Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
25-05-2024 21:28
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
-
Size
80KB
-
MD5
7bb7c2899106b7c16b787c98c37ac8df
-
SHA1
15ba68d29d846a9ea07ff0df4d84655cfce0a7a0
-
SHA256
63e2ba3f181ba59f1926b7588d9c8d3d5589c15eb4354bc23348f22a49d04f9d
-
SHA512
372dd659779b377a715c7f1b7dbffe76de3645289c6237550dbd07488b93ebbb287ff9e5d4ae4b28256db2418362652e7f5804d8d9b8850ca0c5dd4750dae28d
-
SSDEEP
1536:mV9N/IUx1fSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG24m:UN/D6srQLOJgY8Zp8LHD4XWaNH71dLdy
Malware Config
Extracted
C:\PerfLogs\Admin\readme_for_unlock.txt
https://gdpr-info.eu/
http://rytsr4wlztsd436yx36atz2h52kql7cnlksuvgvphrzxnl7abn3cccid.onion
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
pid    process
1480   cmd.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
description              ioc     process
File opened (read-only)  \??\O:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\P:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\Z:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\B:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\T:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\I:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\A:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\M:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\Y:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\U:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\S:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\G:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\H:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\J:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\K:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\L:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\W:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\R:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\N:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\X:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\V:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\Q:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
File opened (read-only)  \??\E:  2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid    process
2672   vssadmin.exe
2752   vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid    process
2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                pid    process
Token: SeBackupPrivilege   2508   vssvc.exe
Token: SeRestorePrivilege  2508   vssvc.exe
Token: SeAuditPrivilege    2508   vssvc.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description                        pid    process                                                           target process
PID 2024 wrote to memory of 2852   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2852   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2852   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2852   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2852 wrote to memory of 2672   2852   cmd.exe                                                           vssadmin.exe
PID 2852 wrote to memory of 2672   2852   cmd.exe                                                           vssadmin.exe
PID 2852 wrote to memory of 2672   2852   cmd.exe                                                           vssadmin.exe
PID 2024 wrote to memory of 2400   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2400   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2400   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2400   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2400 wrote to memory of 2752   2400   cmd.exe                                                           vssadmin.exe
PID 2400 wrote to memory of 2752   2400   cmd.exe                                                           vssadmin.exe
PID 2400 wrote to memory of 2752   2400   cmd.exe                                                           vssadmin.exe
PID 2024 wrote to memory of 2748   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2748   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2748   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2024 wrote to memory of 2748   2024   2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe   cmd.exe
PID 2748 wrote to memory of 1480   2748   cmd.exe                                                           cmd.exe
PID 2748 wrote to memory of 1480   2748   cmd.exe                                                           cmd.exe
PID 2748 wrote to memory of 1480   2748   cmd.exe                                                           cmd.exe
PID 2748 wrote to memory of 1480   2748   cmd.exe                                                           cmd.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe"  (depth 1)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2024
  -
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet  (depth 2)
    - Suspicious use of WriteProcessMemory
    PID:2852
    -
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet  (depth 3)
      - Interacts with shadow copies
      PID:2672
  -
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet  (depth 2)
    - Suspicious use of WriteProcessMemory
    PID:2400
    -
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet  (depth 3)
      - Interacts with shadow copies
      PID:2752
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c START /b "" cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe" &EXIT  (depth 2)
    - Suspicious use of WriteProcessMemory
    PID:2748
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe"  (depth 3)
      - Deletes itself
      PID:1480
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe  (depth 1)
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\PerfLogs\Admin\readme_for_unlock.txt
Filesize  2KB
MD5       ebe81a4c3938d07af46fae704091bf16
SHA1      d65d6222011c893db440db814b0f4e56559b2c78
SHA256    46f33031161d4be6f0a2cd08a85f96d778415ee35d825bd8e65b0b0b5b04d8d2
SHA512    b2224a332fae2c304bd487ccd8725d75f706dc2f9f13abb2f06a95e8df16ad856fa636f24399ca0ef86b4212c9d4bdeec2eb84d18f707bbcceac1d771d89c570