babuk | 37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e_win.exe
Size

79KB
MD5

7deb707e7d264c73ce6b4dd905b6465d
SHA1

fc67274fb481cb02bf8bcb0e9139751e3f3a38cd
SHA256

37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80
SHA512

8663953e48319c6cb20e35c5eafae7605bd824db11d1e7ff552311e7a3180d306bcd27730456f2e9cdaa8a40128329c343b9e6ec0797966c2a5ba8c8e803744b
SSDEEP

1536:pOkWBeGPGEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:8BeBsmsrQLOJgY8Zp8LHD4XWaNH71dLc

Score

10^/10

babuk ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	e_win.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	e_win.exe
File opened (read-only)	\??\N:	e_win.exe
File opened (read-only)	\??\M:	e_win.exe
File opened (read-only)	\??\Y:	e_win.exe
File opened (read-only)	\??\U:	e_win.exe
File opened (read-only)	\??\O:	e_win.exe
File opened (read-only)	\??\H:	e_win.exe
File opened (read-only)	\??\K:	e_win.exe
File opened (read-only)	\??\Q:	e_win.exe
File opened (read-only)	\??\W:	e_win.exe
File opened (read-only)	\??\E:	e_win.exe
File opened (read-only)	\??\P:	e_win.exe
File opened (read-only)	\??\B:	e_win.exe
File opened (read-only)	\??\R:	e_win.exe
File opened (read-only)	\??\T:	e_win.exe
File opened (read-only)	\??\A:	e_win.exe
File opened (read-only)	\??\J:	e_win.exe
File opened (read-only)	\??\V:	e_win.exe
File opened (read-only)	\??\I:	e_win.exe
File opened (read-only)	\??\S:	e_win.exe
File opened (read-only)	\??\G:	e_win.exe
File opened (read-only)	\??\L:	e_win.exe
File opened (read-only)	\??\X:	e_win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4752	vssadmin.exe
3944	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
908	e_win.exe
908	e_win.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 3184	908	e_win.exe	86
PID 908 wrote to memory of 3184	908	e_win.exe	86
PID 3184 wrote to memory of 4752	3184	cmd.exe	90
PID 3184 wrote to memory of 4752	3184	cmd.exe	90
PID 908 wrote to memory of 3492	908	e_win.exe	91
PID 908 wrote to memory of 3492	908	e_win.exe	91
PID 3492 wrote to memory of 3944	3492	cmd.exe	95
PID 3492 wrote to memory of 3944	3492	cmd.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e_win.exe
"C:\Users\Admin\AppData\Local\Temp\e_win.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\How To Restore Your Files.txt

Filesize
656B

MD5
e6c8c909b8b255d2285e63437af78ae6

SHA1
3f05be8c657e5a27e13649a44bd544986c2adffd

SHA256
48732b3d79586e004c8b195e15529ac15e74dfffc0dbe4fa9b6855b65aeda8c4

SHA512
84d068e1aa0b6da06c7038f3e132178de758693ab7d8792adf2cd7adce077424d1c8b468521b134294b35d10d967d3a21f57ba3fcf288e2ba411ece9a4548d5c

Download Submit