Analysis
-
max time kernel
124s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 12:29
Static task
static1
Behavioral task
behavioral1
Sample
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe
Resource
win10v2004-20240508-en
General
-
Target
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe
-
Size
281KB
-
MD5
9f3970b2f9304dd5335f935f3620615f
-
SHA1
350099ddb478c5a6c23fb93bb463b845581bbbff
-
SHA256
f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b
-
SHA512
ad8838c34e056fd76f04dbfd416d6b2ad978b3cbf559becf00b98ca0436d332109fe907ef72090a1bb125613d5613a7c85cb165f5f75a263e12542e7bce4e909
-
SSDEEP
6144:z6EfK6u5yvXIq1FYBthpg+Ji7NuOMucQQ6ALqp:xLuEXIqHyhaqi7NRMucQR
Malware Config
Extracted
C:\Users\How To Restore Your Files.txt
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/c9daf42fcfa6aca8432ecb7ffeff7f5e4e75f4ddd75f428c629bf6aa6a108a08/
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/
http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/3eb91fac85bb0db5dde432443e998a3863f0f1c76e3449319178e6b78f5d3f44
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\W: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\T: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\Y: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\H: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\K: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\V: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\B: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\U: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\O: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\G: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\J: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\L: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\X: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\Q: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\E: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\I: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\N: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\R: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\P: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\A: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\S: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe File opened (read-only) \??\Z: f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3000 vssadmin.exe 2228 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4744 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 4744 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 3396 vssvc.exe Token: SeRestorePrivilege 3396 vssvc.exe Token: SeAuditPrivilege 3396 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4744 wrote to memory of 2788 4744 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 92 PID 4744 wrote to memory of 2788 4744 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 92 PID 2788 wrote to memory of 3000 2788 cmd.exe 97 PID 2788 wrote to memory of 3000 2788 cmd.exe 97 PID 4744 wrote to memory of 3224 4744 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 98 PID 4744 wrote to memory of 3224 4744 f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe 98 PID 3224 wrote to memory of 2228 3224 cmd.exe 101 PID 3224 wrote to memory of 2228 3224 cmd.exe 101 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe"C:\Users\Admin\AppData\Local\Temp\f978f89aac0a76c4b568194b502c8367ca804ab2eeb0c4efe1765d84b942a17b.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2228
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:81⤵PID:4728
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD51dcf5c7c2e5edb7783ea492707605050
SHA1d0b81b7e81ef6b6567b28dba0c0a8738937cec32
SHA256f35266ab980be271447d8220b8e233b2ce36d849db6a5033fc023cbcae51bdf8
SHA512a22c82fdc35b3557707588f83f151ca697a0f2956a1b77b525a6266e6bc2e87e5f56a09e20e612a38318da2e3044e6c4c3b0e8e359c1c7582265233198b43be9