babuk | 37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80

General

Target

e_win.exe
Size

79KB
MD5

7deb707e7d264c73ce6b4dd905b6465d
SHA1

fc67274fb481cb02bf8bcb0e9139751e3f3a38cd
SHA256

37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80
SHA512

8663953e48319c6cb20e35c5eafae7605bd824db11d1e7ff552311e7a3180d306bcd27730456f2e9cdaa8a40128329c343b9e6ec0797966c2a5ba8c8e803744b
SSDEEP

1536:pOkWBeGPGEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:8BeBsmsrQLOJgY8Zp8LHD4XWaNH71dLc

Score

10^/10

babuk defense_evasion execution impact ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e_win.exe

description	ioc	process
File opened (read-only)	\??\A:	e_win.exe
File opened (read-only)	\??\T:	e_win.exe
File opened (read-only)	\??\Y:	e_win.exe
File opened (read-only)	\??\I:	e_win.exe
File opened (read-only)	\??\P:	e_win.exe
File opened (read-only)	\??\S:	e_win.exe
File opened (read-only)	\??\J:	e_win.exe
File opened (read-only)	\??\L:	e_win.exe
File opened (read-only)	\??\Z:	e_win.exe
File opened (read-only)	\??\Q:	e_win.exe
File opened (read-only)	\??\R:	e_win.exe
File opened (read-only)	\??\M:	e_win.exe
File opened (read-only)	\??\X:	e_win.exe
File opened (read-only)	\??\B:	e_win.exe
File opened (read-only)	\??\N:	e_win.exe
File opened (read-only)	\??\E:	e_win.exe
File opened (read-only)	\??\U:	e_win.exe
File opened (read-only)	\??\G:	e_win.exe
File opened (read-only)	\??\H:	e_win.exe
File opened (read-only)	\??\K:	e_win.exe
File opened (read-only)	\??\V:	e_win.exe
File opened (read-only)	\??\W:	e_win.exe
File opened (read-only)	\??\O:	e_win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2632 vssadmin.exe
1568 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e_win.exe

pid process

2956 e_win.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2180 vssvc.exe
Token: SeRestorePrivilege 2180 vssvc.exe
Token: SeAuditPrivilege 2180 vssvc.exe

pid	process
2632	vssadmin.exe
1568	vssadmin.exe

pid	process
2956	e_win.exe

description	pid	process
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e_win.execmd.execmd.exe

description	pid	process	target process
PID 2956 wrote to memory of 2004	2956	e_win.exe	cmd.exe
PID 2956 wrote to memory of 2004	2956	e_win.exe	cmd.exe
PID 2956 wrote to memory of 2004	2956	e_win.exe	cmd.exe
PID 2956 wrote to memory of 2004	2956	e_win.exe	cmd.exe
PID 2004 wrote to memory of 2632	2004	cmd.exe	vssadmin.exe
PID 2004 wrote to memory of 2632	2004	cmd.exe	vssadmin.exe
PID 2004 wrote to memory of 2632	2004	cmd.exe	vssadmin.exe
PID 2956 wrote to memory of 2992	2956	e_win.exe	cmd.exe
PID 2956 wrote to memory of 2992	2956	e_win.exe	cmd.exe
PID 2956 wrote to memory of 2992	2956	e_win.exe	cmd.exe
PID 2956 wrote to memory of 2992	2956	e_win.exe	cmd.exe
PID 2992 wrote to memory of 1568	2992	cmd.exe	vssadmin.exe
PID 2992 wrote to memory of 1568	2992	cmd.exe	vssadmin.exe
PID 2992 wrote to memory of 1568	2992	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e_win.exe
"C:\Users\Admin\AppData\Local\Temp\e_win.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\How To Restore Your Files.txt

Filesize
656B

MD5
e6c8c909b8b255d2285e63437af78ae6

SHA1
3f05be8c657e5a27e13649a44bd544986c2adffd

SHA256
48732b3d79586e004c8b195e15529ac15e74dfffc0dbe4fa9b6855b65aeda8c4

SHA512
84d068e1aa0b6da06c7038f3e132178de758693ab7d8792adf2cd7adce077424d1c8b468521b134294b35d10d967d3a21f57ba3fcf288e2ba411ece9a4548d5c

Download Submit

Analysis

Sharing