Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1561s -
max time network
1563s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
07-07-2024 14:07
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240704-en
General
-
Target
RansomwareSamples/Babuk_20_04_2021_79KB.exe
-
Size
79KB
-
MD5
024382eef9abab8edd804548f94b78fc
-
SHA1
b69a5385d880f4d0acd3358df002aba42b12820f
-
SHA256
c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784
-
SHA512
011bd185ef5aef409dbd198f59829d9812d2b1ead69e867e8b9983eb7c742356b074b17383c17fe22f417b61e6aaf7858cbb9e3abd5d25d02f256b69834c42d4
-
SSDEEP
1536:jRS6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:jRMhZ5YesrQLOJgY8Zp8LHD4XWaNH71m
Malware Config
Extracted
C:\PerfLogs\Admin\How To Restore Your Files.txt
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/55a5aa93131ff81478afe895d99ccb1e5350128a6a85abe0955dc9af55c31e66/
http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/
http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/92c51a11c29950b07fc1e46c752e7d40a363ce64447d698442331feaf7de7397
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (227) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Babuk_20_04_2021_79KB.exedescription ioc process File opened (read-only) \??\A: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\J: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\V: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\Y: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\U: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\O: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\G: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\M: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\T: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\I: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\S: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\H: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\Z: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\R: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\P: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\E: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\K: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\L: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\X: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\B: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\N: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\Q: Babuk_20_04_2021_79KB.exe File opened (read-only) \??\W: Babuk_20_04_2021_79KB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1564 vssadmin.exe 2560 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Babuk_20_04_2021_79KB.exepid process 2480 Babuk_20_04_2021_79KB.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2868 vssvc.exe Token: SeRestorePrivilege 2868 vssvc.exe Token: SeAuditPrivilege 2868 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Babuk_20_04_2021_79KB.execmd.execmd.exedescription pid process target process PID 2480 wrote to memory of 1048 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 2480 wrote to memory of 1048 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 2480 wrote to memory of 1048 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 2480 wrote to memory of 1048 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 1048 wrote to memory of 1564 1048 cmd.exe vssadmin.exe PID 1048 wrote to memory of 1564 1048 cmd.exe vssadmin.exe PID 1048 wrote to memory of 1564 1048 cmd.exe vssadmin.exe PID 2480 wrote to memory of 2372 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 2480 wrote to memory of 2372 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 2480 wrote to memory of 2372 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 2480 wrote to memory of 2372 2480 Babuk_20_04_2021_79KB.exe cmd.exe PID 2372 wrote to memory of 2560 2372 cmd.exe vssadmin.exe PID 2372 wrote to memory of 2560 2372 cmd.exe vssadmin.exe PID 2372 wrote to memory of 2560 2372 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1564 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2560
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD581fc4c91a0938482f65a72216cda1e39
SHA13fb3d27ceb1502ddf0d68fa9251a6aec46036377
SHA25659ac7c1a064a53196eb135e59ab7b658577fd2ad22b45a02b77f1df630912591
SHA512ef34299b9f48c9362fadd6da53ef4c57a5d4b3cb95e35ad5be24f51249e8bbd5a5df519065212f120897461f7360c415c20dcebd74a29221086208d8f8d6d1f4