Analysis
-
max time kernel
91s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2025, 08:58
Static task
static1
Behavioral task
behavioral1
Sample
2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe
Resource
win10v2004-20250217-en
General
-
Target
2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe
-
Size
79KB
-
MD5
d0fe83c7d3f84d90f71ba3a682cc75f9
-
SHA1
e6d1422a7691287f041505a3f68a87014137800a
-
SHA256
db2625edd1448fc3abe3edd4d9606d211e61c83ebae8ff205d1f29aa331ab9f3
-
SHA512
a38301e1fbe67cbee0d8395a55df8c488ab37c0c0ed1619b199c284d56310b776ed5cf921d7aa22c9bd7006ac4c1288c9281551ed8a66a9b3e3695261157e13a
-
SSDEEP
1536:b5kaWBeGrVZbzsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nwd:b8BeuNzsrQLOJgY8Zp8LHD4XWaNH71d8
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Babuk family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (179) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\M: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\Q: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\E: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\K: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\B: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\W: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\R: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\T: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\P: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\A: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\S: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\H: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\L: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\Y: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\U: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\I: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\O: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\G: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\Z: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\X: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\V: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe File opened (read-only) \??\J: 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3084 vssadmin.exe 2100 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1012 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe 1012 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 4200 vssvc.exe Token: SeRestorePrivilege 4200 vssvc.exe Token: SeAuditPrivilege 4200 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1012 wrote to memory of 1532 1012 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe 86 PID 1012 wrote to memory of 1532 1012 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe 86 PID 1532 wrote to memory of 3084 1532 cmd.exe 90 PID 1532 wrote to memory of 3084 1532 cmd.exe 90 PID 1012 wrote to memory of 2260 1012 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe 92 PID 1012 wrote to memory of 2260 1012 2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe 92 PID 2260 wrote to memory of 2100 2260 cmd.exe 95 PID 2260 wrote to memory of 2100 2260 cmd.exe 95 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-08_d0fe83c7d3f84d90f71ba3a682cc75f9_babuk_destroyer.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2100
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD52af817219bb1d24a11ab839b9453b5f3
SHA1f9ff9075f9472c41aeb93df2e439fe624dc143b0
SHA2566a16454cad4534d51025f65277abaec0ff4a30082840154a35889445bb3ad0a0
SHA512d443e149d8b097cc64b0bbbf65e3d660de43943a4b36ac4c41bfbdfe814fb895d7ba97128aa1235b85d2292b79afc451fbcb89cc6a56d33ecff7d93e18a15c30