Windows Analysis Report
4.exe

Overview

General Information

Sample name: 4.exe
Analysis ID: 1579345
MD5: c82121875584b5607f9d8a9c5c10889a
SHA1: 4bc0ed52931c44261aa1d40c42d01255427c683b
SHA256: 01d4ced698c9826e5879e235a74bab2b794e85df04b3c693345ef1925a20aeb9

Detection

Babuk
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Babuk Ransomware
AI detected suspicious sample
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Program does not show much activity (idle)

Classification

Name: Babuk
Description: Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an elliptic curve algorithm (Montgomery algorithm) to build the encryption keys.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

AV Detection

Source: 4.exe ReversingLabs: Detection: 83%
Source: 4.exe Virustotal: Detection: 78%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.8% probability
Source: 4.exe Joe Sandbox ML: detected
Source: 4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: 4.exe, 00000000.00000002.1666262820.00007FF656D19000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Do not interrupt the encryption process, don't stop or reboot your machines until the encryption is complete. Otherwise the data may be corrupted.In addition to the encrypted infrastructure, we have downloaded a lot of confidential information from your systems. The publication of these documents may cause the termination of your commercial activities, contracts with your clients and partners, and multiple lawsuits.If you ignore this warning and do not contact us, your sensitive data will be posted on our blog: https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion/In your best interest is to avoid contacting law enforcement and data recovery companies. They can't help you with the recovery, will cause more problems and expenses, and delay the return to normal work significantly.Besides, if you contact the police we will immediately publish your data.We offer the best solution to the problem, to receive our decryption software and prevent disclosure of your sensitive information contact us directly.A quick recovery is very important to keep your business running at full capacity and minimize losses. This is why you need to begin negotiations as soon as possible. By the way, if you don't contact us within 5 days, we will start publishing your data.
Source: 4.exe, 00000000.00000002.1666262820.00007FF656D19000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion/In

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 00000000.00000002.1666262820.00007FF656D19000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4.exe PID: 7328, type: MEMORYSTR
Source: 4.exe, 00000000.00000002.1666262820.00007FF656D19000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: steam.exethebat.exemsftesql.exesqlagent.exesqlbrowser.exesqlwriter.exeoracle.exeocssd.exedbsnmp.exesynctime.exexfssvccon.exesqlservr.exemydesktopservice.exeocautoupds.exeagntsvc.exeencsvc.exefirefoxconfig.exetbirdconfig.exemydesktopqos.exeocomm.exemysqld.exemysqld-nt.exemysqld-opt.exedbeng5o.exesqbcoreservice.exeexcel.exeinfopath.exemsaccess.exemspub.exeonenote.exeoutlook.exepowerpnt.exethunderbird.exevisio.exewinword.exewordpad.exesql.exeagntsvc.exeisqlplussvc.exeencsvc.exefirefox.exedbeng50.exenotepad.exephonesvcveeammemtassqlbackupvsssophossvc$mepocsmsexchangegxvssgxblrgxfwdgxcvdgxcimgrvssadmin delete shadows /all /quietC:\Windows\System32\vssadmin.exeWMIC shadowcopy deleteC:\Windows\System32\wbem\WMIC.exebcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled nobasic_string: construction from null is not valid
Source: classification engine Classification label: mal72.rans.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Users\user\Desktop\4.exe Mutant created: \Sessions\1\BaseNamedObjects\rnxe-b4ou-eplg-zyr5cAcTuS
Source: C:\Users\user\Desktop\4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\4.exe "C:\Users\user\Desktop\4.exe"
Source: C:\Users\user\Desktop\4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\4.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4.exe Section loaded: ntmarta.dll
Source: 4.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 4.exe Static file information: File size 4777351 > 1048576
Source: 4.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x20aa00
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos