Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-05-2024 04:55
Static task
static1
Behavioral task
behavioral1
Sample
4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
Resource
win10v2004-20240426-en
General
-
Target
4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
-
Size
14KB
-
MD5
cf37b43fd1149f718c085c1926bacfd5
-
SHA1
dc68b780d86929b212d0bd6adb7f3aa1a06894f5
-
SHA256
4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4
-
SHA512
7f8696d8fa85946b487bd0793981a511a4673f433d847fe7f5a89794c1be76537a59980a386e79a70a7a78182f173b3304957f0890ae770cf0b23222851dd4f6
-
SSDEEP
384:W/B5q72Bxo/NmBsRvWfM326U8bt8/3AKQj:6B5G2BiVOs9uMS8bt8y
Malware Config
Signatures
-
Babuk Locker
Ransomware-as-a-Service family first seen in 2021, initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (207) files with added filename extension
An extension was appended to 207 files during the run, which is consistent with ransomware encrypting files across the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description          ioc                                                                                                   Process
Key value queried    \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation    4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 23 IoCs are "File opened (read-only)" by 4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe, on the following drive roots (in the order reported):
\??\E:  \??\T:  \??\A:  \??\H:  \??\N:  \??\V:  \??\W:  \??\R:  \??\Y:  \??\I:  \??\O:  \??\P:
\??\X:  \??\M:  \??\Q:  \??\G:  \??\K:  \??\L:  \??\Z:  \??\U:  \??\S:  \??\J:  \??\B:
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid     Process
4724    vssadmin.exe
5020    vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
808    4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
808    4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description                  pid     Process
Token: SeBackupPrivilege     4880    vssvc.exe
Token: SeRestorePrivilege    4880    vssvc.exe
Token: SeAuditPrivilege      4880    vssvc.exe
Note that vssvc.exe (the Volume Shadow Copy service) enabling these privileges is its normal behaviour when servicing a request; the indicator here is that the request came from the sample's vssadmin.exe children, not the privilege adjustment itself.
-
Suspicious use of WriteProcessMemory 8 IoCs
description                         pid     Process                                                                 procid_target
PID 808 wrote to memory of 4372     808     4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe    82
PID 808 wrote to memory of 4372     808     4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe    82
PID 4372 wrote to memory of 4724    4372    cmd.exe                                                                 86
PID 4372 wrote to memory of 4724    4372    cmd.exe                                                                 86
PID 808 wrote to memory of 4704     808     4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe    97
PID 808 wrote to memory of 4704     808     4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe    97
PID 4704 wrote to memory of 5020    4704    cmd.exe                                                                 99
PID 4704 wrote to memory of 5020    4704    cmd.exe                                                                 99
Each write is from a parent to the child it has just created (808 to cmd.exe 4372/4704, each cmd.exe to its vssadmin.exe child), i.e. these are the process-creation writes behind the process tree below, not injection into an unrelated process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe"
   - Checks computer location settings
   - Enumerates connected drives
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 808
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      PID: 4372
      3. C:\Windows\system32\vssadmin.exe
         Command line: vssadmin.exe delete shadows /all /quiet
         - Interacts with shadow copies
         PID: 4724
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      PID: 4704
      3. C:\Windows\system32\vssadmin.exe
         Command line: vssadmin.exe delete shadows /all /quiet
         - Interacts with shadow copies
         PID: 5020
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
   PID: 4880
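The process tree and IoCs above translate directly into host-based detection logic. The following is an added example written for this page; it is not part of the sandbox output and is not code from the Babuk sample. It replays constructed events modelled on the report (the PIDs, images, command lines, the Geo\Nation key and the 23 drive roots are the ones listed above; the event record layout, the sample's parent PID 4000, and the wmic "shadowcopy delete" pattern are assumptions) and flags three behaviours: shadow-copy deletion attributed to the process that requested it rather than to cmd.exe, the Geo\Nation registry lookup, and bulk enumeration of non-C: drive roots.

```python
"""Detection logic for the behaviours flagged in this report (added example;
not the sandbox's or the malware's code). Event records use an assumed
schema: type, pid, ppid, image, cmdline, target."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4740ab354a836006d48c6af651852df436a1ed07e9ad4fa09c9aa6cd34fd68d4.exe")
CMD = r"C:\Windows\System32\cmd.exe"
VSSADMIN = r"C:\Windows\system32\vssadmin.exe"
SHADOW_CMD = "vssadmin.exe delete shadows /all /quiet"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000"
           r"\Control Panel\International\Geo\Nation")
# The 23 drive roots in the order the report lists them (C:, D:, F: absent).
DRIVES = "ETAHNVWRYIOPXMQGKLZUSJB"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


# Constructed events mirroring the report's process tree and IoCs.
# The parent PID 4000 of the sample is invented (the report does not show it).
EVENTS = [
    proc(808, 4000, SAMPLE, '"%s"' % SAMPLE),
    {"type": "registry", "pid": 808, "target": GEO_KEY},
    *({"type": "file", "pid": 808, "target": "\\??\\" + d + ":"} for d in DRIVES),
    proc(4372, 808, CMD, '"%s" /c %s' % (CMD, SHADOW_CMD)),
    proc(4724, 4372, VSSADMIN, SHADOW_CMD),
    proc(4704, 808, CMD, '"%s" /c %s' % (CMD, SHADOW_CMD)),
    proc(5020, 4704, VSSADMIN, SHADOW_CMD),
]

# vssadmin form seen in this report, plus the wmic spelling of the same
# action (an assumed generalisation, not observed in this run).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
DRIVE_ROOT = re.compile(r"\\\?\?\\([A-Z]):")
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def origin_of(pid, procs):
    """Walk up through shell/interpreter parents so the finding names the
    process that asked for the deletion (here PID 808), not cmd.exe."""
    while pid in procs and basename(procs[pid]["image"]) in INTERPRETERS:
        pid = procs[pid]["ppid"]
    return pid


def detect_shadow_deletion(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in procs.values():
        # Match on the tool itself, not on the cmd.exe that merely carries the
        # same string in its command line, so each deletion is counted once.
        if SHADOW_DELETE.search(e["cmdline"]) and basename(e["image"]) not in INTERPRETERS:
            origin = origin_of(e["ppid"], procs)
            findings.append({"pid": e["pid"], "origin_pid": origin,
                             "origin_image": procs[origin]["image"] if origin in procs else None})
    return findings


def detect_geofence_lookup(events):
    suffix = r"\control panel\international\geo\nation"
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry" and e["target"].lower().endswith(suffix)})


def detect_drive_enumeration(events, threshold=5):
    """PIDs that opened at least `threshold` distinct non-C: drive roots."""
    roots = defaultdict(set)
    for e in events:
        if e["type"] == "file":
            m = DRIVE_ROOT.fullmatch(e["target"])
            if m and m.group(1) != "C":
                roots[e["pid"]].add(m.group(1))
    return {pid: len(r) for pid, r in roots.items() if len(r) >= threshold}


def run(events):
    return {"shadow_deletion": detect_shadow_deletion(events),
            "geofence_lookup": detect_geofence_lookup(events),
            "drive_enumeration": detect_drive_enumeration(events)}


if __name__ == "__main__":
    for name, hits in run(EVENTS).items():
        print(name, hits)
```

Walking up past interpreters is the part worth keeping when porting this to a real sensor: the two vssadmin.exe processes in this report each have cmd.exe as their parent, and a rule that stops there would attribute the deletion to cmd.exe rather than to the sample. If your telemetry only records shell command lines and not the vssadmin.exe child, drop the interpreter filter in detect_shadow_deletion and dedupe on the origin instead.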
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize    1KB
MD5         8719a4f9e9ffd0b8b8b0b49134698b90
SHA1        98cc50eedea6206a7eedf8b8442ad9c10095b500
SHA256      dd5ba1629ecd99ee7b9f723e217d589e0fb7c84689973e5b5efe45c5282ba7e7
SHA512      a1ddc7df09ee37daf0bdb04daf0b509fa96d8f81d64d8582eef65be3707a0959d5e3bac97c23598c66d5b912b4dcfff4fb89b849e3599bbc68867092152416ef