babuk | 37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80

General

Target

e_win.exe
Size

79KB
MD5

7deb707e7d264c73ce6b4dd905b6465d
SHA1

fc67274fb481cb02bf8bcb0e9139751e3f3a38cd
SHA256

37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80
SHA512

8663953e48319c6cb20e35c5eafae7605bd824db11d1e7ff552311e7a3180d306bcd27730456f2e9cdaa8a40128329c343b9e6ec0797966c2a5ba8c8e803744b
SSDEEP

1536:pOkWBeGPGEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:8BeBsmsrQLOJgY8Zp8LHD4XWaNH71dLc

Score

10^/10

babuk ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e_win.exe

description	ioc	process
File opened (read-only)	\??\G:	e_win.exe
File opened (read-only)	\??\J:	e_win.exe
File opened (read-only)	\??\K:	e_win.exe
File opened (read-only)	\??\T:	e_win.exe
File opened (read-only)	\??\Y:	e_win.exe
File opened (read-only)	\??\I:	e_win.exe
File opened (read-only)	\??\O:	e_win.exe
File opened (read-only)	\??\S:	e_win.exe
File opened (read-only)	\??\Q:	e_win.exe
File opened (read-only)	\??\A:	e_win.exe
File opened (read-only)	\??\X:	e_win.exe
File opened (read-only)	\??\N:	e_win.exe
File opened (read-only)	\??\P:	e_win.exe
File opened (read-only)	\??\L:	e_win.exe
File opened (read-only)	\??\Z:	e_win.exe
File opened (read-only)	\??\V:	e_win.exe
File opened (read-only)	\??\M:	e_win.exe
File opened (read-only)	\??\B:	e_win.exe
File opened (read-only)	\??\W:	e_win.exe
File opened (read-only)	\??\E:	e_win.exe
File opened (read-only)	\??\R:	e_win.exe
File opened (read-only)	\??\U:	e_win.exe
File opened (read-only)	\??\H:	e_win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2944 vssadmin.exe
1764 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e_win.exe

pid process

2784 e_win.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2508 vssvc.exe
Token: SeRestorePrivilege 2508 vssvc.exe
Token: SeAuditPrivilege 2508 vssvc.exe

pid	process
2944	vssadmin.exe
1764	vssadmin.exe

pid	process
2784	e_win.exe

description	pid	process
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e_win.execmd.execmd.exe

description	pid	process	target process
PID 2784 wrote to memory of 3044	2784	e_win.exe	cmd.exe
PID 2784 wrote to memory of 3044	2784	e_win.exe	cmd.exe
PID 2784 wrote to memory of 3044	2784	e_win.exe	cmd.exe
PID 2784 wrote to memory of 3044	2784	e_win.exe	cmd.exe
PID 3044 wrote to memory of 2944	3044	cmd.exe	vssadmin.exe
PID 3044 wrote to memory of 2944	3044	cmd.exe	vssadmin.exe
PID 3044 wrote to memory of 2944	3044	cmd.exe	vssadmin.exe
PID 2784 wrote to memory of 2544	2784	e_win.exe	cmd.exe
PID 2784 wrote to memory of 2544	2784	e_win.exe	cmd.exe
PID 2784 wrote to memory of 2544	2784	e_win.exe	cmd.exe
PID 2784 wrote to memory of 2544	2784	e_win.exe	cmd.exe
PID 2544 wrote to memory of 1764	2544	cmd.exe	vssadmin.exe
PID 2544 wrote to memory of 1764	2544	cmd.exe	vssadmin.exe
PID 2544 wrote to memory of 1764	2544	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e_win.exe
"C:\Users\Admin\AppData\Local\Temp\e_win.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\How To Restore Your Files.txt
Filesize
656B

MD5
e6c8c909b8b255d2285e63437af78ae6

SHA1
3f05be8c657e5a27e13649a44bd544986c2adffd

SHA256
48732b3d79586e004c8b195e15529ac15e74dfffc0dbe4fa9b6855b65aeda8c4

SHA512
84d068e1aa0b6da06c7038f3e132178de758693ab7d8792adf2cd7adce077424d1c8b468521b134294b35d10d967d3a21f57ba3fcf288e2ba411ece9a4548d5c

Download Submit

Analysis

Sharing