General

  • Target

    eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5.bin

  • Size

    212KB

  • Sample

    201106-43ex7ajtxj

  • MD5

    da997e4d9f1fa7f863aabc3f0dc32216

  • SHA1

    b5e04a9003c57598ed64afa4fef7ac16c09a43a4

  • SHA256

    eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

  • SHA512

    40d01957a62a9de6897416e1cd2dd65bc1725c23167c6f31681ff43f069361a023ea3cb4ced19c079bff8f7fbe233ee81d8d1d024f035cd26611fe60827c19e7

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: zeppelinz@airmail.cc and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email: zeppelinz@airmail.cc
Reserved email: zeppelinz@firemail.cc
Your personal ID: 3D3-89A-3E1
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

zeppelinz@airmail.cc

zeppelinz@firemail.cc

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: zeppelinz@airmail.cc and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email: zeppelinz@airmail.cc
Reserved email: zeppelinz@firemail.cc
Your personal ID: 4ED-A30-301
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

zeppelinz@airmail.cc

zeppelinz@firemail.cc
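The two Extracted blocks above show what a config extractor pulls out of the dropped note: the contact addresses and the per-victim ID. The Python below is an added example, not the sandbox's own extractor, that parses a Buran note into those fields. The two note texts are copied from this report (the only difference between them is the personal ID); the field names (victim_id, reserved_email) and the marker string used to recognise the note are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Note texts copied from the report above (constructed input for the example).
NOTE_A = ("!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases "
          "and other important files are encrypted. You are not able to decrypt it by yourself! "
          "The only method of recovering files is to purchase an unique private key. Only we can "
          "give you this key and only we can recover your files. To be sure we have the decryptor "
          "and it works you can send an email: zeppelinz@airmail.cc and decrypt one file for free. "
          "But this file should be of not valuable! Do you really want to restore your files? "
          "Write to email: zeppelinz@airmail.cc Reserved email: zeppelinz@firemail.cc "
          "Your personal ID: 3D3-89A-3E1 Attention! * Do not rename encrypted files. "
          "* Do not try to decrypt your data using third party software, it may cause permanent "
          "data loss. * Decryption of your files with the help of third parties may cause increased "
          "price (they add their fee to our) or you can become a victim of a scam.")
NOTE_B = NOTE_A.replace("3D3-89A-3E1", "4ED-A30-301")

# First line of the note; used to decide whether a text is a Buran note at all.
NOTE_MARKER = "!!! ALL YOUR FILES ARE ENCRYPTED !!!"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Victim ID as seen in this family's notes: three dash-separated groups of three hex digits.
VICTIM_ID_RE = re.compile(r"personal ID:\s*([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})")
RESERVED_RE = re.compile(r"Reserved email:\s*(\S+@\S+)")


@dataclass
class NoteConfig:
    family: str
    victim_id: Optional[str]
    emails: List[str]           # every address in the note, first occurrence first
    reserved_email: Optional[str]


def extract(note: str) -> Optional[NoteConfig]:
    """Return the config carried by a Buran note, or None if the text is not one."""
    if NOTE_MARKER not in note:
        return None
    emails: List[str] = []
    for addr in EMAIL_RE.findall(note):
        addr = addr.lower()
        if addr not in emails:          # de-duplicate, keep order of appearance
            emails.append(addr)
    m_id = VICTIM_ID_RE.search(note)
    m_res = RESERVED_RE.search(note)
    return NoteConfig(
        family="buran",
        victim_id=m_id.group(1).upper() if m_id else None,
        emails=emails,
        reserved_email=m_res.group(1).lower() if m_res else None,
    )


def extract_all(notes: List[str]) -> List[NoteConfig]:
    """Parse several dropped notes (e.g. from several runs) and skip non-matching text."""
    return [cfg for cfg in (extract(n) for n in notes) if cfg is not None]


if __name__ == "__main__":
    for cfg in extract_all([NOTE_A, NOTE_B, "unrelated file contents"]):
        print(cfg)
```

The marker check matters in practice: the same regexes would happily pull addresses out of any text file, so a sandbox's extractor should only emit a config for files that look like this family's note.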

Targets

    • Target

      eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5.bin

    • Size

      212KB

    • MD5

      da997e4d9f1fa7f863aabc3f0dc32216

    • SHA1

      b5e04a9003c57598ed64afa4fef7ac16c09a43a4

    • SHA256

      eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

    • SHA512

      40d01957a62a9de6897416e1cd2dd65bc1725c23167c6f31681ff43f069361a023ea3cb4ced19c079bff8f7fbe233ee81d8d1d024f035cd26611fe60827c19e7

    • Buran

      Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies so that encrypted files cannot be restored from local snapshots.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies service
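The signatures above are behaviour classes, not the sample's exact commands: the report does not show which command line deleted the shadow copies, which Run value was written, or which IP lookup service was contacted. The Python below is an added example, not part of the sandbox or of this report, of detection logic for four of those classes run over Sysmon-style events. The event lines are constructed for the example (the shadow-copy command is the textbook vssadmin form for T1490, the lookup domains are a generic allow-list, and the process paths are placeholders); the only value taken from the report is the ransom note file name. Events are attributed to the parent process for process-create events and to the acting process otherwise, so that a spawned vssadmin.exe counts against the program that launched it.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style events, one per line: "EventID|field=value|field=value".
# Event IDs follow Sysmon: 1 process create, 11 file create, 13 registry value set, 22 DNS query.
EVENTS = [
    "1|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet"
    "|ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe",
    "13|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"
    "|Details=C:\\Users\\victim\\AppData\\Roaming\\svchost.exe",
    "22|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe|QueryName=api.ipify.org",
    "11|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe"
    "|TargetFilename=C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    "1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe readme.txt"
    "|ParentImage=C:\\Windows\\explorer.exe",
]

RANSOM_NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"   # from the report's config path
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com", "icanhazip.com"}  # generic list (assumption)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def parse_event(line: str) -> Event:
    """Parse 'EventID|k=v|k=v' into a dict; the ID is stored under 'EventID'."""
    event_id, *fields = line.split("|")
    ev: Event = {"EventID": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def shadow_copy_deletion(ev: Event) -> bool:
    cl = ev.get("CommandLine", "").lower()
    return ev["EventID"] == "1" and (
        ("vssadmin" in cl and "delete" in cl and "shadows" in cl)
        or ("wmic" in cl and "shadowcopy" in cl and "delete" in cl)
    )


def run_key_persistence(ev: Event) -> bool:
    return ev["EventID"] == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None


def ransom_note_drop(ev: Event) -> bool:
    return ev["EventID"] == "11" and ev.get("TargetFilename", "").upper().endswith(RANSOM_NOTE_NAME)


def external_ip_lookup(ev: Event) -> bool:
    return ev["EventID"] == "22" and ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS


# (signature name as in the report, ATT&CK v6 ID from the report's matrix or None, predicate)
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Deletes shadow copies", "T1490", shadow_copy_deletion),
    ("Adds Run key to start application", "T1060", run_key_persistence),
    ("Drops Buran ransom note", None, ransom_note_drop),
    ("Looks up external IP address via web service", "T1102", external_ip_lookup),
]


def actor(ev: Event) -> str:
    """Process to blame: the parent for process-create events, the acting image otherwise."""
    return ev.get("ParentImage", "") if ev["EventID"] == "1" else ev.get("Image", "")


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (actor image, rule name, technique) for every rule that fires on an event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, technique, predicate in RULES:
            if predicate(ev):
                hits.append((actor(ev), name, technique))
    return hits


def flag_actors(lines: List[str], min_rules: int = 2) -> Set[str]:
    """Images that trip at least min_rules distinct rules; a single hit alone is not enough."""
    per_actor: Dict[str, Set[str]] = {}
    for image, name, _ in detect(lines):
        per_actor.setdefault(image, set()).add(name)
    return {image for image, names in per_actor.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
    print("flagged:", flag_actors(EVENTS))
```

Requiring two distinct behaviours before flagging a process keeps a lone vssadmin call by a backup agent, or a lone IP lookup by a legitimate updater, from paging anyone; the combination is what characterises the report's signature set.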

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                            Hits  ID
Persistence          Registry Run Keys / Startup Folder   1     T1060
Persistence          Modify Existing Service              1     T1031
Defense Evasion      File Deletion                        2     T1107
Defense Evasion      Modify Registry                      3     T1112
Defense Evasion      Install Root Certificate             1     T1130
Discovery            Query Registry                       1     T1012
Discovery            Peripheral Device Discovery          1     T1120
Discovery            System Information Discovery         1     T1082
Command and Control  Web Service                          1     T1102
Impact               Inhibit System Recovery              2     T1490

Tasks