Analysis

  • max time kernel
    150s
  • max time network
    107s
  • platform
    windows10_x64
  • resource
    win10v200217
  • submitted
    20-02-2020 12:54

General

  • Target

    TrustedInstaller.exe.new.exe

  • Size

    210KB

  • MD5

    98d24623bd39d9fcfa1c2431a9391a07

  • SHA1

    113df2b19ccfa8d8ff8a2a5b72bda05fe517118a

  • SHA256

    b0c1e89ebf16baa03b431b797aece48eeb3da6bb6eabf12fa6a3aefd93f5890e

  • SHA512

    c114fa0bdf4b7694a07a8cbee268f53287f9dbb66d4f29817c581fb86d831be9e351770e9cb4a6d3dc3c36eee1e9594139f638242a7042b33928fae6d3e6ac53

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!!

All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email: puljaipopre1981@protonmail.com
Reserved email: viomukinam1978@protonmail.com
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

puljaipopre1981@protonmail.com

viomukinam1978@protonmail.com

Signatures

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Deletes itself 1 IoCs
  • Discovering connected drives 3 TTPs 5 IoCs
  • Drops file in Program Files directory 26424 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of WriteProcessMemory 42 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8144 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

  • Adds Run entry to start application 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe
    "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Discovering connected drives
    • Suspicious use of WriteProcessMemory
    • Adds Run entry to start application
    PID:1592
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Discovering connected drives
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3940
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        PID:4024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        PID:3100
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:3080
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
        3⤵
        PID:3876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
        3⤵
        PID:3920
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
        3⤵
        PID:3844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3716
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2028
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      2⤵
      • Deletes itself
      PID:3576
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:3972
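The signatures above ("Deletes shadow copies", "Interacts with shadow copies") and the process tree show the two behaviours a detection engineer would most want to alert on from this report: the run of recovery-inhibition commands (bcdedit, wbadmin, wmic, vssadmin) and a dropped binary named lsass.exe executing from %APPDATA%. The following is an added example of that detection logic run over process-creation events; it is not part of the sandbox report or of any Triage tooling. The log format (one event per line: PID, image path and command line separated by tabs) and the sample events are constructed here to mirror the tree, and the rule names and the T1036 (Masquerading) label on the lsass.exe rule are this example's own additions, not something the report's ATT&CK matrix lists.

```python
"""Detection logic for the recovery-inhibition and masquerading behaviour in
the process tree above. Added example, not part of the sandbox report. The
log format (PID, image path, command line separated by tabs) and the sample
events are constructed; real telemetry would come from Sysmon Event ID 1 or
Security Event ID 4688, where the same three fields are available."""
import re
from dataclasses import dataclass

# Command-line patterns, each mapped to the ATT&CK technique the report lists
# for this behaviour (T1490, Inhibit System Recovery). The executable suffix is
# optional so a rule matches both the cmd.exe /C wrapper and the child process.
RULES = [
    ("vssadmin shadow copy deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadow copy deletion", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin catalog/backup deletion", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|backup|systemstatebackup)\b", re.I)),
    ("bcdedit recovery disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Directories where the genuine lsass.exe lives; anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Hit:
    pid: int
    rule: str
    technique: str
    image: str


def masquerading_lsass(image: str) -> bool:
    """True for a process named lsass.exe outside the Windows system
    directories, as with the dropped copy under %APPDATA% in the report."""
    low = image.lower()
    return low.endswith("\\lsass.exe") and not low.startswith(SYSTEM_DIRS)


def scan(lines):
    """Return one Hit per rule that matches a process-creation event."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        pid, image, cmdline = line.rstrip("\n").split("\t", 2)
        for name, technique, rx in RULES:
            if rx.search(cmdline):
                hits.append(Hit(int(pid), name, technique, image))
        if masquerading_lsass(image):
            # T1036 (Masquerading) is the ATT&CK ID for this behaviour; the
            # report's own matrix does not list it, it is labelled here.
            hits.append(Hit(int(pid), "lsass.exe outside System32", "T1036", image))
    return hits


# Constructed events mirroring the report's process tree, plus one genuine
# lsass.exe so the masquerading rule has a negative case.
SAMPLE_EVENTS = [
    (1592, r"C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe.new.exe"'),
    (3940, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start'),
    (2028, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (3100, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    (3080, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (3844, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /C wbadmin delete backup'),
    (4048, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (2028, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (3576, r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe"),
    (4100, r"C:\Windows\System32\lsass.exe", r"C:\Windows\system32\lsass.exe"),
]
SAMPLE_LOG = "\n".join("\t".join((str(p), img, cmd)) for p, img, cmd in SAMPLE_EVENTS)


def scan_sample():
    """Run the rules over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in scan_sample():
        print(f"PID {h.pid:<5} {h.technique}  {h.rule}  ({h.image})")
```

On the sample log this yields six T1490 hits (both bcdedit variants, two wbadmin deletions, the WMIC child and the vssadmin child) and one masquerading hit for PID 3940; the dropper, notepad.exe and the genuine System32 lsass.exe produce nothing. Matching on the command line rather than the process name is deliberate: in the tree each deletion appears twice, once as the `cmd.exe /C ...` wrapper and once as the child, and a rule keyed only on the child image would miss a variant that runs the command through a different interpreter.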

Network

MITRE ATT&CK Matrix ATT&CK v6

Tactic / technique (number of matched signatures) / technique ID:

  Persistence
    • Modify Existing Service (1) T1031
    • Registry Run Keys / Startup Folder (1) T1060

  Defense Evasion
    • Modify Registry (2) T1112
    • File Deletion (2) T1107

  Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (1) T1082

  Impact
    • Inhibit System Recovery (2) T1490


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe