buran | 885cbe8d8cd781d68071ff84bb751a26efbf9f8412876b5b676f83c2e14d1cc6

General

Target

TrustedInstaller.exe.new.exe
Size

210KB
MD5

98d24623bd39d9fcfa1c2431a9391a07
SHA1

113df2b19ccfa8d8ff8a2a5b72bda05fe517118a
SHA256

b0c1e89ebf16baa03b431b797aece48eeb3da6bb6eabf12fa6a3aefd93f5890e
SHA512

c114fa0bdf4b7694a07a8cbee268f53287f9dbb66d4f29817c581fb86d831be9e351770e9cb4a6d3dc3c36eee1e9594139f638242a7042b33928fae6d3e6ac53

Score

10^/10

ransomware persistence buran

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: puljaipopre1981@protonmail.com Reserved email: viomukinam1978@protonmail.com Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

puljaipopre1981@protonmail.com

viomukinam1978@protonmail.com

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1540 vssadmin.exe

pid	process
1540	vssadmin.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TrustedInstaller.exe.new.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run	TrustedInstaller.exe.new.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	TrustedInstaller.exe.new.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1896 notepad.exe

pid	process
1896	notepad.exe

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exeTrustedInstaller.exe.new.exe

description	ioc	process
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\C:	TrustedInstaller.exe.new.exe
File opened (read-only)	\??\F:	taskeng.exe

Drops file in Program Files directory 23588 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml => C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\Document Themes 14\Opulent.thmx => C:\Program Files\Microsoft Office\Document Themes 14\Opulent.thmx.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar => C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00403_.WMF => C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00403_.WMF.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG => C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe => C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02227_.WMF.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\Document Themes 14\Origin.thmx => C:\Program Files\Microsoft Office\Document Themes 14\Origin.thmx.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0305493.WMF.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica => C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml => C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml => C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar => C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\ACCTBOX.POC	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml => C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0199303.WMF.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.DPV => C:\Program Files\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.DPV.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml => C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TAIL.WMF => C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TAIL.WMF.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\CONVERT\OLADD.FAE.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js => C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga => C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.192-9D1-41C	taskeng.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF => C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD19827_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF.192-9D1-41C	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\.zeppelin	taskeng.exe
File renamed	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo => C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javafx.properties	taskeng.exe
File renamed	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse => C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14832_.GIF.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif.192-9D1-41C	taskeng.exe
File deleted	C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\.zeppelin	taskeng.exe
File created	C:\Program Files\Microsoft Office\Templates\1033\.zeppelin	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar => C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF.192-9D1-41C	taskeng.exe
File renamed	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP => C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP.192-9D1-41C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml.192-9D1-41C	taskeng.exe

Loads dropped DLL 9 IoCs

Processes:

TrustedInstaller.exe.new.exetaskeng.exetaskeng.exe

pid	process
1836	TrustedInstaller.exe.new.exe
1836	TrustedInstaller.exe.new.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1924	taskeng.exe
1924	taskeng.exe
1924	taskeng.exe

Suspicious use of WriteProcessMemory 104 IoCs

Processes:

TrustedInstaller.exe.new.exetaskeng.exe

description	pid	process	target process
PID 1836 wrote to memory of 1860	1836	TrustedInstaller.exe.new.exe	taskeng.exe
PID 1836 wrote to memory of 1860	1836	TrustedInstaller.exe.new.exe	taskeng.exe
PID 1836 wrote to memory of 1860	1836	TrustedInstaller.exe.new.exe	taskeng.exe
PID 1836 wrote to memory of 1860	1836	TrustedInstaller.exe.new.exe	taskeng.exe
PID 1836 wrote to memory of 1860	1836	TrustedInstaller.exe.new.exe	taskeng.exe
PID 1836 wrote to memory of 1860	1836	TrustedInstaller.exe.new.exe	taskeng.exe
PID 1836 wrote to memory of 1860	1836	TrustedInstaller.exe.new.exe	taskeng.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1836 wrote to memory of 1896	1836	TrustedInstaller.exe.new.exe	notepad.exe
PID 1860 wrote to memory of 1924	1860	taskeng.exe	taskeng.exe
PID 1860 wrote to memory of 1924	1860	taskeng.exe	taskeng.exe
PID 1860 wrote to memory of 1924	1860	taskeng.exe	taskeng.exe
PID 1860 wrote to memory of 1924	1860	taskeng.exe	taskeng.exe
PID 1860 wrote to memory of 1924	1860	taskeng.exe	taskeng.exe
PID 1860 wrote to memory of 1924	1860	taskeng.exe	taskeng.exe
PID 1860 wrote to memory of 1924	1860	taskeng.exe	taskeng.exe
PID 1860 wrote to memory of 1952	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1952	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1952	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1952	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1952	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1952	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1952	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1976	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1976	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1976	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1976	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1976	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1976	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1976	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2000	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2000	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2000	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2000	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2000	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2000	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2000	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2024	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2024	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2024	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2024	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2024	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2024	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 2024	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1012	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1012	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1012	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1012	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1012	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1012	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 1012	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 848	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 848	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 848	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 848	1860	taskeng.exe	cmd.exe
PID 1860 wrote to memory of 848	1860	taskeng.exe	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid process

