Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 12:29
Static task
static1
Behavioral task
behavioral1
Sample
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe
Resource
win10v2004-20240508-en
General
-
Target
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe
-
Size
281KB
-
MD5
9f3970b2f9304dd5335f935f3620615f
-
SHA1
350099ddb478c5a6c23fb93bb463b845581bbbff
-
SHA256
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b
-
SHA512
ad8838c34e056fd76f04dbfd416d6b2ad978b3cbf559becf00b98ca0436d332109fe907ef72090a1bb125613d5613a7c85cb165f5f75a263e12542e7bce4e909
-
SSDEEP
6144:z6EfK6u5yvXIq1FYBthpg+Ji7NuOMucQQ6ALqp:xLuEXIqHyhaqi7NRMucQR
Malware Config
Extracted
C:\Users\How To Restore Your Files.txt
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/c9daf42fcfa6aca8432ecb7ffeff7f5e4e75f4ddd75f428c629bf6aa6a108a08/
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/
http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/3eb91fac85bb0db5dde432443e998a3863f0f1c76e3449319178e6b78f5d3f44
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\X: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\R: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\Y: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\A: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\S: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\P: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\J: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\K: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\Z: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\Q: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\W: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\T: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\O: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\M: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\U: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\G: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\V: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\N: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\E: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\I: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\H: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\B: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2484 vssadmin.exe 2864 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2516 vssvc.exe Token: SeRestorePrivilege 2516 vssvc.exe Token: SeAuditPrivilege 2516 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1640 wrote to memory of 2504 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 28 PID 1640 wrote to memory of 2504 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 28 PID 1640 wrote to memory of 2504 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 28 PID 1640 wrote to memory of 2504 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 28 PID 2504 wrote to memory of 2484 2504 cmd.exe 30 PID 2504 wrote to memory of 2484 2504 cmd.exe 30 PID 2504 wrote to memory of 2484 2504 cmd.exe 30 PID 1640 wrote to memory of 2804 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 34 PID 1640 wrote to memory of 2804 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 34 PID 1640 wrote to memory of 2804 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 34 PID 1640 wrote to memory of 2804 1640 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 34 PID 2804 wrote to memory of 2864 2804 cmd.exe 36 PID 2804 wrote to memory of 2864 2804 cmd.exe 36 PID 2804 wrote to memory of 2864 2804 cmd.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe"C:\Users\Admin\AppData\Local\Temp\f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2484
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2864
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD51dcf5c7c2e5edb7783ea492707605050
SHA1d0b81b7e81ef6b6567b28dba0c0a8738937cec32
SHA256f35266ab980be271447d8220b8e233b2ce36d849db6a5033fc023cbcae51bdf8
SHA512a22c82fdc35b3557707588f83f151ca697a0f2956a1b77b525a6266e6bc2e87e5f56a09e20e612a38318da2e3044e6c4c3b0e8e359c1c7582265233198b43be9