Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/09/2024, 00:48 UTC

General

  • Target

    2024-09-04_cd80dc7644c812853899d925af527c5d_babuk_destroyer.exe

  • Size

    79KB

  • MD5

    cd80dc7644c812853899d925af527c5d

  • SHA1

    945a5ab18824be709dd5db3a8a1dc477396c3fe7

  • SHA256

    cb5e69c29c3e7d54245d3f32d8f4f153c9f6b6704c96c92bae513e28f01208de

  • SHA512

    d666f0fe3e00dd1a27cc83ebce0b030572fe52aa48c212efa94005cdff2264c97dbfde2c51a16f1823a0837d47f8a75633416ad71944ec2a128c143f8b1b3e0f

  • SSDEEP

    1536:PJkWBeGovEb+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2vsf0:DBeJs+srQLOJgY8Zp8LHD4XWaNH71dLH

Malware Config

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (197) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-04_cd80dc7644c812853899d925af527c5d_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-04_cd80dc7644c812853899d925af527c5d_babuk_destroyer.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2780
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2032
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PerfLogs\Admin\How to decrypt your files.txt

    Filesize

    4B

    MD5

    1cb251ec0d568de6a929b520c4aed8d1

    SHA1

    372ea08cab33e71c02c651dbc83a474d32c676ea

    SHA256

    982d9e3eb996f559e633f4d194def3761d909f5a3b647d1a851fead67c32c9d1

    SHA512

    eaf2c12742cb8c161bcbd84b032b9bb98999a23282542672ca01cc6edd268f7dce9987ad6b2bc79305634f89d90b90102bcd59a57e7135b8e3ceb93c0597117b