General

  • Target

    827f9b83d84385d95c192f650607f6e0_NeikiAnalytics.exe

  • Size

    74KB

  • Sample

    240531-2g47safh6s

  • MD5

    827f9b83d84385d95c192f650607f6e0

  • SHA1

    03a737943c80f3d2792dbc9ba06fb184955c1d0a

  • SHA256

    75832c6246b8033d842a6a92b7a851562efe166ce5a7e41159b33f0f5df16471

  • SHA512

    c29db6a5f56a93c2d51cda95b0074f35d2635846deb5908ae625ac312f3b3a6a26a9655fd99f954980a11286ce9e92dceed6a6e12bdf479128e59e6213c33499

  • SSDEEP

    1536:ZfaIdDedRu8UOyaC69srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Ew:ZydRuxWsrQLOJgY8Zp8LHD4XWaNH71dP

Malware Config

Extracted

Path

C:\PerfLogs\How To Restore Your Files.txt

Ransom Note
What happened to my file!

Ransom Note Subject: Urgent: Your Files Have Been Encrypted

Dear User?

We regret to inform you that all the files on your computer have been encrypted by a sophisticated ransomware attack. Your documents, photos, videos, and other important data are now inaccessible without the decryption key.

We are demanding a ransom in exchange for the decryption key. The payment must be made in bitcoins to the following wallet address: [Bitcoin Wallet Address]. The amount of the ransom is [Amount] bitcoins, which is equivalent to approximately [Amount in USD] USD. You have 72 hours to make the payment. Failure to comply with our demand will result in the permanent loss of your files.

We have encrypted your files using a strong encryption algorithm, and there is no other way to recover them without the decryption key. We assure you that once the payment is received, we will provide you with the decryption key promptly. Do not attempt to decrypt the files yourself, as it may lead to irreversible damage.

To prove that we have the decryption key and can restore your files, you can send us one encrypted file, and we will decrypt it for you as a demonstration of our capability.

For payment instructions and further communication, please reply to this email. Do not involve law enforcement or attempt to trace this email, as it will only complicate the situation.

Time is of the essence. Act swiftly to secure the release of your files.

Sincerely,
The Ransomware Team

Targets

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (221) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15