Analysis

  • max time kernel
    93s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25-05-2024 21:28

General

  • Target

    2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe

  • Size

    80KB

  • MD5

    7bb7c2899106b7c16b787c98c37ac8df

  • SHA1

    15ba68d29d846a9ea07ff0df4d84655cfce0a7a0

  • SHA256

    63e2ba3f181ba59f1926b7588d9c8d3d5589c15eb4354bc23348f22a49d04f9d

  • SHA512

    372dd659779b377a715c7f1b7dbffe76de3645289c6237550dbd07488b93ebbb287ff9e5d4ae4b28256db2418362652e7f5804d8d9b8850ca0c5dd4750dae28d

  • SSDEEP

    1536:mV9N/IUx1fSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG24m:UN/D6srQLOJgY8Zp8LHD4XWaNH71dLdy

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\readme_for_unlock.txt

Ransom Note
!!! ATTENTION !!!
Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company.
All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data.
If you refuse to negotiate with us (for any reason) all your data will be put up for sale.
What you will face if your data gets on the black market:
1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores.
2) You may be sued by clients of your company for leaking information that was confidential.
3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify.
4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered.
5) You will forever lose the reputation.
6) You will be subject to huge fines from the government.
You can learn more about liability for data loss here:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://gdpr-info.eu/
Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you.
Contacting the police will not save you from these consequences, but will only make your situation worse.
You can get out of this situation with minimal losses
To do this you must strictly observe the following rules:
DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.)
You need to contact us as soon as possible and start negotiations.
Instructions for contacting our team:
Download & Install TOR browser: https://torproject.org
For contact us via LIVE CHAT open our
> Website: http://rytsr4wlztsd436yx36atz2h52kql7cnlksuvgvphrzxnl7abn3cccid.onion
> Login: CLIENT
> Password: 1KYfRkEfXQJavUbZkc38
If Tor is restricted in your area, use VPN
URLs

https://gdpr-info.eu/

http://rytsr4wlztsd436yx36atz2h52kql7cnlksuvgvphrzxnl7abn3cccid.onion

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (1398) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4016
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c START /b "" cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe" &EXIT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\2024-05-25_7bb7c2899106b7c16b787c98c37ac8df_babuk_destroyer.exe"
        3⤵
        PID:6112
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\WindowsRE\readme_for_unlock.txt

    Filesize

    2KB

    MD5

    ebe81a4c3938d07af46fae704091bf16

    SHA1

    d65d6222011c893db440db814b0f4e56559b2c78

    SHA256

    46f33031161d4be6f0a2cd08a85f96d778415ee35d825bd8e65b0b0b5b04d8d2

    SHA512

    b2224a332fae2c304bd487ccd8725d75f706dc2f9f13abb2f06a95e8df16ad856fa636f24399ca0ef86b4212c9d4bdeec2eb84d18f707bbcceac1d771d89c570