babuk | 3d893337a014bd80b29fcd1d1b11d55d8cd245061d250d61a2d1207c6a959eba | Triage

Submit
Reports

Overview

overview

Static

static

2024-06-23...er.exe

windows7-x64

2024-06-23...er.exe

windows10-2004-x64

Sharing

General

Target

2024-06-23_702fd60faabd529ca674d806564c36b1_babuk_destroyer
Size

79KB
Sample

240623-rxc35axhpm
MD5

702fd60faabd529ca674d806564c36b1
SHA1

7f22bb89b1293405201cf4ce0816b5714fc9576a
SHA256

3d893337a014bd80b29fcd1d1b11d55d8cd245061d250d61a2d1207c6a959eba
SHA512

b0685f2855da7c18da9e723b517b74300b0976b5ea10e2c8b0205608aa74cbc69f9349dbb5a6565ec12e7dfa913e9296a13866f90c58102e235b6b03d12c763b
SSDEEP

1536:b+qxi5vmhs2bxsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nC3:hxiJ2xsrQLOJgY8Zp8LHD4XWaNH71dLy

Score

10^/10

babuk defense_evasion execution impact ransomware

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2024-06-23_702fd60faabd529ca674d806564c36b1_babuk_destroyer.exe

Resource

win7-20240221-en

babuk defense_evasion execution impact ransomware

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-06-23_702fd60faabd529ca674d806564c36b1_babuk_destroyer.exe

Resource

win10v2004-20240611-en

babuk defense_evasion execution impact ransomware

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  2024-06-23_702fd60faabd529ca674d806564c36b1_babuk_destroyer
- Size
  
  79KB
- MD5
  
  702fd60faabd529ca674d806564c36b1
- SHA1
  
  7f22bb89b1293405201cf4ce0816b5714fc9576a
- SHA256
  
  3d893337a014bd80b29fcd1d1b11d55d8cd245061d250d61a2d1207c6a959eba
- SHA512
  
  b0685f2855da7c18da9e723b517b74300b0976b5ea10e2c8b0205608aa74cbc69f9349dbb5a6565ec12e7dfa913e9296a13866f90c58102e235b6b03d12c763b
- SSDEEP
  
  1536:b+qxi5vmhs2bxsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nC3:hxiJ2xsrQLOJgY8Zp8LHD4XWaNH71dLy
Score

10^/10

babuk defense_evasion execution impact ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (186) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

babukdefense_evasionexecutionimpactransomware

behavioral2

babukdefense_evasionexecutionimpactransomware

© 2018-2024

Terms | Privacy