Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 12:56
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe
-
Size
79KB
-
MD5
204253b2cf495b1304d529e4edcebaf0
-
SHA1
ce4c825685a546ead3037d6e8b69d40d19ba2705
-
SHA256
9d1382cfe812378d742424f3e4717cfee4fa90d1fe0c8067cdf998e9330c0e14
-
SHA512
4176076157eec99d41e657b347ea1c5c234fcf30cac54a004fb09c5b800b51b1604c7c2aacc60e20c262d51c9a88f66cb1ba91fa4c0f077bc01a107c878591b9
-
SSDEEP
1536:CukWBeGPGEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:dBeBsmsrQLOJgY8Zp8LHD4XWaNH71dLc
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\I: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\H: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\X: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\V: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\Q: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\E: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\R: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\B: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\J: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\Z: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\M: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\Y: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\A: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\P: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\S: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\G: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\K: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\L: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\W: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\U: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\O: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe File opened (read-only) \??\N: 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2824 vssadmin.exe 1720 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2188 vssvc.exe Token: SeRestorePrivilege 2188 vssvc.exe Token: SeAuditPrivilege 2188 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1148 wrote to memory of 2300 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 28 PID 1148 wrote to memory of 2300 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 28 PID 1148 wrote to memory of 2300 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 28 PID 1148 wrote to memory of 2300 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 28 PID 2300 wrote to memory of 2824 2300 cmd.exe 30 PID 2300 wrote to memory of 2824 2300 cmd.exe 30 PID 2300 wrote to memory of 2824 2300 cmd.exe 30 PID 1148 wrote to memory of 2056 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 34 PID 1148 wrote to memory of 2056 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 34 PID 1148 wrote to memory of 2056 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 34 PID 1148 wrote to memory of 2056 1148 2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe 34 PID 2056 wrote to memory of 1720 2056 cmd.exe 36 PID 2056 wrote to memory of 1720 2056 cmd.exe 36 PID 2056 wrote to memory of 1720 2056 cmd.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-10_204253b2cf495b1304d529e4edcebaf0_babuk_destroyer.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1720
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD52af817219bb1d24a11ab839b9453b5f3
SHA1f9ff9075f9472c41aeb93df2e439fe624dc143b0
SHA2566a16454cad4534d51025f65277abaec0ff4a30082840154a35889445bb3ad0a0
SHA512d443e149d8b097cc64b0bbbf65e3d660de43943a4b36ac4c41bfbdfe814fb895d7ba97128aa1235b85d2292b79afc451fbcb89cc6a56d33ecff7d93e18a15c30