Analysis

  • max time kernel
    154s
  • max time network
    155s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    10-01-2025 09:34

General

  • Target

    01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe

  • Size

    79KB

  • MD5

    f9afb31bc17811e5ab4fa406f105b1fe

  • SHA1

    d1a9449dcc8a3aa0c887bce71f128866175f679a

  • SHA256

    01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f

  • SHA512

    6feca3dfa221b704208754e67bcdce02a2253961da098b3e376d11217cd00b9f77e42f37f242e1a1f4b759b5fd172c29c9f153fce32eace48e07e802aff40b55

  • SSDEEP

    1536:SX6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:uhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

Malware Config

Extracted

Path

C:\Users\Admin\Videos\How To Restore Your Files.txt

Family

darkside

Ransom Note

----------- [ Hello! ] ------------->
****BY BABUK LOCKER****

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free.

How to contact us?
----------------------------------------------
Using EMAIL:
1) Open your mail
2) Write us: [email protected]
backup address: [email protected] [email protected]
TO SEND TO THE EMAIL ONLY PERSONAL ID!!!
YOUR PERSONAL ID, ATTACH IT: beRv79st1xwM9NTHA1NluiebVXTdr4FS0eRnD5W9wMjAqbKQctyvdxbYuZ8e

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!

Signatures

  • Babuk Locker

    RaaS first seen in 2021, initially called Vasa Locker.

  • Babuk family
  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Darkside family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (188) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 47 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe
    "C:\Users\Admin\AppData\Local\Temp\01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1552
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1872
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3476
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding
    1⤵
    PID:2092
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
      PID:1340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Videos\How To Restore Your Files.txt

    Filesize

    1KB

    MD5

    9b57be4df98eb3b740a28da699734499

    SHA1

    abee599dc58c21a7cacf4bc6a727fee782df8b23

    SHA256

    d7c3edc0231627dccb4c8fc5477ef3bb556f73b5f44d26d7b979c86e856731d6

    SHA512

    96299b107c3623bda24845a732147b988b153664355a6748c5085e443b626377c8b5cc4c5a83347cc00093dffa7233d6a9665f2b812a2f6e7244b9a9c8f3a389

  • memory/3476-252-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-250-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-251-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-262-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-261-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-260-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-259-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-258-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-257-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB

  • memory/3476-256-0x000001771AE50000-0x000001771AE51000-memory.dmp

    Filesize

    4KB