General

  • Target

    66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin

  • Size

    256KB

  • Sample

    201106-2cl6klxjw6

  • MD5

    ada523db2c2418fa37398c41b370c125

  • SHA1

    7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7

  • SHA256

    66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

  • SHA512

    849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

Malware Config

Extracted

  • Path

    C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

  • Family

    buran

  • Ransom Note

    !!! ALL YOUR FILES ARE ENCRYPTED !!!
    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.
    To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free.
    But this file should be of not valuable!
    Do you really want to restore your files?
    Write to email: uspex1@cock.li
    Reserved email: uspex2@cock.li
    Your personal ID: EFA-3F4-E9A
    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

  • Emails

    uspex1@cock.li

    uspex2@cock.li

Targets

    • Target

      66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin

    • Size

      256KB

    • MD5

      ada523db2c2418fa37398c41b370c125

    • SHA1

      7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7

    • SHA256

      66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af

    • SHA512

      849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • ServiceHost packer

      Detects the ServiceHost packer used for .NET malware.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • T1060 Registry Run Keys / Startup Folder (1)

  • T1031 Modify Existing Service (1)

Defense Evasion

  • T1107 File Deletion (2)

  • T1112 Modify Registry (3)

  • T1130 Install Root Certificate (1)

Discovery

  • T1012 Query Registry (1)

  • T1120 Peripheral Device Discovery (1)

  • T1082 System Information Discovery (1)

Command and Control

  • T1102 Web Service (1)

Impact

  • T1490 Inhibit System Recovery (2)