babuk | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

max time kernel
102s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Babik_04_01_2021_31KB.exe
Size

30KB
MD5

e10713a4a5f635767dcd54d609bed977
SHA1

320d799beef673a98481757b2ff7e3463ce67916
SHA256

8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9
SHA512

fed1cb7e1798ea0d131a0d4962a2b9f6c700ee3e1c9482c7837be930ce5167196ac7b1e715d9c9a5c171c349f3df3dde1a42db8e439459bc742928f9d19b38a7
SSDEEP

768:S4DnL4DGrUVvP917yo6Xee7amb26ZghLybmGJ87tHvg7jzTzt:SILd639NdCbXZxbytH6

Score

10^/10

babuk credential_access defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\bg-BG\How To Restore Your Files.txt

Family

babuk

Ransom Note

----------- [ Hello! ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to contact us? ---------------------------------------------- Using TOR Browser ( https://www.torproject.org/download/ ): http://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

URLs

http://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Babuk family
babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (2019) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt	Babik_04_01_2021_31KB.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\S:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\J:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\K:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\L:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\Z:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\X:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\W:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\Y:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\U:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\P:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\Q:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\E:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\T:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\O:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\G:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\V:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\B:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\R:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\A:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\H:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\N:	Babik_04_01_2021_31KB.exe
File opened (read-only)	\??\M:	Babik_04_01_2021_31KB.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babik_04_01_2021_31KB.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	StartMenuExperienceHost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2704	vssadmin.exe
2552	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8501"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7534"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7534"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15071"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13007"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14104"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13974"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "14104"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "13007"	SearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe
4616	Babik_04_01_2021_31KB.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2924	vssvc.exe
Token: SeRestorePrivilege	2924	vssvc.exe
Token: SeAuditPrivilege	2924	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3772	StartMenuExperienceHost.exe
416	SearchHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4532	4616	Babik_04_01_2021_31KB.exe	81
PID 4616 wrote to memory of 4532	4616	Babik_04_01_2021_31KB.exe	81
PID 4532 wrote to memory of 2704	4532	cmd.exe	83
PID 4532 wrote to memory of 2704	4532	cmd.exe	83
PID 4616 wrote to memory of 3396	4616	Babik_04_01_2021_31KB.exe	98
PID 4616 wrote to memory of 3396	4616	Babik_04_01_2021_31KB.exe	98
PID 3396 wrote to memory of 2552	3396	cmd.exe	100
PID 3396 wrote to memory of 2552	3396	cmd.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Drops startup file
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
33KB

MD5
37b18c727982b51292fe50263cef286c

SHA1
b6aad9dba9b722420ee7b2f371a3d60970f4dea6

SHA256
6847b69ccab1caa414b29e042c61d3a0d5889de288ada50f23a80a03dd586283

SHA512
b19dffead4c452c497d135b2b6cfc41c8213e7f443b5389136739609fa068985bfea32e180d0d9927c3440042496b9243c7274a9df5c63ffb200d2bfd6660191

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
27KB

MD5
99c29b8fb2ad50134231484258639c20

SHA1
744f3f77019e47b8c0cc8846e4548362f00a9bf5

SHA256
011c662b84b2e28ff77c3c99c258b030dcb2c3fc961e224a24de8334faff5201

SHA512
2bc8050d764f2a27ab74212568fbaf311bed42106f5e9e74fa6a1115d185788e2586ff9a8086991cac83153b177ee00e8938f05f773933730703bcefed2742ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
34KB

MD5
64bd074d2321ef1f405a5535feef341f

SHA1
ddd6325ac685c61e357a6708da1c6dd8fce7640a

SHA256
70ac7c49bad9b008978a35766f713e8fbb0580325f4a1d8631441b3d6fde6ec0

SHA512
c06f429f53a298e3a209d6fbee517abb4be0c9eb18627cae9fdf9d6e5a1fa29d0fe0db1a6405a3060daa346918e306a5538065040c24f6f6be37f227365d5494

