Overview

overview

10

Static

static

TrustedInstaller.exe

windows7_x64

10

TrustedInstaller.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-12-2020 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TrustedInstaller.exe

  • Size

    449KB

  • MD5

    574f031251f67bcc6ea9168364d2fbfd

  • SHA1

    f5d6140140829eaa550d2ef57b3ca8281b3d79bb

  • SHA256

    438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

  • SHA512

    d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: yongloun@tutanota.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: wiruxa@airmail.cc Reserved email: anygrishevich@yandex.ru Your personal ID: 186-14C-97B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

wiruxa@airmail.cc

anygrishevich@yandex.ru

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 24137 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 7548 IoCs
  • Suspicious use of AdjustPrivilegeToken 89 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\TrustedInstaller.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4600
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
          PID:1372
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:4044
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4088
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:3644
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:4484
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
          3⤵
            PID:1584
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
            3⤵
              PID:1392
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            2⤵
            • Deletes itself
            PID:3084
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2152

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        File Deletion

        2
        T1107

        Modify Registry

        2
        T1112

        Install Root Certificate

        1
        T1130

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Inhibit System Recovery

        2
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
          MD5

          85934f14cc9248f76c58dc21180b4f15

          SHA1

          5ae41d9bea1cd413260de621f2302febd1e00323

          SHA256

          0d0b47c2e46b455f2d5b2bc0893585790da8a86e36f4a45311bf0a579a5efe58

          SHA512

          8496972fcf149a5df72b1a9aef3865c27fe0b9cba9e3af03b0a562c8b64a89d8834a3c18008d1610fab0741decadfdb1c14f9c1b9d1307bbb23a0b6a148b5e88

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
          MD5

          4bddfe3851f7aa064be1b88af5e4516d

          SHA1

          2619398420a8e45f8f68c7c02ff2fd8c5ae3f18a

          SHA256

          1427416bef65c2419a8fc224206c5131d6d7b391bc74faae87859640ce0fc3dc

          SHA512

          1874f93cc946fe5a1f1852f0bb740247cb8835993d7cd217e1347af794b6f606c9ad9c1b6b0604c229296d170961c88d0b31824b9f854d326fe8b10557e84040

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
          MD5

          a54e6020d8dade29e93e679d7d067676

          SHA1

          1ff53fa146566b3dc7a4dc43c91650a89b0bca5f

          SHA256

          3762d5141f299aa6d5bb5197aa8459d1741a4602c875a14531b77ebc861c7bbb

          SHA512

          87da29500b7ca80c15eea68253298c50073e2c643aae474b700ddd8117f7eac6bd53fc9a5358aa2bebe513e2041ca101337a13f21f0ef16450607ecc7f57b43d

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
          MD5

          97a8e1cae869b8ac29230c492eea91ac

          SHA1

          0e5b9287473b03ad8572fd32e2920f3b5a132a68

          SHA256

          6858ebdfe4bfbf413341819a084fe30cdcfb9e585c0341298d61f3232cc4e301

          SHA512

          df8c4316fca3b128ab8300f75c34b57eeea380f042135a04fd371979a642e2bf9926bd53dd6df490cdb773faf1309dce8b585390fb51e53e661ce0e74f1da2b4

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
          MD5

          dce233405b27b5b41c202114bf2c3697

          SHA1

          0808537e8bc2fba4a69de7d8a055d40f4fa1f7e2

          SHA256

          4a61a89734c0b6895ec05679932e9e3d3984b64e91fbdadf3c28f234d0b095ad

          SHA512

          42aca8ca3ddf73cc3b9680b2a6c5c096c177038e256270ab6448934df749573a0aa7d0d98bf8bacf7a94e646cac8f676a61b59ac76030d636aa513bbda6e99c8

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
          MD5

          f519687c88f855776a232bf71b6b9ac0

          SHA1

          313300e3c980ac778276860f24419771c5e6b35d

          SHA256

          4c35fadbbb5816490d0c23f1073a7c4b3f056941655a4b0450dd7991d51b6473

          SHA512

          1af49e2a4beee405f6c74fa6643b29729ea6b4dc59fcae18e186b9fdcc51016bb9681e466be6b358f8a1b3e33e4223d2b33bab0a582fd52338ba3fb8cca0a594

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\P0VW6L9F.htm
          MD5

          6b17a59cec1a7783febae9aa55c56556

          SHA1

          01d4581e2b3a6348679147a915a0b22b2a66643a

          SHA256

          66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

          SHA512

          3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\K8HNMTCO.htm
          MD5

          b1cd7c031debba3a5c77b39b6791c1a7

          SHA1

          e5d91e14e9c685b06f00e550d9e189deb2075f76

          SHA256

          57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

          SHA512

          d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          MD5

          ef572e2c7b1bbd57654b36e8dcfdc37a

          SHA1

          b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

          SHA256

          e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

          SHA512

          b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
          MD5

          574f031251f67bcc6ea9168364d2fbfd

          SHA1

          f5d6140140829eaa550d2ef57b3ca8281b3d79bb

          SHA256

          438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

          SHA512

          d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
          MD5

          574f031251f67bcc6ea9168364d2fbfd

          SHA1

          f5d6140140829eaa550d2ef57b3ca8281b3d79bb

          SHA256

          438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

          SHA512

          d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
          MD5

          574f031251f67bcc6ea9168364d2fbfd

          SHA1

          f5d6140140829eaa550d2ef57b3ca8281b3d79bb

          SHA256

          438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

          SHA512

          d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

          Download Submit
        • memory/1300-15-0x0000000000000000-mapping.dmp
          Download
        • memory/1372-16-0x0000000000000000-mapping.dmp
          Download
        • memory/1392-17-0x0000000000000000-mapping.dmp
          Download
        • memory/1584-18-0x0000000000000000-mapping.dmp
          Download
        • memory/1616-25-0x0000000000000000-mapping.dmp
          Download
        • memory/1768-19-0x0000000000000000-mapping.dmp
          Download
        • memory/2092-2-0x0000000000000000-mapping.dmp
          Download
        • memory/3084-6-0x0000000000000000-mapping.dmp
          Download
        • memory/3084-5-0x00000000006D0000-0x00000000006D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3644-27-0x0000000000000000-mapping.dmp
          Download
        • memory/4044-21-0x0000000000000000-mapping.dmp
          Download
        • memory/4088-20-0x0000000000000000-mapping.dmp
          Download
        • memory/4484-23-0x0000000000000000-mapping.dmp
          Download
        • memory/4600-26-0x0000000000000000-mapping.dmp
          Download