc93864_babuk_destroyer.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5624
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3892,i,18365831710660765070,18037862594269997910,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:5156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\How To Restore Your Files.txt

Filesize
898B

MD5
0b382cae2e96dc2444193e0d1ff7f1a2

SHA1
f8100f578b0d07923ab9ba46361b2797228ab4ea

SHA256
5347b1ece7f3b476cfb778aa628134041078caf39f62c9da2f2479c5d74f1f1c

SHA512
fff1546d25f85c94cd629b975e2ba4f919e293d1bf79363cee2ff359ea3a292394313cc7ffcdcc2a0d5e18577e434bbad33418e9edf87b85db86edb1fe226acd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads