Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
19-04-2024 21:01
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe
-
Size
79KB
-
MD5
d5eaa5c4f55781bc3f161e7c583e45c4
-
SHA1
d3796032c80f40cd7e1c6c8b5896ac8945c3eee1
-
SHA256
adb10da10d9e2cc882bfadf2210a6cb2fdc62308470200401ffe869c01405995
-
SHA512
5ae0af58d804e8f1ec624d1f4ea68a625d75373d14c73ea7ce8f0a988c0427a69138fa8ceeab978f7db3c246a44169fa33aa79107897c94b483cd657bde176ff
-
SSDEEP
1536:apoUyFydC/ZbtsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2ncf:1UyFydC/NtsrQLOJgY8Zp8LHD4XWaNHY
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\P: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\S: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\N: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\M: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\Q: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\R: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\L: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\X: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\B: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\T: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\K: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\I: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\O: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\H: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\J: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\Z: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\V: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\W: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\E: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\G: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\U: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe File opened (read-only) \??\A: 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 392 vssadmin.exe 2504 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2368 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe 2368 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 3560 vssvc.exe Token: SeRestorePrivilege 3560 vssvc.exe Token: SeAuditPrivilege 3560 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2816 2368 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe 85 PID 2368 wrote to memory of 2816 2368 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe 85 PID 2816 wrote to memory of 392 2816 cmd.exe 89 PID 2816 wrote to memory of 392 2816 cmd.exe 89 PID 2368 wrote to memory of 4388 2368 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe 91 PID 2368 wrote to memory of 4388 2368 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe 91 PID 4388 wrote to memory of 2504 4388 cmd.exe 93 PID 4388 wrote to memory of 2504 4388 cmd.exe 93 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:392
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2504
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD52af817219bb1d24a11ab839b9453b5f3
SHA1f9ff9075f9472c41aeb93df2e439fe624dc143b0
SHA2566a16454cad4534d51025f65277abaec0ff4a30082840154a35889445bb3ad0a0
SHA512d443e149d8b097cc64b0bbbf65e3d660de43943a4b36ac4c41bfbdfe814fb895d7ba97128aa1235b85d2292b79afc451fbcb89cc6a56d33ecff7d93e18a15c30