Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-09-2024 00:26
General
-
Target
2024-09-04_10a746200164524d5e4e44abc2ddc5ea_babuk_destroyer.exe
-
Size
79KB
-
MD5
10a746200164524d5e4e44abc2ddc5ea
-
SHA1
7d0f165804baa92b14a184da7f84da322d620939
-
SHA256
f89066114c3062fa3ed6049ee2662ced47f725cd383fdbde1049b413e58faa82
-
SHA512
1290db2165066ac08baed1e6afa3bd73d84062a4e05e71b8457e35a33ccd919eb4d2f4ef49f57d59a5de7d83d47b09152d7d8f292b802db4ae284348dba03145
-
SSDEEP
1536:PJkWBeGovEb+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2vsf0:DBeJs+srQLOJgY8Zp8LHD4XWaNH71dLH
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (154) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-04_10a746200164524d5e4e44abc2ddc5ea_babuk_destroyer.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-04_10a746200164524d5e4e44abc2ddc5ea_babuk_destroyer.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD51cb251ec0d568de6a929b520c4aed8d1
SHA1372ea08cab33e71c02c651dbc83a474d32c676ea
SHA256982d9e3eb996f559e633f4d194def3761d909f5a3b647d1a851fead67c32c9d1
SHA512eaf2c12742cb8c161bcbd84b032b9bb98999a23282542672ca01cc6edd268f7dce9987ad6b2bc79305634f89d90b90102bcd59a57e7135b8e3ceb93c0597117b