Overview

overview

10

Static

static

8

Delivery-77426522.doc

windows7_x64

10

Delivery-77426522.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Delivery-77426522.doc

  • Size

    118KB

  • Sample

    201104-d43dfayxys

  • MD5

    29584bef6e963b191cb0a900a75585db

  • SHA1

    3c298a6f35cfdf61fc271a8cad59ea84b827335f

  • SHA256

    0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686

  • SHA512

    c4084c658ade731ee3dae206b75ec47cb488c21b95963375a9ad8b016585b5f046c1e635fc65c57f271d99f6a0b0804998056e386c774775b5259a0f00ae8350

Score
10/10
buranevasionmacropersistenceransomwareupx

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://vidrioindustrial.com/
exe.dropper

http://forcecareer.com/
exe.dropper

http://onw.kx1.in/
exe.dropper

http://hos365llc.com/
exe.dropper

http://testwebsite.taxauctioninvestors.com/
exe.dropper

http://shradhajewellers.com/
exe.dropper

https://educationmillion.com/
exe.dropper

http://geozone.at/

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kassmaster@danwin1210.me and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kassmaster@danwin1210.me Reserved email: kassmaster@tutanota.com Your personal ID: 7E7-686-D4D Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

kassmaster@danwin1210.me

kassmaster@tutanota.com

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kassmaster@danwin1210.me and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kassmaster@danwin1210.me Reserved email: kassmaster@tutanota.com Your personal ID: 2BE-C57-121 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

kassmaster@danwin1210.me

kassmaster@tutanota.com

Targets

    • Target

      Delivery-77426522.doc

    • Size

      118KB

    • MD5

      29584bef6e963b191cb0a900a75585db

    • SHA1

      3c298a6f35cfdf61fc271a8cad59ea84b827335f

    • SHA256

      0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686

    • SHA512

      c4084c658ade731ee3dae206b75ec47cb488c21b95963375a9ad8b016585b5f046c1e635fc65c57f271d99f6a0b0804998056e386c774775b5259a0f00ae8350

    Score
    10/10
    buranevasionpersistenceransomwareupx

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

      ransomwareburan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Hidden Files and Directories

2
T1158

Modify Registry

4
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks