General
-
Target
79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.zip
-
Size
11.8MB
-
Sample
241103-1byx5svelh
-
MD5
6db006a488603a965fb7374a13371745
-
SHA1
549694ef5294f4389feeab8a32fafa7cef3a2374
-
SHA256
a41df9f000efd4e8286fdac8f793da281e4a58761e90c2c149d8ee126e23a6d4
-
SHA512
40b52f5b49b957426a195d1a9b2e03dca1f92db01d2cc3934a8f5f4c723ff21d38cd2aec2112d3b7f18227a7ea05011891ac428feb5f8ac96b1c89f3afd8ebb7
-
SSDEEP
196608:B4eJaz61K46JZmcyxUoN1NTkFIsMdqmdxKNMQtM4kF+AcmcCWS58yL8OaJd:BvQ9pDQnTRMmLKj0Fw3NCmd
Malware Config
Targets
-
-
Target
79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac
-
Size
12.0MB
-
MD5
59d018958d77ee68568eac6250a4224e
-
SHA1
a5ac1b794b33da74b7d587b04394721f7aa96d0f
-
SHA256
79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac
-
SHA512
5f285f3920463646a77487c9e0b1c46ebe950f779fafb524d6064aa280ba84c3119cd19c2b88f3011e20a7f7b70a1341103d42baca28f1781d8670bca8737881
-
SSDEEP
393216:VobaG+ZUoC9EYeWJ8taL/d2otNCk2rszUXS:VMaG+Z7C9M+RJ2ontkXS
Score10/10-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Babuk family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
3