General
-
Target
hci0xn0zip
-
Size
3.3MB
-
Sample
201104-cebgax7bdx
-
MD5
d18bf81dbc8acce488abd633d8058cf5
-
SHA1
1d6dcade355b4867e9435961655a9b9caa373528
-
SHA256
4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
-
SHA512
10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f
Static task
static1
Behavioral task
behavioral1
Sample
hci0xn0zip.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
hci0xn0zip.exe
Resource
win10v20201028
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
kassmaster@danwin1210.me
kassmaster@tutanota.com
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
kassmaster@danwin1210.me
kassmaster@tutanota.com
Targets
-
-
Target
hci0xn0zip
-
Size
3.3MB
-
MD5
d18bf81dbc8acce488abd633d8058cf5
-
SHA1
1d6dcade355b4867e9435961655a9b9caa373528
-
SHA256
4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
-
SHA512
10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f
Score10/10-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies service
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Modify Existing Service
1Defense Evasion
File Deletion
2Hidden Files and Directories
2Modify Registry
3Install Root Certificate
1