Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-09-2024 00:37
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe
-
Size
79KB
-
MD5
535d7581519e1a575b54ed9b10a22f9e
-
SHA1
9d6092b82c80880dabe6e01608a68b655aef3ce5
-
SHA256
ab5f9ab8a8072142d4b6ffcfdf50442cc729f67ce327b6afc73d7dbc51c49520
-
SHA512
5672a1d5395158ba0d2032688e4bb571ac0d7c53bbb462891f807df430478b7412fe7e980c26020b2642caf490a34a4430012a6d03bd4c849e44298f9760666b
-
SSDEEP
1536:PJkWBeGovEb+srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2vsf:DBeJs+srQLOJgY8Zp8LHD4XWaNH71dLE
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (184) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exedescription ioc process File opened (read-only) \??\R: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\T: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\U: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\O: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\A: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\S: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\M: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\Q: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\I: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\Z: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\N: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\P: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\G: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\H: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\K: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\L: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\B: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\W: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\E: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\Y: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\J: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\X: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe File opened (read-only) \??\V: 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1064 vssadmin.exe 3240 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exepid process 4528 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe 4528 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1328 vssvc.exe Token: SeRestorePrivilege 1328 vssvc.exe Token: SeAuditPrivilege 1328 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.execmd.execmd.exedescription pid process target process PID 4528 wrote to memory of 1492 4528 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe cmd.exe PID 4528 wrote to memory of 1492 4528 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe cmd.exe PID 1492 wrote to memory of 1064 1492 cmd.exe vssadmin.exe PID 1492 wrote to memory of 1064 1492 cmd.exe vssadmin.exe PID 4528 wrote to memory of 2140 4528 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe cmd.exe PID 4528 wrote to memory of 2140 4528 2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe cmd.exe PID 2140 wrote to memory of 3240 2140 cmd.exe vssadmin.exe PID 2140 wrote to memory of 3240 2140 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-04_535d7581519e1a575b54ed9b10a22f9e_babuk_destroyer.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3240
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD51cb251ec0d568de6a929b520c4aed8d1
SHA1372ea08cab33e71c02c651dbc83a474d32c676ea
SHA256982d9e3eb996f559e633f4d194def3761d909f5a3b647d1a851fead67c32c9d1
SHA512eaf2c12742cb8c161bcbd84b032b9bb98999a23282542672ca01cc6edd268f7dce9987ad6b2bc79305634f89d90b90102bcd59a57e7135b8e3ceb93c0597117b