babuk | 37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80

General

Target

2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
Size

79KB
MD5

7deb707e7d264c73ce6b4dd905b6465d
SHA1

fc67274fb481cb02bf8bcb0e9139751e3f3a38cd
SHA256

37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80
SHA512

8663953e48319c6cb20e35c5eafae7605bd824db11d1e7ff552311e7a3180d306bcd27730456f2e9cdaa8a40128329c343b9e6ec0797966c2a5ba8c8e803744b
SSDEEP

1536:pOkWBeGPGEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:8BeBsmsrQLOJgY8Zp8LHD4XWaNH71dLc

Score

10^/10

babuk ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\A:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\H:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\V:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\N:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\R:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\S:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\X:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\L:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\B:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\E:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\T:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\U:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\O:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\J:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\K:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\M:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\W:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\Y:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\I:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\P:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\G:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
File opened (read-only)	\??\Z:	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3104	vssadmin.exe
2968	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
4412	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3760	vssvc.exe
Token: SeRestorePrivilege	3760	vssvc.exe
Token: SeAuditPrivilege	3760	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4588	4412	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe	91
PID 4412 wrote to memory of 4588	4412	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe	91
PID 4588 wrote to memory of 3104	4588	cmd.exe	93
PID 4588 wrote to memory of 3104	4588	cmd.exe	93
PID 4412 wrote to memory of 2172	4412	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe	98
PID 4412 wrote to memory of 2172	4412	2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe	98
PID 2172 wrote to memory of 2968	2172	cmd.exe	101
PID 2172 wrote to memory of 2968	2172	cmd.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_7deb707e7d264c73ce6b4dd905b6465d_babuk_destroyer.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\How To Restore Your Files.txt

Filesize
656B

MD5
e6c8c909b8b255d2285e63437af78ae6

SHA1
3f05be8c657e5a27e13649a44bd544986c2adffd

SHA256
48732b3d79586e004c8b195e15529ac15e74dfffc0dbe4fa9b6855b65aeda8c4

SHA512
84d068e1aa0b6da06c7038f3e132178de758693ab7d8792adf2cd7adce077424d1c8b468521b134294b35d10d967d3a21f57ba3fcf288e2ba411ece9a4548d5c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads