Overview

overview

10

Static

static

3

2025-03-07...er.exe

windows7-x64

10

2025-03-07...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 17:41 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-07_fc3ce4e60c8c67dce8f4db295bf588d0_babuk_destroyer.exe

  • Size

    87KB

  • MD5

    fc3ce4e60c8c67dce8f4db295bf588d0

  • SHA1

    f53d85664cf5377f78f160046c7ac4f9e0d97b71

  • SHA256

    35207d1da900a08d511c6e5ed5d87e04347540fa89776486155f8184c60f41e4

  • SHA512

    75a0386450b9ab4275c955f36ff50aa04e78ac12fcd06f593db80c877a575fcd468ecf75bacd650f15faccbae799c1d77c2558efa9cc03b32e2898d6e78c8948

  • SSDEEP

    1536:zmQvhe/yPhBgzPWmisrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2CIE:1he/yPe+/srQLOJgY8Zp8LHD4XWaNH78

Score
10/10
babukdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Babuk family
    babuk
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (219) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-07_fc3ce4e60c8c67dce8f4db295bf588d0_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-07_fc3ce4e60c8c67dce8f4db295bf588d0_babuk_destroyer.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2016
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\How To Restore Your Files.txt
    Filesize

    8KB

    MD5

    2af817219bb1d24a11ab839b9453b5f3

    SHA1

    f9ff9075f9472c41aeb93df2e439fe624dc143b0

    SHA256

    6a16454cad4534d51025f65277abaec0ff4a30082840154a35889445bb3ad0a0

    SHA512

    d443e149d8b097cc64b0bbbf65e3d660de43943a4b36ac4c41bfbdfe814fb895d7ba97128aa1235b85d2292b79afc451fbcb89cc6a56d33ecff7d93e18a15c30

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.