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml

Filesize
326B

MD5
afc3d1420eaf44f83c56bc8b4d6cb89c

SHA1
1590d44cb593259d51a24e22f39f7cc3e8f3ee90

SHA256
a4e90c472c1809299c030d87e70d382b2fcafc69881ff40e45d94d7283176652

SHA512
d71bfac32e3a033d722a6c7e91e6f31fafea73866b00e7867913beac4d2046424ba2d264bafcdfe32e80fd6645f1f91efbe43b2d96fc3b6d220ee1e431728b1c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\WRLUCZ87\www.bing[1].xml

Filesize
16KB

MD5
9180d5c4a15ca3b64b91746e6c0d07e5

SHA1
ade3b02b7a875e1f6835e14fcdd3362f529a8e72

SHA256
13c809a087e64fda7f1b0ac4438a6958e91aec6a60e43ae3eafe0221196425b6

SHA512
db54a8c352246fd96d2bd613ec06f0af2f331aa8ac89d8690c76eef8041fe489e74e7ecd18ebc4f6af5a02b157abf575543ddc77478e1302011d888029ea0300

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133873876744605907.txt

Filesize
83KB

MD5
3bc6850a5d6f107f84d2a30ccbd48acf

SHA1
1fa67916ab9432e028dd0f95d289fe62875b492d

SHA256
5c2b30b810722914f9eaa10ea193d46287ba325c618b3fd75ecf158135cec141

SHA512
0d5428f5f482b42a032899b1cff2fa71329a5e16b9ce57140810a37acb7a8e032c3b78339b83bea238da2d62787c4a178b60867d952a013c67f643046a4429d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

Filesize
26KB

MD5
2618eddd95c3d7deb7ba2a27e4907767

SHA1
e170b7eacfea25194db64f5039b6129c2b4e811d

SHA256
4232b956bbae3d49d93d010f1fc4c28593de8554d3424dd347b0a9b4e2981727

SHA512
f95319f21ced5d9101965b71160b20c0ef6caf268a987ab1be00057588c479ed7a79ffa396458edb3b63173866237b491ebfa171d097e493c978458395bb228f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

Filesize
26KB

MD5
4f3b683acb8983283f9ed30c977ca951

SHA1
e20460823dab6b3e296f0277c7fdd441e1f08885

SHA256
0f56a96a3b8b4421c0b306b11fc8423686adf72465c9a8c4fec271302267a1db

SHA512
08ddedd46ec7a6335d02416c3b34052c98d4d654504358d9dd9175ffc362cc288111d82fc7ed7c81c3eb5f37eaeac8feebc19665306a732d3e4950b2a7ed4e97

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

Filesize
23KB

MD5
91e99867496bc76a97d2dec29559f49c

SHA1
3cc4fdfff67ca700137b71a0a26d332785d024b7

SHA256
73d7d024408b052c86da72cc0196f9928314a773877a0465dd91cc09d418f761

SHA512
9cd1eaae9cd87618c38ef17a2c23d36ea6eea45109b568d656b74d221c732f9ecdde2c13d230c3909d0b3bd702d0a69817a09a9b4d1de7ed6ffa6bb2807aaf0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
\Device\HarddiskVolume1\Boot\bg-BG\How To Restore Your Files.txt

Filesize
1KB

MD5
b6e97028103bc6b18214f4b2bd0e0d23

SHA1
4c202c77782d55af635c28fa71b2ba58b294415e

SHA256
db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45

SHA512
214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d

Download Submit
memory/416-1835-0x000001D313E60000-0x000001D313F60000-memory.dmp

Filesize
1024KB

Download
memory/416-1839-0x000001D313E60000-0x000001D313F60000-memory.dmp

Filesize
1024KB

Download
memory/416-1727-0x000001D2FF750000-0x000001D2FF770000-memory.dmp

Filesize
128KB

Download
memory/416-1718-0x000001D2FFCF0000-0x000001D2FFDF0000-memory.dmp

Filesize
1024KB

Download
memory/416-1714-0x000001D2FEB20000-0x000001D2FEB40000-memory.dmp

Filesize
128KB

Download
memory/3772-1534-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1541-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1542-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1543-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1544-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1545-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1546-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1540-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1535-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download
memory/3772-1536-0x000001C119E30000-0x000001C119E31000-memory.dmp

Filesize
4KB

Download