Analysis

  • max time kernel
    127s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-08-2024 01:36

General

  • Target

    2024-08-13_b97789f5e43131e57253c63c3f646715_babuk_destroyer.exe

  • Size

    79KB

  • MD5

    b97789f5e43131e57253c63c3f646715

  • SHA1

    5c11d5e8bfcf5518107039c373baabc23115b3af

  • SHA256

    2d5213ab289a6fba4764904f7f06b16ca8f31f5593370efa148feb679095f061

  • SHA512

    bc6092e1feda452eebe4065545188536f231afb8ee888ed7277ce056600a5d05071fb111c424c32cecdfac6f10a72bc78059be2b707a8f8177f192e452acedb0

  • SSDEEP

    1536:9k6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:QhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\How To Restore Your Files.txt

Ransom Note
ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED! WARNINGS: • ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT AND MAKE RECOVERY IMPOSSIBLE. • DO NOT MODIFY ENCRYPTED FILES. • DO NOT RENAME ENCRYPTED FILES (Including the file extension!). • No software available on internet can help you. We are the only ones able to solve your problem. IMPORTANT: • We gathered highly confidential/personal data. This data is currently stored on a private server. This data will be immediately removed after your payment. If you decide to not pay, we will release your data to public or re-seller. • We only want money and our goal is not to damage your reputation or prevent your business from running. • You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. • Our promises are guaranteed. Faliure to comply with our agreement such as leaking data, not recovering data, or selling data/access from victims who have paid will result in loss of reputation. This will cause less victims to pay the ransom fee meaning we lose money. Because of this we have no incentive to scam you and will only lose money by doing so. Contact us for price and get decryption software. [email protected] YOUR TIME IS LIMITED: • IF YOU DON'T CONTACT US WITHIN 48 HOURS, PRICE WILL BE HIGHER. • IF YOU DON'T CONTACT US WITHIN 72 HOURS, DATA WILL BE LEAKED AND KEY WILL BE DELETED. Many Thanks, Support is Waiting ;)

Signatures

  • Babuk Locker

    RaaS first seen in 2021, initially called Vasa Locker.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-13_b97789f5e43131e57253c63c3f646715_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-13_b97789f5e43131e57253c63c3f646715_babuk_destroyer.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2908
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4456
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4904

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\WindowsRE\How To Restore Your Files.txt

    Filesize

    1KB

    MD5

    d0611c32100542de4fd6f77f2a2f701b

    SHA1

    924bd0ab0c5a68dd27c9978805a1a97c5b3088ff

    SHA256

    c37cbb2245e2e33357aa382e07b3eb7868cb7b6832b114e49889c071fc39c6e9

    SHA512

    d9bdf63358f3ce5bbac0f9305e3785e592742a6c47a76da95c73f17a6b719843687ca6b283c9e0f31d16d12bfee8f7a5659c4ef38e3492fd023c4e2bfdeb2b79