General

  • Target

    lsass.exe

  • Size

    214KB

  • Sample

    200709-hypr6l8dse

  • MD5

    7789e69306b9dd1dde3f46e12d068e6c

  • SHA1

    d06c49fe36ba5ae37fd4bc81924a106d8cafa116

  • SHA256

    da75d48c48022aae0f3134dcb66c3a8180003b014cb12b4727dc02a8e1a83b10

  • SHA512

    7e7733b225a729f16932e4423601cea1232002e2ecab8950ba9a8385897ff0a2b5f06c91008c05f1d4e0b0def856bea8b748873bbcd4149503e67d7fcbdacccd

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE STOLEN and ENCRYPTED !!!

All your files, documents, databases and other important files are STOLEN and ENCRYPTED. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send 4 crypt file an email: mvpwesam@protonmail.com and decrypt one random file for free. But this file should be of not valuable!

Do you really want to restore your files? you must transfer 1110 bitcoins to wallet : 125WPKS5eEtrhiRmZPX1MrAzeAG8AmzrG8

Write to email: mvpwesam@protonmail.com

if there is no payment, in 30 DAYS this information will be PUBLIC. Some of the data will be sold on the DarkWeb, and some will be publicly available for cyber crime. After payment this information is guaranteed to be DELETED!

Your personal ID: 582-22C-A06

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

mvpwesam@protonmail.com

Targets

    • Target

      lsass.exe

    • Size

      214KB

    • MD5

      7789e69306b9dd1dde3f46e12d068e6c

    • SHA1

      d06c49fe36ba5ae37fd4bc81924a106d8cafa116

    • SHA256

      da75d48c48022aae0f3134dcb66c3a8180003b014cb12b4727dc02a8e1a83b10

    • SHA512

      7e7733b225a729f16932e4423601cea1232002e2ecab8950ba9a8385897ff0a2b5f06c91008c05f1d4e0b0def856bea8b748873bbcd4149503e67d7fcbdacccd

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run entry to start application

    • Enumerates connected drives

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                             ID     Count
Persistence      Registry Run Keys / Startup Folder    T1060  1
Persistence      Modify Existing Service               T1031  1
Defense Evasion  File Deletion                         T1107  2
Defense Evasion  Modify Registry                       T1112  2
Discovery        Query Registry                        T1012  1
Discovery        Peripheral Device Discovery           T1120  1
Discovery        System Information Discovery          T1082  1
Impact           Inhibit System Recovery               T1490  2

Tasks