Analysis
-
max time kernel
15s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 13:48
Static task
static1
Behavioral task
behavioral1
Sample
e_win.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
e_win.exe
Resource
win10v2004-20240419-en
General
-
Target
e_win.exe
-
Size
79KB
-
MD5
7deb707e7d264c73ce6b4dd905b6465d
-
SHA1
fc67274fb481cb02bf8bcb0e9139751e3f3a38cd
-
SHA256
37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80
-
SHA512
8663953e48319c6cb20e35c5eafae7605bd824db11d1e7ff552311e7a3180d306bcd27730456f2e9cdaa8a40128329c343b9e6ec0797966c2a5ba8c8e803744b
-
SSDEEP
1536:pOkWBeGPGEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:8BeBsmsrQLOJgY8Zp8LHD4XWaNH71dLc
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: e_win.exe File opened (read-only) \??\T: e_win.exe File opened (read-only) \??\Y: e_win.exe File opened (read-only) \??\I: e_win.exe File opened (read-only) \??\P: e_win.exe File opened (read-only) \??\S: e_win.exe File opened (read-only) \??\J: e_win.exe File opened (read-only) \??\L: e_win.exe File opened (read-only) \??\Z: e_win.exe File opened (read-only) \??\Q: e_win.exe File opened (read-only) \??\R: e_win.exe File opened (read-only) \??\M: e_win.exe File opened (read-only) \??\X: e_win.exe File opened (read-only) \??\B: e_win.exe File opened (read-only) \??\N: e_win.exe File opened (read-only) \??\E: e_win.exe File opened (read-only) \??\U: e_win.exe File opened (read-only) \??\G: e_win.exe File opened (read-only) \??\H: e_win.exe File opened (read-only) \??\K: e_win.exe File opened (read-only) \??\V: e_win.exe File opened (read-only) \??\W: e_win.exe File opened (read-only) \??\O: e_win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2632 vssadmin.exe 1568 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2956 e_win.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2180 vssvc.exe Token: SeRestorePrivilege 2180 vssvc.exe Token: SeAuditPrivilege 2180 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2956 wrote to memory of 2004 2956 e_win.exe 28 PID 2956 wrote to memory of 2004 2956 e_win.exe 28 PID 2956 wrote to memory of 2004 2956 e_win.exe 28 PID 2956 wrote to memory of 2004 2956 e_win.exe 28 PID 2004 wrote to memory of 2632 2004 cmd.exe 30 PID 2004 wrote to memory of 2632 2004 cmd.exe 30 PID 2004 wrote to memory of 2632 2004 cmd.exe 30 PID 2956 wrote to memory of 2992 2956 e_win.exe 34 PID 2956 wrote to memory of 2992 2956 e_win.exe 34 PID 2956 wrote to memory of 2992 2956 e_win.exe 34 PID 2956 wrote to memory of 2992 2956 e_win.exe 34 PID 2992 wrote to memory of 1568 2992 cmd.exe 36 PID 2992 wrote to memory of 1568 2992 cmd.exe 36 PID 2992 wrote to memory of 1568 2992 cmd.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e_win.exe"C:\Users\Admin\AppData\Local\Temp\e_win.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1568
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
656B
MD5e6c8c909b8b255d2285e63437af78ae6
SHA13f05be8c657e5a27e13649a44bd544986c2adffd
SHA25648732b3d79586e004c8b195e15529ac15e74dfffc0dbe4fa9b6855b65aeda8c4
SHA51284d068e1aa0b6da06c7038f3e132178de758693ab7d8792adf2cd7adce077424d1c8b468521b134294b35d10d967d3a21f57ba3fcf288e2ba411ece9a4548d5c