babuk | 4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4

General

Target

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
Size

14KB
MD5

cf37b43fd1149f718c085c1926bacfd5
SHA1

dc68b780d86929b212d0bd6adb7f3aa1a06894f5
SHA256

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4
SHA512

7f8696d8fa85946b487bd0793981a511a4673f433d847fe7f5a89794c1be76537a59980a386e79a70a7a78182f173b3304957f0890ae770cf0b23222851dd4f6
SSDEEP

384:W/B5q72Bxo/NmBsRvWfM326U8bt8/3AKQj:6B5G2BiVOs9uMS8bt8y

Score

10^/10

babuk defense_evasion execution impact ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (221) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

description	ioc	process
File opened (read-only)	\??\T:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\O:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\A:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\Q:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\W:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\U:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\G:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\Z:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\B:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\M:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\Y:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\I:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\S:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\H:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\L:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\V:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\N:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\E:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\R:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\P:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\J:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\K:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\X:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2548 vssadmin.exe
2812 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

pid process

2172 4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2696 vssvc.exe
Token: SeRestorePrivilege 2696 vssvc.exe
Token: SeAuditPrivilege 2696 vssvc.exe

pid	process
2548	vssadmin.exe
2812	vssadmin.exe

pid	process
2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

description	pid	process
Token: SeBackupPrivilege	2696	vssvc.exe
Token: SeRestorePrivilege	2696	vssvc.exe
Token: SeAuditPrivilege	2696	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.execmd.execmd.exe

description	pid	process	target process
PID 2172 wrote to memory of 1056	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 2172 wrote to memory of 1056	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 2172 wrote to memory of 1056	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 2172 wrote to memory of 1056	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 1056 wrote to memory of 2548	1056	cmd.exe	vssadmin.exe
PID 1056 wrote to memory of 2548	1056	cmd.exe	vssadmin.exe
PID 1056 wrote to memory of 2548	1056	cmd.exe	vssadmin.exe
PID 2172 wrote to memory of 900	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 2172 wrote to memory of 900	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 2172 wrote to memory of 900	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 2172 wrote to memory of 900	2172	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 900 wrote to memory of 2812	900	cmd.exe	vssadmin.exe
PID 900 wrote to memory of 2812	900	cmd.exe	vssadmin.exe
PID 900 wrote to memory of 2812	900	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
"C:\Users\Admin\AppData\Local\Temp\4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\How To Restore Your Files.txt

Filesize
1KB

MD5
8719a4f9e9ffd0b8b8b0b49134698b90

SHA1
98cc50eedea6206a7eedf8b8442ad9c10095b500

SHA256
dd5ba1629ecd99ee7b9f723e217d589e0fb7c84689973e5b5efe45c5282ba7e7

SHA512
a1ddc7df09ee37daf0bdb04daf0b509fa96d8f81d64d8582eef65be3707a0959d5e3bac97c23598c66d5b912b4dcfff4fb89b849e3599bbc68867092152416ef

Download Submit
memory/2172-1-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/2172-0-0x0000000001090000-0x000000000109C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing