General
Target: Delivery-77426522.doc
Size: 118KB
Sample: 201104-d43dfayxys
MD5: 29584bef6e963b191cb0a900a75585db
SHA1: 3c298a6f35cfdf61fc271a8cad59ea84b827335f
SHA256: 0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686
SHA512: c4084c658ade731ee3dae206b75ec47cb488c21b95963375a9ad8b016585b5f046c1e635fc65c57f271d99f6a0b0804998056e386c774775b5259a0f00ae8350
Static task: static1
Behavioral task: behavioral1 (sample: Delivery-77426522.doc; resource: win7v20201028)
Behavioral task: behavioral2 (sample: Delivery-77426522.doc; resource: win10v20201028)
Malware Config
Extracted
Extracted (ransom note)
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Contact: kassmaster@danwin1210.me
Contact: kassmaster@tutanota.com
Targets
Target: Delivery-77426522.doc (118KB; hashes as listed under General above)
Score: 10/10
Signatures
- Buran: Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Modifies service
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence: Hidden Files and Directories (2), Registry Run Keys / Startup Folder (1), Modify Existing Service (1)
Defense Evasion: File Deletion (2), Hidden Files and Directories (2), Modify Registry (4), Install Root Certificate (1)