Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-04-2024 11:44
Static task
static1
Behavioral task
behavioral1
Sample
e_win.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e_win.exe
Resource
win10v2004-20240412-en
General
-
Target
e_win.exe
-
Size
79KB
-
MD5
7deb707e7d264c73ce6b4dd905b6465d
-
SHA1
fc67274fb481cb02bf8bcb0e9139751e3f3a38cd
-
SHA256
37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80
-
SHA512
8663953e48319c6cb20e35c5eafae7605bd824db11d1e7ff552311e7a3180d306bcd27730456f2e9cdaa8a40128329c343b9e6ec0797966c2a5ba8c8e803744b
-
SSDEEP
1536:pOkWBeGPGEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:8BeBsmsrQLOJgY8Zp8LHD4XWaNH71dLc
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e_win.exedescription ioc process File opened (read-only) \??\G: e_win.exe File opened (read-only) \??\J: e_win.exe File opened (read-only) \??\K: e_win.exe File opened (read-only) \??\T: e_win.exe File opened (read-only) \??\Y: e_win.exe File opened (read-only) \??\I: e_win.exe File opened (read-only) \??\O: e_win.exe File opened (read-only) \??\S: e_win.exe File opened (read-only) \??\Q: e_win.exe File opened (read-only) \??\A: e_win.exe File opened (read-only) \??\X: e_win.exe File opened (read-only) \??\N: e_win.exe File opened (read-only) \??\P: e_win.exe File opened (read-only) \??\L: e_win.exe File opened (read-only) \??\Z: e_win.exe File opened (read-only) \??\V: e_win.exe File opened (read-only) \??\M: e_win.exe File opened (read-only) \??\B: e_win.exe File opened (read-only) \??\W: e_win.exe File opened (read-only) \??\E: e_win.exe File opened (read-only) \??\R: e_win.exe File opened (read-only) \??\U: e_win.exe File opened (read-only) \??\H: e_win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 2944 vssadmin.exe 1764 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
e_win.exepid process 2784 e_win.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2508 vssvc.exe Token: SeRestorePrivilege 2508 vssvc.exe Token: SeAuditPrivilege 2508 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
e_win.execmd.execmd.exedescription pid process target process PID 2784 wrote to memory of 3044 2784 e_win.exe cmd.exe PID 2784 wrote to memory of 3044 2784 e_win.exe cmd.exe PID 2784 wrote to memory of 3044 2784 e_win.exe cmd.exe PID 2784 wrote to memory of 3044 2784 e_win.exe cmd.exe PID 3044 wrote to memory of 2944 3044 cmd.exe vssadmin.exe PID 3044 wrote to memory of 2944 3044 cmd.exe vssadmin.exe PID 3044 wrote to memory of 2944 3044 cmd.exe vssadmin.exe PID 2784 wrote to memory of 2544 2784 e_win.exe cmd.exe PID 2784 wrote to memory of 2544 2784 e_win.exe cmd.exe PID 2784 wrote to memory of 2544 2784 e_win.exe cmd.exe PID 2784 wrote to memory of 2544 2784 e_win.exe cmd.exe PID 2544 wrote to memory of 1764 2544 cmd.exe vssadmin.exe PID 2544 wrote to memory of 1764 2544 cmd.exe vssadmin.exe PID 2544 wrote to memory of 1764 2544 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e_win.exe"C:\Users\Admin\AppData\Local\Temp\e_win.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PerfLogs\Admin\How To Restore Your Files.txtFilesize
656B
MD5e6c8c909b8b255d2285e63437af78ae6
SHA13f05be8c657e5a27e13649a44bd544986c2adffd
SHA25648732b3d79586e004c8b195e15529ac15e74dfffc0dbe4fa9b6855b65aeda8c4
SHA51284d068e1aa0b6da06c7038f3e132178de758693ab7d8792adf2cd7adce077424d1c8b468521b134294b35d10d967d3a21f57ba3fcf288e2ba411ece9a4548d5c