babuk | 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2

General

Target

21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
Size

241KB
MD5

5bb957a511d230c271fae129f48f1fdf
SHA1

a72f01cf027c7e385bbfc2488c91db14dadc9fac
SHA256

21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2
SHA512

5f815534114d0099cd28a5f732d0c6fca59ce535e1b55a42b99d22ca9ebcc921d9430bed9a36e723035326716d8b6f8872f748ed075305a1d4b1933eec92ee23
SSDEEP

6144:fyGt4iW5Mpj4tZx80FYuiHAZ2CLR+D7XnrlAPgT7:f94o4XRFYsZbt+D7nhj

Score

10^/10

babuk defense_evasion execution impact ransomware

Malware Config

Extracted

Path

C:\Recovery\How To Restore Your Files.txt

Ransom Note

----------- [ Hello, Schauer Agrotronic ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. What information compromised? ---------------------------------------------- We copied more than 50 gb from your internal network, here are some proofs, for additional confirmations, please chat with us In cases of ignoring us, the information will be released to the public. How to contact us? ---------------------------------------------- Using TOR Browser ( https://www.torproject.org/download/ ): http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

URLs

http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (441) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe

description	ioc	process
File opened (read-only)	\??\S:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\G:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\L:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\Z:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\Q:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\O:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\A:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\U:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\H:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\J:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\B:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\W:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\R:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\Y:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\X:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\M:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\E:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\I:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\P:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\N:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\T:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\K:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
File opened (read-only)	\??\V:	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1556 vssadmin.exe
2816 vssadmin.exe

pid	process
1556	vssadmin.exe
2816	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe

pid	process
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2080 vssvc.exe
Token: SeRestorePrivilege 2080 vssvc.exe
Token: SeAuditPrivilege 2080 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2080	vssvc.exe
Token: SeRestorePrivilege	2080	vssvc.exe
Token: SeAuditPrivilege	2080	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.execmd.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 2180	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2024 wrote to memory of 2180	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2024 wrote to memory of 2180	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2024 wrote to memory of 2180	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2180 wrote to memory of 2816	2180	cmd.exe	vssadmin.exe
PID 2180 wrote to memory of 2816	2180	cmd.exe	vssadmin.exe
PID 2180 wrote to memory of 2816	2180	cmd.exe	vssadmin.exe
PID 2024 wrote to memory of 2016	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2024 wrote to memory of 2016	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2024 wrote to memory of 2016	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2024 wrote to memory of 2016	2024	21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe	cmd.exe
PID 2016 wrote to memory of 1556	2016	cmd.exe	vssadmin.exe
PID 2016 wrote to memory of 1556	2016	cmd.exe	vssadmin.exe
PID 2016 wrote to memory of 1556	2016	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
"C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\How To Restore Your Files.txt

Filesize
1KB

MD5
5abdd19cafcd3e72f92826392669abbf

SHA1
4d1b82cb3ea2d38e9a64b9e554ba37076a534836

SHA256
2a4bb91546305a2029efcf3c4bd6977e580d3d9824186cafec66199407f6e507

SHA512
fb58a7cc5ef990de16f2255c1c5c05066593dc58af3782fc8a2dfd267f73d4437dd8b65f7614d7e94f5fc2475ee058cfb2bbea13f1df835a10e5855d758f7638

Download Submit
memory/2024-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2024-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2024-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2024-3-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2024-2-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2024-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2024-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2024-5-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2024-253-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2024-252-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2024-251-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads