General

  • Target

    2024-08-13_b97789f5e43131e57253c63c3f646715_babuk_destroyer

  • Size

    79KB

  • Sample

    240813-b1bfpsxeje

  • MD5

    b97789f5e43131e57253c63c3f646715

  • SHA1

    5c11d5e8bfcf5518107039c373baabc23115b3af

  • SHA256

    2d5213ab289a6fba4764904f7f06b16ca8f31f5593370efa148feb679095f061

  • SHA512

    bc6092e1feda452eebe4065545188536f231afb8ee888ed7277ce056600a5d05071fb111c424c32cecdfac6f10a72bc78059be2b707a8f8177f192e452acedb0

  • SSDEEP

    1536:9k6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:QhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

Malware Config

Extracted

Path

C:\PerfLogs\Admin\How To Restore Your Files.txt

Ransom Note

ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!

WARNINGS:

  • ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT AND MAKE RECOVERY IMPOSSIBLE.

  • DO NOT MODIFY ENCRYPTED FILES.

  • DO NOT RENAME ENCRYPTED FILES (Including the file extension!).

  • No software available on internet can help you. We are the only ones able to solve your problem.

IMPORTANT:

  • We gathered highly confidential/personal data. This data is currently stored on a private server. This data will be immediately removed after your payment. If you decide to not pay, we will release your data to public or re-seller.

  • We only want money and our goal is not to damage your reputation or prevent your business from running.

  • You can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.

  • Our promises are guaranteed. Failure to comply with our agreement such as leaking data, not recovering data, or selling data/access from victims who have paid will result in loss of reputation. This will cause less victims to pay the ransom fee meaning we lose money. Because of this we have no incentive to scam you and will only lose money by doing so.

Contact us for price and get decryption software. [email protected]

YOUR TIME IS LIMITED:

  • IF YOU DON'T CONTACT US WITHIN 48 HOURS, PRICE WILL BE HIGHER.

  • IF YOU DON'T CONTACT US WITHIN 72 HOURS, DATA WILL BE LEAKED AND KEY WILL BE DELETED.

Many Thanks, Support is Waiting ;)

Targets

    • Babuk Locker

      RaaS first seen in 2021, initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (208) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks