Overview

overview

10

Static

static

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

7

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

9

Ransomware...KB.exe

windows10-ltsc_2021-x64

9

Ransomware...KB.ps1

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.msi

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Resubmissions

31/03/2025, 00:22

250331-apdw1ssjs8 10

28/03/2025, 22:52

250328-2tfd7avl15 10

25/03/2025, 14:57

250325-sb3mbsxxht 10

Analysis

  • max time kernel
    646s
  • max time network
    660s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    31/03/2025, 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RansomwareSamples/Babik_04_01_2021_31KB.exe

  • Size

    30KB

  • MD5

    e10713a4a5f635767dcd54d609bed977

  • SHA1

    320d799beef673a98481757b2ff7e3463ce67916

  • SHA256

    8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9

  • SHA512

    fed1cb7e1798ea0d131a0d4962a2b9f6c700ee3e1c9482c7837be930ce5167196ac7b1e715d9c9a5c171c349f3df3dde1a42db8e439459bc742928f9d19b38a7

  • SSDEEP

    768:S4DnL4DGrUVvP917yo6Xee7amb26ZghLybmGJ87tHvg7jzTzt:SILd639NdCbXZxbytH6

Score
10/10
babukcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\bg-BG\How To Restore Your Files.txt

Family

babuk

Ransom Note
----------- [ Hello! ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to contact us? ---------------------------------------------- Using TOR Browser ( https://www.torproject.org/download/ ): http://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!
URLs

http://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Babuk family
    babuk
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (2120) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5628
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:5536
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1644
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:4432
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      b2119e3441ef48bea7c71fb753df7b31

      SHA1

      4fcee5fc19db54a22772eeef0ba9746b287aa018

      SHA256

      87cce0792e0714cab104bfc0d6e304f18dac1267b4bdeb9fdca4abc8cff9cd61

      SHA512

      b0a2e8458d6c6f9e77de571fdd1446e7d68f3b029aed1230196acb941363cd0f058b4e2e99e79299b65f70217ce120ac4ec1f7b1929085be1fceda6557aee2ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
      Filesize

      11KB

      MD5

      db3aaf7ad7d9a67c309214e7f93600bf

      SHA1

      691a8e45a6797f52f2447632cf1d0d071bf59f7b

      SHA256

      0d154d395d3316b472c17407b77e724e4ed0665113e9694bb70fb380ed427e81

      SHA512

      df59ae978a56a02afd33e1ed94f35436dd4762f47abcfc68e7323c0e4b19d135719751b49d2059d50a005c66e2f4bbaf6dd291bc559580cb0704efff2394f677

      Download Submit

    • \Device\HarddiskVolume1\Boot\bg-BG\How To Restore Your Files.txt
      Filesize

      1KB

      MD5

      b6e97028103bc6b18214f4b2bd0e0d23

      SHA1

      4c202c77782d55af635c28fa71b2ba58b294415e

      SHA256

      db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45

      SHA512

      214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d

      Download Submit