Overview

overview

10

Static

static

3

2025-03-08...er.exe

windows7-x64

10

2025-03-08...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2025, 06:24 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-08_70ca7c78e94ddd86d4239c4ec0703612_babuk_destroyer.exe

  • Size

    79KB

  • MD5

    70ca7c78e94ddd86d4239c4ec0703612

  • SHA1

    106ef85bff0c3c08bae3b58994dbe3aea35ecb40

  • SHA256

    3484be72a837607503dff3d9606edafb2492201c7d4ad6bf5a4b4fe0dcec2385

  • SHA512

    080a4d4ab6769b38a2fcc42dee1a802c8035b4af7846be8f1d62021829c9a4308b1e35a2efe2c977e2b9d40b250621971f6016e4d54907b7a1c232d2dba450bd

  • SSDEEP

    1536:dcIYWBeGXSJbRsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2noJ:vZBeldRsrQLOJgY8Zp8LHD4XWaNH71dk

Score
10/10
babukdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Babuk family
    babuk
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (194) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-08_70ca7c78e94ddd86d4239c4ec0703612_babuk_destroyer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-08_70ca7c78e94ddd86d4239c4ec0703612_babuk_destroyer.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2348
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1496
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PerfLogs\Admin\How To Restore Your Files.txt
    Filesize

    8KB

    MD5

    2af817219bb1d24a11ab839b9453b5f3

    SHA1

    f9ff9075f9472c41aeb93df2e439fe624dc143b0

    SHA256

    6a16454cad4534d51025f65277abaec0ff4a30082840154a35889445bb3ad0a0

    SHA512

    d443e149d8b097cc64b0bbbf65e3d660de43943a4b36ac4c41bfbdfe814fb895d7ba97128aa1235b85d2292b79afc451fbcb89cc6a56d33ecff7d93e18a15c30

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.