Analysis
- max time kernel: 135s
- max time network: 126s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-01-2021 06:58
Static task: static1
Behavioral task: behavioral1
  Sample: Buran.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Buran.exe
  Resource: win10v20201028
General
- Target: Buran.exe
- Size: 214KB
- MD5: 2f1ecf99dd8a2648dd013c5fe6ecb6f5
- SHA1: 121c377693b96eef8e84861f091ef47e6fb6cae5
- SHA256: 442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024
- SHA512: 793eb6a3f3d0323b0749a35e372c9fcde15a912f32d74fc5fa0fc104c32d8348f431347fefd1c34e3d51d9b20432f8e66b9ae3b9523b4b4b21e76b6fd2ae8219
Malware Config
Extracted
- Ransom note path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Contact emails: uspex1@cock.li, uspex2@cock.li
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Deletes itself (1 IoC)
  Processes: notepad.exe
  pid   process
  1920  notepad.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Buran.exe
  description              ioc     process
  File opened (read-only)  \??\Z:  Buran.exe
  File opened (read-only)  \??\V:  Buran.exe
  File opened (read-only)  \??\N:  Buran.exe
  File opened (read-only)  \??\M:  Buran.exe
  File opened (read-only)  \??\I:  Buran.exe
  File opened (read-only)  \??\B:  Buran.exe
  File opened (read-only)  \??\A:  Buran.exe
  File opened (read-only)  \??\Y:  Buran.exe
  File opened (read-only)  \??\R:  Buran.exe
  File opened (read-only)  \??\K:  Buran.exe
  File opened (read-only)  \??\H:  Buran.exe
  File opened (read-only)  \??\G:  Buran.exe
  File opened (read-only)  \??\F:  Buran.exe
  File opened (read-only)  \??\U:  Buran.exe
  File opened (read-only)  \??\S:  Buran.exe
  File opened (read-only)  \??\Q:  Buran.exe
  File opened (read-only)  \??\P:  Buran.exe
  File opened (read-only)  \??\L:  Buran.exe
  File opened (read-only)  \??\J:  Buran.exe
  File opened (read-only)  \??\X:  Buran.exe
  File opened (read-only)  \??\W:  Buran.exe
  File opened (read-only)  \??\T:  Buran.exe
  File opened (read-only)  \??\O:  Buran.exe
  File opened (read-only)  \??\E:  Buran.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  5     geoiptool.com
- Drops file in Program Files directory (15044 IoCs)
  Processes: Buran.exe
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid   process
  1560  vssadmin.exe
  1776  vssadmin.exe
- Modifies system certificate store
  Processes: Buran.exe
  description       ioc                                                                                                                                      process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                     Buran.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob not captured]  Buran.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob not captured]  Buran.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob not captured]  Buran.exe
- Suspicious use of AdjustPrivilegeToken (85 IoCs)
  Processes: WMIC.exe, WMIC.exe, vssvc.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  Processes: Buran.exe, cmd.exe, cmd.exe, cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Buran.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Buran.exe"
  Signatures: Enumerates connected drives; Modifies system certificate store; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Users\Admin\AppData\Local\Temp\Buran.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Buran.exe" -agent 0
    Signatures: Drops file in Program Files directory
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    Signatures: Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads