Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-05-2024 09:11
General
-
Target
21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
-
Size
241KB
-
MD5
5bb957a511d230c271fae129f48f1fdf
-
SHA1
a72f01cf027c7e385bbfc2488c91db14dadc9fac
-
SHA256
21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2
-
SHA512
5f815534114d0099cd28a5f732d0c6fca59ce535e1b55a42b99d22ca9ebcc921d9430bed9a36e723035326716d8b6f8872f748ed075305a1d4b1933eec92ee23
-
SSDEEP
6144:fyGt4iW5Mpj4tZx80FYuiHAZ2CLR+D7XnrlAPgT7:f94o4XRFYsZbt+D7nhj
Malware Config
Extracted
C:\Recovery\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (441) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe"C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55abdd19cafcd3e72f92826392669abbf
SHA14d1b82cb3ea2d38e9a64b9e554ba37076a534836
SHA2562a4bb91546305a2029efcf3c4bd6977e580d3d9824186cafec66199407f6e507
SHA512fb58a7cc5ef990de16f2255c1c5c05066593dc58af3782fc8a2dfd267f73d4437dd8b65f7614d7e94f5fc2475ee058cfb2bbea13f1df835a10e5855d758f7638
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
36KB
-
Filesize
240KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
240KB
-
Filesize
160KB