General

  • Target

    SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043

  • Size

    437KB

  • Sample

    200827-5bhw2szgs6

  • MD5

    e26982b170856ca8ca96a2f41b2306fb

  • SHA1

    e467f2bc6f01f2a13effaf8f6283d616ccf40e2e

  • SHA256

    8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

  • SHA512

    80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: crioso@protonmail.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: crioso@protonmail.com Reserved email: wiruxa@airmail.cc If you do not receive a response after 1 hours, then resend the message to our backup email: wiruxa@airmail.cc yongloun@tutanota.com anygrishevich@yandex.ru Your personal ID: 195-83A-216 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

crioso@protonmail.com

wiruxa@airmail.cc

Targets

    • Target

      SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043

    • Size

      437KB

    • MD5

      e26982b170856ca8ca96a2f41b2306fb

    • SHA1

      e467f2bc6f01f2a13effaf8f6283d616ccf40e2e

    • SHA256

      8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

    • SHA512

      80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks