Malware Analysis Report

2025-01-18 12:51

Sample ID 240613-d3m9dssgld
Target 2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer
SHA256 eb3dc86e2d56fa258e94350d16383bde84b15fe40c584b39cb202e2e4bb89c2d
Tags
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb3dc86e2d56fa258e94350d16383bde84b15fe40c584b39cb202e2e4bb89c2d

Threat Level: Known bad

The file 2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer was found to be: Known bad.

Malicious Activity Summary


Detects command variations typically used by ransomware

Detects executables containing many references to VEEAM. Observed in ransomware

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:32

Signatures

Detects command variations typically used by ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing many references to VEEAM. Observed in ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:32

Reported

2024-06-13 03:34

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 216

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:32

Reported

2024-06-13 03:34

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_48a2f6b1c617c3601e034cce0343e094_babuk_destroyer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A