General

  • Target

    ransom.exe

  • Size

    115KB

  • Sample

    200220-4btgkjw29e

  • MD5

    75774dda6b6be3f370bff5126830b170

  • SHA1

    a9778da3a940c57b2ea2c3764e73a545884cd715

  • SHA256

    885cbe8d8cd781d68071ff84bb751a26efbf9f8412876b5b676f83c2e14d1cc6

  • SHA512

    3427320c121966dc230b6c84245b9fa224e73ed603d233c09e316191b66d364ac3f7da6fb38955500ea9072b53d5be33749b44fbf0487f9d9f7ee2f3b884b1dc

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!!

All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email: puljaipopre1981@protonmail.com
Reserved email: viomukinam1978@protonmail.com
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

puljaipopre1981@protonmail.com

viomukinam1978@protonmail.com

Targets

    • Target

      ransom.exe

    • Size

      115KB

    • MD5

      75774dda6b6be3f370bff5126830b170

    • SHA1

      a9778da3a940c57b2ea2c3764e73a545884cd715

    • SHA256

      885cbe8d8cd781d68071ff84bb751a26efbf9f8412876b5b676f83c2e14d1cc6

    • SHA512

      3427320c121966dc230b6c84245b9fa224e73ed603d233c09e316191b66d364ac3f7da6fb38955500ea9072b53d5be33749b44fbf0487f9d9f7ee2f3b884b1dc

    Score
    1/10
    • Target

      TrustedInstaller.exe.new

    • Size

      210KB

    • MD5

      98d24623bd39d9fcfa1c2431a9391a07

    • SHA1

      113df2b19ccfa8d8ff8a2a5b72bda05fe517118a

    • SHA256

      b0c1e89ebf16baa03b431b797aece48eeb3da6bb6eabf12fa6a3aefd93f5890e

    • SHA512

      c114fa0bdf4b7694a07a8cbee268f53287f9dbb66d4f29817c581fb86d831be9e351770e9cb4a6d3dc3c36eee1e9594139f638242a7042b33928fae6d3e6ac53

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run entry to start application

    • Discovering connected drives

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Modify Existing Service (T1031): 1

Defense Evasion

  • File Deletion (T1107): 2

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Inhibit System Recovery (T1490): 2

Tasks