Overview

overview

10

Static

static

3

Trojan-Ran...1cf.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2025, 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.7z

  • Size

    22KB

  • MD5

    05736fead4f81b48adbb459dbc727d33

  • SHA1

    ffcdcc5113cc6c2199d8522c0b8349bb847d2c5d

  • SHA256

    22fee0b9c0435d8bea8ee63255ab4df89e167d10fad4e06909d5aa0a20c06d3f

  • SHA512

    0e7046c299172e7d01d855fbe2e495992ee8be45a39e047a1128bf3250231a069770819ac0072f4d5bab96dd9d4532b42121f323ec16c1e50b58f07c1281adcb

  • SSDEEP

    384:fu8K6uR9GJQkG12MRuj1qxMwys1iL7+kQer2l8JdhQg6LRpHx+4ZGYDvQVNzF:m8KjyQkGEWjawGL7z3hQtLBZIVN5

Score
10/10
babukdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\How To Restore Your Files.txt

Ransom Note
############## [ babuk ransomware greetings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Data leakage ---------------------------------------------- We have copied some quantity of data from your servers. Check those proofs and estimate the seriousness of consequences which can occur in case you ignore us: http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/104617a28c7b21518d506b079ca9d5221551f89d5d54025a1ec71dd33aacd896/ This link is private and only you can see it. Use tor browser to open link. Ignoring the interaction with us brings you the publishing your data in our public blog http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/ Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/4c43fb6f271eda10ac65ec0dc918f7ec851455acb98c1fe29f3b2feffe53c286 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorythm and you can harm your files by using 3rd party decryption software.
URLs

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/104617a28c7b21518d506b079ca9d5221551f89d5d54025a1ec71dd33aacd896/

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/

http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/4c43fb6f271eda10ac65ec0dc918f7ec851455acb98c1fe29f3b2feffe53c286

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Babuk family
    babuk
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (178) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:116
  • C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe
    "C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:6064
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:5520
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3704
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How To Restore Your Files.txt
    1⤵
      PID:3960
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\How To Restore Your Files.txt
      Filesize

      4KB

      MD5

      655a099a144e6164ba891274ac9aa406

      SHA1

      66c4292b9f1b516ec0869adcd64efeb5c4bd1917

      SHA256

      cfad30c98f7fdd4c40a88994cb4d2f8499d67525ac92031d1f77595164b27b71

      SHA512

      3fc847a23a2fbc3a03607195451a22caf3cd867d4085796d8ddb4e6b490cd303524c22c75d9b9f204b17d62f089692fd8f11d9275a10e15da62ae3bcf2fedecf

      Download Submit

    • C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Babuk.a-2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe
      Filesize

      79KB

      MD5

      f6282c938e0662cf851feee0146d79a4

      SHA1

      9d0c6528565303e5b10a964a2783c77f25b9695b

      SHA256

      2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf

      SHA512

      b99be65ddc6154128992b510aa1b053b56dbad7f91f9102e42a06ada2f3c58f5ac6423483728648c20adce862c6f0e136913c6d0441a47391cedc76194c2936f

      Download Submit

    • memory/3704-248-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-260-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-259-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-258-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-257-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-256-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-255-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-254-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-250-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3704-249-0x00000224E6D90000-0x00000224E6D91000-memory.dmp

      Filesize

      4KB

      Download