Analysis
-
max time kernel
123s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 20:21
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe
-
Size
79KB
-
MD5
2298d910b2d34e870e0f561eda4dcfc6
-
SHA1
078b2cace5161e34aaaaeba6bfbe3f6259651f34
-
SHA256
bb845cf9c1674452a995f58b3971c04fd67a0a8d256288e58cb4454bb80a5efe
-
SHA512
6465216a71c116321a6e7d9e1746247cfe1c29a5897422f13ed55cfb3a0daa42ba673a7cc308bf5440c6bf5fb084d065a6b4aab84c11ca1d81fdf23c09cbfe33
-
SSDEEP
1536:N8WkWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:lBeQsmsrQLOJgY8Zp8LHD4XWaNH71dLc
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Babuk family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exedescription ioc process File opened (read-only) \??\S: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\Z: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\X: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\B: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\N: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\Q: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\O: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\U: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\I: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\A: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\L: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\E: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\R: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\J: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\K: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\V: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\M: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\T: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\P: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\G: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\H: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\W: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe File opened (read-only) \??\Y: 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 4680 vssadmin.exe 5004 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exepid process 2372 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe 2372 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3052 vssvc.exe Token: SeRestorePrivilege 3052 vssvc.exe Token: SeAuditPrivilege 3052 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.execmd.execmd.exedescription pid process target process PID 2372 wrote to memory of 2988 2372 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe cmd.exe PID 2372 wrote to memory of 2988 2372 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe cmd.exe PID 2988 wrote to memory of 4680 2988 cmd.exe vssadmin.exe PID 2988 wrote to memory of 4680 2988 cmd.exe vssadmin.exe PID 2372 wrote to memory of 5032 2372 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe cmd.exe PID 2372 wrote to memory of 5032 2372 2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe cmd.exe PID 5032 wrote to memory of 5004 5032 cmd.exe vssadmin.exe PID 5032 wrote to memory of 5004 5032 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-03_2298d910b2d34e870e0f561eda4dcfc6_babuk_destroyer.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:5004
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
259B
MD5f026fb213f419a400ba83e1a69d26472
SHA1821f1318d077065fe1a3fe2075f053f1191d5739
SHA256b87c7d852c60b34e5986e2d41fb4f644df11f7350ef2272ad58a469e476d2bc1
SHA5126929aa4dccef21718625513ab21c9e39599969d6350dadfa00747cc8bde302d2d7158df845686f1e607b2b05126697263982f6ab61e189781117c9329176e50e