Analysis Overview
SHA256
eb3dc86e2d56fa258e94350d16383bde84b15fe40c584b39cb202e2e4bb89c2d
Threat Level: Known bad
The file 2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer was found to be: Known bad.
Malicious Activity Summary
Detects command variations typically used by ransomware
Detects executables containing many references to VEEAM. Observed in ransomware
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 03:32
Signatures
Detects command variations typically used by ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing many references to VEEAM. Observed in ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 03:32
Reported
2024-06-13 03:34
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 848 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 848 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 848 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 848 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 216
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 03:32
Reported
2024-06-13 03:34
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 564
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |