Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 22:34

General

  • Target

    827f9b83d84385d95c192f650607f6e0_NeikiAnalytics.exe

  • Size

    74KB

  • MD5

    827f9b83d84385d95c192f650607f6e0

  • SHA1

    03a737943c80f3d2792dbc9ba06fb184955c1d0a

  • SHA256

    75832c6246b8033d842a6a92b7a851562efe166ce5a7e41159b33f0f5df16471

  • SHA512

    c29db6a5f56a93c2d51cda95b0074f35d2635846deb5908ae625ac312f3b3a6a26a9655fd99f954980a11286ce9e92dceed6a6e12bdf479128e59e6213c33499

  • SSDEEP

    1536:ZfaIdDedRu8UOyaC69srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Ew:ZydRuxWsrQLOJgY8Zp8LHD4XWaNH71dP

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\How To Restore Your Files.txt

Ransom Note
What happened to my file! Ransom Note Subject: Urgent: Your Files Have Been Encrypted Dear User? We regret to inform you that all the files on your computer have been encrypted by a sophisticated ransomware attack. Your documents, photos, videos, and other important data are now inaccessible without the decryption key. We are demanding a ransom in exchange for the decryption key. The payment must be made in bitcoins to the following wallet address: [Bitcoin Wallet Address]. The amount of the ransom is [Amount] bitcoins, which is equivalent to approximately [Amount in USD] USD. You have 72 hours to make the payment. Failure to comply with our demand will result in the permanent loss of your files. We have encrypted your files using a strong encryption algorithm, and there is no other way to recover them without the decryption key. We assure you that once the payment is received, we will provide you with the decryption key promptly. Do not attempt to decrypt the files yourself, as it may lead to irreversible damage. To prove that we have the decryption key and can restore your files, you can send us one encrypted file, and we will decrypt it for you as a demonstration of our capability. For payment instructions and further communication, please reply to this email. Do not involve law enforcement or attempt to trace this email, as it will only complicate the situation. Time is of the essence. Act swiftly to secure the release of your files. Sincerely, The Ransomware Team

Signatures

  • Babuk Locker

    RaaS first seen in 2021, initially called Vasa Locker.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (193) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\827f9b83d84385d95c192f650607f6e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\827f9b83d84385d95c192f650607f6e0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:728
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1884
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Downloads\How To Restore Your Files.txt

    Filesize

    1KB

    MD5

    cf8b921f3e13ec8e43b14438b7effa6e

    SHA1

    5eaab3e470e27567afebb8731b99203aa4da1ee1

    SHA256

    ba5517deccf5c0b1017e38f6c0f3e1914e39d96bf321bfd9e8ad330ab11ed9f4

    SHA512

    b06aaeed3ee12deb6ad6c88410c6af2f5ae5cba701b5440da00c022e6219328f8994d3690adae9da0628f7b85edc73cfddb416f22bab39cfc7a097585cc2ba67