1860 taskeng.exe
1924 taskeng.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

TrustedInstaller.exe.new.exetaskeng.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1836	TrustedInstaller.exe.new.exe
Token: SeDebugPrivilege	1836	TrustedInstaller.exe.new.exe
Token: SeRestorePrivilege	1836	TrustedInstaller.exe.new.exe
Token: SeBackupPrivilege	1836	TrustedInstaller.exe.new.exe
Token: SeDebugPrivilege	1860	taskeng.exe
Token: SeIncreaseQuotaPrivilege	1372	WMIC.exe
Token: SeSecurityPrivilege	1372	WMIC.exe
Token: SeTakeOwnershipPrivilege	1372	WMIC.exe
Token: SeLoadDriverPrivilege	1372	WMIC.exe
Token: SeSystemProfilePrivilege	1372	WMIC.exe
Token: SeSystemtimePrivilege	1372	WMIC.exe
Token: SeProfSingleProcessPrivilege	1372	WMIC.exe
Token: SeIncBasePriorityPrivilege	1372	WMIC.exe
Token: SeCreatePagefilePrivilege	1372	WMIC.exe
Token: SeBackupPrivilege	1372	WMIC.exe
Token: SeRestorePrivilege	1372	WMIC.exe
Token: SeShutdownPrivilege	1372	WMIC.exe
Token: SeDebugPrivilege	1372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1372	WMIC.exe
Token: SeRemoteShutdownPrivilege	1372	WMIC.exe
Token: SeUndockPrivilege	1372	WMIC.exe
Token: SeManageVolumePrivilege	1372	WMIC.exe
Token: 33	1372	WMIC.exe
Token: 34	1372	WMIC.exe
Token: 35	1372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1372	WMIC.exe
Token: SeSecurityPrivilege	1372	WMIC.exe
Token: SeTakeOwnershipPrivilege	1372	WMIC.exe
Token: SeLoadDriverPrivilege	1372	WMIC.exe
Token: SeSystemProfilePrivilege	1372	WMIC.exe
Token: SeSystemtimePrivilege	1372	WMIC.exe
Token: SeProfSingleProcessPrivilege	1372	WMIC.exe
Token: SeIncBasePriorityPrivilege	1372	WMIC.exe
Token: SeCreatePagefilePrivilege	1372	WMIC.exe
Token: SeBackupPrivilege	1372	WMIC.exe
Token: SeRestorePrivilege	1372	WMIC.exe
Token: SeShutdownPrivilege	1372	WMIC.exe
Token: SeDebugPrivilege	1372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1372	WMIC.exe
Token: SeRemoteShutdownPrivilege	1372	WMIC.exe
Token: SeUndockPrivilege	1372	WMIC.exe
Token: SeManageVolumePrivilege	1372	WMIC.exe
Token: 33	1372	WMIC.exe
Token: 34	1372	WMIC.exe
Token: 35	1372	WMIC.exe
Token: SeBackupPrivilege	336	vssvc.exe
Token: SeRestorePrivilege	336	vssvc.exe
Token: SeAuditPrivilege	336	vssvc.exe
Token: SeDebugPrivilege	1860	taskeng.exe
Token: SeDebugPrivilege	1860	taskeng.exe
Token: SeRestorePrivilege	1860	taskeng.exe
Token: SeBackupPrivilege	1860	taskeng.exe

Suspicious behavior: EnumeratesProcesses 3366 IoCs

Processes:

taskeng.exe

pid	process
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe
1860	taskeng.exe

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe
"C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe"
1⤵
- Adds Run entry to start application
- Discovering connected drives
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Discovering connected drives
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
PID:1236

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:1400

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1540

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:968

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
C:\Users\Admin\Desktop\AddGroup.xsl.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\CheckpointRestore.vssm.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\ConnectWait.pptx.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\ConvertFromTrace.scf.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\EditExpand.3gp2.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\EditOut.au.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\ExpandDeny.wvx.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\FindRemove.rtf.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\GroupStop.ADTS.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\InitializeSplit.emf.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\InstallRename.xlsx.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\MountSync.avi.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\NewStop.cab.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\OutUninstall.pptm.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\ReceiveUnprotect.xlsm.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\RedoTrace.midi.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\RemoveConvertTo.MTS.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\RemoveUnpublish.pdf.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\RestartDismount.jpeg.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\RestoreExit.sql.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\SaveMerge.DVR.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\SyncCheckpoint.mpeg3.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\TestGroup.zip.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\TraceRename.cfg.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\UnlockRedo.wmf.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\UnregisterPop.mov.192-9D1-41C

Download Submit
C:\Users\Admin\Desktop\WaitClose.cab.192-9D1-41C

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads