Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 29-05-2024 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
  Resource: win10v2004-20240508-en
General
Target: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
Size: 241KB
MD5: 5bb957a511d230c271fae129f48f1fdf
SHA1: a72f01cf027c7e385bbfc2488c91db14dadc9fac
SHA256: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2
SHA512: 5f815534114d0099cd28a5f732d0c6fca59ce535e1b55a42b99d22ca9ebcc921d9430bed9a36e723035326716d8b6f8872f748ed075305a1d4b1933eec92ee23
SSDEEP: 6144:fyGt4iW5Mpj4tZx80FYuiHAZ2CLR+D7XnrlAPgT7:f94o4XRFYsZbt+D7nhj
Malware Config
Extracted
Ransom note path: C:\Recovery\How To Restore Your Files.txt
Payment URL: http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (441) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
1556  vssadmin.exe
2816  vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
description                 pid   Process
Token: SeBackupPrivilege    2080  vssvc.exe
Token: SeRestorePrivilege   2080  vssvc.exe
Token: SeAuditPrivilege     2080  vssvc.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe"
  PID: 2024
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 2180
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 2816
      - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 2016
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 1556
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2080
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 5abdd19cafcd3e72f92826392669abbf
  SHA1: 4d1b82cb3ea2d38e9a64b9e554ba37076a534836
  SHA256: 2a4bb91546305a2029efcf3c4bd6977e580d3d9824186cafec66199407f6e507
  SHA512: fb58a7cc5ef990de16f2255c1c5c05066593dc58af3782fc8a2dfd267f73d4437dd8b65f7614d7e94f5fc2475ee058cfb2bbea13f1df835a10e5855d758f7638