babuk | 79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac | Triage

Submit
Reports

Overview

overview

Static

static

3

79a67070f0...ac.exe

windows7-x64

79a67070f0...ac.exe

windows10-2004-x64

Sharing

General

Target

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
Size

12.0MB
Sample

241103-zv1emstlhs
MD5

59d018958d77ee68568eac6250a4224e
SHA1

a5ac1b794b33da74b7d587b04394721f7aa96d0f
SHA256

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac
SHA512

5f285f3920463646a77487c9e0b1c46ebe950f779fafb524d6064aa280ba84c3119cd19c2b88f3011e20a7f7b70a1341103d42baca28f1781d8670bca8737881
SSDEEP

393216:VobaG+ZUoC9EYeWJ8taL/d2otNCk2rszUXS:VMaG+Z7C9M+RJ2ontkXS

Score

10^/10

babuk defense_evasion discovery execution impact pyinstaller ransomware

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe

Resource

win7-20240903-en

babuk defense_evasion discovery execution impact pyinstaller ransomware

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe

Resource

win10v2004-20241007-en

babuk defense_evasion discovery execution impact pyinstaller ransomware

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
- Size
  
  12.0MB
- MD5
  
  59d018958d77ee68568eac6250a4224e
- SHA1
  
  a5ac1b794b33da74b7d587b04394721f7aa96d0f
- SHA256
  
  79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac
- SHA512
  
  5f285f3920463646a77487c9e0b1c46ebe950f779fafb524d6064aa280ba84c3119cd19c2b88f3011e20a7f7b70a1341103d42baca28f1781d8670bca8737881
- SSDEEP
  
  393216:VobaG+ZUoC9EYeWJ8taL/d2otNCk2rszUXS:VMaG+Z7C9M+RJ2ontkXS
Score

10^/10

babuk defense_evasion discovery execution impact pyinstaller ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Babuk family
  babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (198) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

babukdefense_evasiondiscoveryexecutionimpactpyinstallerransomware

behavioral2

babukdefense_evasiondiscoveryexecutionimpactpyinstallerransomware

© 2018-2024

Terms | Privacy