Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
108s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
28-07-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240709-en
General
-
Target
RansomwareSamples/Babik_04_01_2021_31KB.exe
-
Size
30KB
-
MD5
e10713a4a5f635767dcd54d609bed977
-
SHA1
320d799beef673a98481757b2ff7e3463ce67916
-
SHA256
8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9
-
SHA512
fed1cb7e1798ea0d131a0d4962a2b9f6c700ee3e1c9482c7837be930ce5167196ac7b1e715d9c9a5c171c349f3df3dde1a42db8e439459bc742928f9d19b38a7
-
SSDEEP
768:S4DnL4DGrUVvP917yo6Xee7amb26ZghLybmGJ87tHvg7jzTzt:SILd639NdCbXZxbytH6
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\da-DK\How To Restore Your Files.txt
babuk
http://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (1641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation Babik_04_01_2021_31KB.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt Babik_04_01_2021_31KB.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: Babik_04_01_2021_31KB.exe File opened (read-only) \??\J: Babik_04_01_2021_31KB.exe File opened (read-only) \??\Z: Babik_04_01_2021_31KB.exe File opened (read-only) \??\N: Babik_04_01_2021_31KB.exe File opened (read-only) \??\O: Babik_04_01_2021_31KB.exe File opened (read-only) \??\S: Babik_04_01_2021_31KB.exe File opened (read-only) \??\G: Babik_04_01_2021_31KB.exe File opened (read-only) \??\L: Babik_04_01_2021_31KB.exe File opened (read-only) \??\V: Babik_04_01_2021_31KB.exe File opened (read-only) \??\M: Babik_04_01_2021_31KB.exe File opened (read-only) \??\R: Babik_04_01_2021_31KB.exe File opened (read-only) \??\T: Babik_04_01_2021_31KB.exe File opened (read-only) \??\P: Babik_04_01_2021_31KB.exe File opened (read-only) \??\A: Babik_04_01_2021_31KB.exe File opened (read-only) \??\X: Babik_04_01_2021_31KB.exe File opened (read-only) \??\Y: Babik_04_01_2021_31KB.exe File opened (read-only) \??\U: Babik_04_01_2021_31KB.exe File opened (read-only) \??\I: Babik_04_01_2021_31KB.exe File opened (read-only) \??\K: Babik_04_01_2021_31KB.exe File opened (read-only) \??\B: Babik_04_01_2021_31KB.exe File opened (read-only) \??\Q: Babik_04_01_2021_31KB.exe File opened (read-only) \??\W: Babik_04_01_2021_31KB.exe File opened (read-only) \??\E: Babik_04_01_2021_31KB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babik_04_01_2021_31KB.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4604 vssadmin.exe 2380 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe 4092 Babik_04_01_2021_31KB.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 5096 vssvc.exe Token: SeRestorePrivilege 5096 vssvc.exe Token: SeAuditPrivilege 5096 vssvc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4404 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4092 wrote to memory of 4152 4092 Babik_04_01_2021_31KB.exe 88 PID 4092 wrote to memory of 4152 4092 Babik_04_01_2021_31KB.exe 88 PID 4152 wrote to memory of 4604 4152 cmd.exe 90 PID 4152 wrote to memory of 4604 4152 cmd.exe 90 PID 4092 wrote to memory of 3436 4092 Babik_04_01_2021_31KB.exe 112 PID 4092 wrote to memory of 3436 4092 Babik_04_01_2021_31KB.exe 112 PID 3436 wrote to memory of 2380 3436 cmd.exe 114 PID 3436 wrote to memory of 2380 3436 cmd.exe 114 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2380
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3368
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4404
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize13KB
MD59529dd2edc12daa0053af1c53b9fa8dd
SHA1427cc4600ddb4a417f6373a7e41b1e59310f847d
SHA25617711c2306ee8b05fd4dfae2455502eb08d8a0dac9a91484fa86e37fbeadf55f
SHA512853f60edc353c4dadfc1aa60d2411f3f36667e96bb91215a7be22cac62bf574dfac35162958a4b599d9501d3516016d25e39949078432107ea7658ee3001682c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize13KB
MD53c8e8e7798495fd4134c49c66f8ee416
SHA17c8588716f67c8bae2cd909ad7e2567c66157834
SHA2567767f4f12d984d245d36995afc11a68100719b01414f903ad5f63d8c918e140e
SHA51247704b2b545c1572cd15bd1f49391dd88cbf23b779def330e70ad37635e47fe4f2dc3091d081e9778d8bbd38e2bcc14dfa5c47ba37b00b87f719fbec9f95211a
-
Filesize
1KB
MD5b6e97028103bc6b18214f4b2bd0e0d23
SHA14c202c77782d55af635c28fa71b2ba58b294415e
SHA256db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45
SHA512214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d