babuk | 4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4

General

Target

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
Size

14KB
MD5

cf37b43fd1149f718c085c1926bacfd5
SHA1

dc68b780d86929b212d0bd6adb7f3aa1a06894f5
SHA256

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4
SHA512

7f8696d8fa85946b487bd0793981a511a4673f433d847fe7f5a89794c1be76537a59980a386e79a70a7a78182f173b3304957f0890ae770cf0b23222851dd4f6
SSDEEP

384:W/B5q72Bxo/NmBsRvWfM326U8bt8/3AKQj:6B5G2BiVOs9uMS8bt8y

Score

10^/10

babuk defense_evasion execution impact ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

description	ioc	process
File opened (read-only)	\??\E:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\T:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\A:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\H:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\N:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\V:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\W:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\R:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\Y:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\I:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\O:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\P:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\X:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\M:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\Q:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\G:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\K:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\L:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\Z:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\U:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\S:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\J:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
File opened (read-only)	\??\B:	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4724 vssadmin.exe
5020 vssadmin.exe

pid	process
4724	vssadmin.exe
5020	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

pid	process
808	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
808	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4880 vssvc.exe
Token: SeRestorePrivilege 4880 vssvc.exe
Token: SeAuditPrivilege 4880 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4880	vssvc.exe
Token: SeRestorePrivilege	4880	vssvc.exe
Token: SeAuditPrivilege	4880	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.execmd.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 4372	808	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 808 wrote to memory of 4372	808	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 4372 wrote to memory of 4724	4372	cmd.exe	vssadmin.exe
PID 4372 wrote to memory of 4724	4372	cmd.exe	vssadmin.exe
PID 808 wrote to memory of 4704	808	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 808 wrote to memory of 4704	808	4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe	cmd.exe
PID 4704 wrote to memory of 5020	4704	cmd.exe	vssadmin.exe
PID 4704 wrote to memory of 5020	4704	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
"C:\Users\Admin\AppData\Local\Temp\4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\How To Restore Your Files.txt

Filesize
1KB

MD5
8719a4f9e9ffd0b8b8b0b49134698b90

SHA1
98cc50eedea6206a7eedf8b8442ad9c10095b500

SHA256
dd5ba1629ecd99ee7b9f723e217d589e0fb7c84689973e5b5efe45c5282ba7e7

SHA512
a1ddc7df09ee37daf0bdb04daf0b509fa96d8f81d64d8582eef65be3707a0959d5e3bac97c23598c66d5b912b4dcfff4fb89b849e3599bbc68867092152416ef

Download Submit
memory/808-0-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/808-1-0x0000000001240000-0x0000000001243000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads