General

  • Target: Aksip.bin
  • Size: 344KB
  • Sample: 200728-nzvd3g7j66
  • MD5: 61506482ddd28756e443b3de05a3b1cf
  • SHA1: 8d7effb5a456289d13f725486a30bed727a01be0
  • SHA256: 15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50
  • SHA512: 18a7178209e6e9edd15e22c97ad15b049370fe457fcec815fe702d75514014460f80326e3a4ae6ca496582467c57398cdb250bf826b76e62bf2c56e1f38efe46

Malware Config

Extracted

  • Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  • Family: buran
  • Ransom Note:

    !!! ALL YOUR FILES ARE ENCRYPTED !!!
    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.
    To be sure we have the decryptor and it works you can send an email: msupport2019@protonmail.com and decrypt one file for free.
    But this file should be of not valuable!
    Do you really want to restore your files?
    Write to email: msupport2019@protonmail.com
    Reserved email: msupport@elude.in
    Your personal ID: 1A4-8A1-A5A
    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

  • Emails:
    msupport2019@protonmail.com
    msupport@elude.in

Targets

    • Target: Aksip.bin

    • Buran: Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
    • Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
    • Executes dropped EXE
    • Deletes itself
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               | Technique                           | ID    | Count
---------------------|-------------------------------------|-------|------
Persistence          | Registry Run Keys / Startup Folder  | T1060 | 1
Persistence          | Modify Existing Service             | T1031 | 1
Defense Evasion      | File Deletion                       | T1107 | 2
Defense Evasion      | Modify Registry                     | T1112 | 3
Defense Evasion      | Install Root Certificate            | T1130 | 1
Discovery            | Query Registry                      | T1012 | 1
Discovery            | Peripheral Device Discovery         | T1120 | 1
Discovery            | System Information Discovery        | T1082 | 1
Command and Control  | Web Service                         | T1102 | 1
Impact               | Inhibit System Recovery             | T1490 | 2

Tasks