Analysis
max time kernel: 135s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
  Resource: win10v2004-20240508-en
General
Target: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
Size: 241KB
MD5: 5bb957a511d230c271fae129f48f1fdf
SHA1: a72f01cf027c7e385bbfc2488c91db14dadc9fac
SHA256: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2
SHA512: 5f815534114d0099cd28a5f732d0c6fca59ce535e1b55a42b99d22ca9ebcc921d9430bed9a36e723035326716d8b6f8872f748ed075305a1d4b1933eec92ee23
SSDEEP: 6144:fyGt4iW5Mpj4tZx80FYuiHAZ2CLR+D7XnrlAPgT7:f94o4XRFYsZbt+D7nhj
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\How To Restore Your Files.txt
http://babukq4e2p4wu4iq.onion/login.php?id=p9gFgBg5TsdcO3mV9mf2RJlJoI0iy1
Signatures
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (1536) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
    process: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
- Drops startup file (1 IoC)
  Processes: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt
    process: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
    description: File opened (read-only)
    process: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
    ioc: \??\M:, \??\W:, \??\R:, \??\Y:, \??\I:, \??\L:, \??\N:, \??\Q:, \??\E:, \??\A:, \??\X:, \??\H:, \??\K:, \??\T:, \??\U:, \??\O:, \??\P:, \??\S:, \??\G:, \??\B:, \??\J:, \??\Z:, \??\V:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
    pid 4276: vssadmin.exe
    pid 2972: vssadmin.exe
- Modifies registry class (1 IoC)
  Processes: StartMenuExperienceHost.exe
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache
    process: StartMenuExperienceHost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
    pid 4728: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe (all 64 IoCs record this same pid/process pair)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    Token: SeBackupPrivilege, pid 2420, vssvc.exe
    Token: SeRestorePrivilege, pid 2420, vssvc.exe
    Token: SeAuditPrivilege, pid 2420, vssvc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: StartMenuExperienceHost.exe
    pid 1924: StartMenuExperienceHost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe, cmd.exe, cmd.exe
    PID 4728 (21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe) wrote to memory of 2556 (cmd.exe)
    PID 4728 (21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe) wrote to memory of 2556 (cmd.exe)
    PID 2556 (cmd.exe) wrote to memory of 4276 (vssadmin.exe)
    PID 2556 (cmd.exe) wrote to memory of 4276 (vssadmin.exe)
    PID 4728 (21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe) wrote to memory of 1712 (cmd.exe)
    PID 4728 (21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe) wrote to memory of 1712 (cmd.exe)
    PID 1712 (cmd.exe) wrote to memory of 2972 (vssadmin.exe)
    PID 1712 (cmd.exe) wrote to memory of 2972 (vssadmin.exe)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21611a8c76169a345715cf0d6dbf9e495e71ad235ed11bca5ee38ec281f75fc2.exe"
  PID: 4728
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 2556
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 4276
      - Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 1712
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 2972
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2420
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2364
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 1924
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 5abdd19cafcd3e72f92826392669abbf
  SHA1: 4d1b82cb3ea2d38e9a64b9e554ba37076a534836
  SHA256: 2a4bb91546305a2029efcf3c4bd6977e580d3d9824186cafec66199407f6e507
  SHA512: fb58a7cc5ef990de16f2255c1c5c05066593dc58af3782fc8a2dfd267f73d4437dd8b65f7614d7e94f5fc2475ee058cfb2bbea13f1df835a10e5855d758f7638
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
  Filesize: 13KB
  MD5: a2045103f8d28ea48ccb1dc0b0283030
  SHA1: 3dc7993c3baf8381a88dfdb2c38cbcee44ed3745
  SHA256: d185057d73a152752b7ea9cca2099cd4164442e0a2f6953825ee753e27a1d1db
  SHA512: b4ce93c44514f553aba46ff49a4b54c3916b5fe7bd4c627860d53961e188c19326c20c06f9dc1b9f20c5105e8bfb45432f89d0a32cd6f9df2f428a84ac6bb1a6
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
  Filesize: 13KB
  MD5: d7b7ef15420b157bf2aa6b75a4f020ef
  SHA1: 18085eeff64a9f9141bf0006f05f48b62bf1a508
  SHA256: a4bc99dd08b5fded7a044e72265aa127404c5a0e766a67195f7bf948b48e7ef1
  SHA512: 09e7dc65763b513a436fe54f4471ae6b11cf70d492cacbde170b2bd060e7389f28632c8872b2608583a379151f16369b69670a9100d83f8e43b90f9a43f3f9ac