buran | 442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024

General

Target

Buran.exe
Size

214KB
MD5

2f1ecf99dd8a2648dd013c5fe6ecb6f5
SHA1

121c377693b96eef8e84861f091ef47e6fb6cae5
SHA256

442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024
SHA512

793eb6a3f3d0323b0749a35e372c9fcde15a912f32d74fc5fa0fc104c32d8348f431347fefd1c34e3d51d9b20432f8e66b9ae3b9523b4b4b21e76b6fd2ae8219

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: uspex1@cock.li Reserved email: uspex2@cock.li Your personal ID: 611-63B-EB4 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

uspex1@cock.li

uspex2@cock.li

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Buran.exe

description	ioc	process
File opened (read-only)	\??\T:	Buran.exe
File opened (read-only)	\??\Q:	Buran.exe
File opened (read-only)	\??\J:	Buran.exe
File opened (read-only)	\??\H:	Buran.exe
File opened (read-only)	\??\G:	Buran.exe
File opened (read-only)	\??\I:	Buran.exe
File opened (read-only)	\??\W:	Buran.exe
File opened (read-only)	\??\V:	Buran.exe
File opened (read-only)	\??\S:	Buran.exe
File opened (read-only)	\??\P:	Buran.exe
File opened (read-only)	\??\O:	Buran.exe
File opened (read-only)	\??\N:	Buran.exe
File opened (read-only)	\??\K:	Buran.exe
File opened (read-only)	\??\E:	Buran.exe
File opened (read-only)	\??\A:	Buran.exe
File opened (read-only)	\??\X:	Buran.exe
File opened (read-only)	\??\U:	Buran.exe
File opened (read-only)	\??\R:	Buran.exe
File opened (read-only)	\??\L:	Buran.exe
File opened (read-only)	\??\B:	Buran.exe
File opened (read-only)	\??\Z:	Buran.exe
File opened (read-only)	\??\Y:	Buran.exe
File opened (read-only)	\??\M:	Buran.exe
File opened (read-only)	\??\F:	Buran.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 geoiptool.com

flow	ioc
9	geoiptool.com

Drops file in Program Files directory 19961 IoCs

Processes:

Buran.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js	Buran.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-100.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-150_contrast-white.png	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-80_contrast-black.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-US\toc.xml	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\common.lua	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256_altform-unplated.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-100.png	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\strings\officehubintl.lang-en-us.resw	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-60_altform-unplated.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\handshake.png	Buran.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.611-63B-EB4	Buran.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\LargeTile.scale-200.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100.png	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\ProgressBar\progress_foreground.jpg	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-unplated.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\LargeTile.scale-125.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Ungroup.scale-100.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\46.jpg	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CommonUtils.winmd	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ai_16x11.png	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-fullcolor.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-100.png	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.INF.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF	Buran.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.611-63B-EB4	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\FUE2_Image_4.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\OneConnectWideTile.scale-100.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\OneConnectSmallTile.scale-125.png	Buran.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-100.png	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h	Buran.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3040 vssadmin.exe
2272 vssadmin.exe

pid	process
3040	vssadmin.exe
2272	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Buran.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Buran.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Buran.exe

Suspicious use of AdjustPrivilegeToken 87 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	672	WMIC.exe
Token: SeSecurityPrivilege	672	WMIC.exe
Token: SeTakeOwnershipPrivilege	672	WMIC.exe
Token: SeLoadDriverPrivilege	672	WMIC.exe
Token: SeSystemProfilePrivilege	672	WMIC.exe
Token: SeSystemtimePrivilege	672	WMIC.exe
Token: SeProfSingleProcessPrivilege	672	WMIC.exe
Token: SeIncBasePriorityPrivilege	672	WMIC.exe
Token: SeCreatePagefilePrivilege	672	WMIC.exe
Token: SeBackupPrivilege	672	WMIC.exe
Token: SeRestorePrivilege	672	WMIC.exe
Token: SeShutdownPrivilege	672	WMIC.exe
Token: SeDebugPrivilege	672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	672	WMIC.exe
Token: SeRemoteShutdownPrivilege	672	WMIC.exe
Token: SeUndockPrivilege	672	WMIC.exe
Token: SeManageVolumePrivilege	672	WMIC.exe
Token: 33	672	WMIC.exe
Token: 34	672	WMIC.exe
Token: 35	672	WMIC.exe
Token: 36	672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe
Token: SeSystemProfilePrivilege	1324	WMIC.exe
Token: SeSystemtimePrivilege	1324	WMIC.exe
Token: SeProfSingleProcessPrivilege	1324	WMIC.exe
Token: SeIncBasePriorityPrivilege	1324	WMIC.exe
Token: SeCreatePagefilePrivilege	1324	WMIC.exe
Token: SeBackupPrivilege	1324	WMIC.exe
Token: SeRestorePrivilege	1324	WMIC.exe
Token: SeShutdownPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	1324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1324	WMIC.exe
Token: SeRemoteShutdownPrivilege	1324	WMIC.exe
Token: SeUndockPrivilege	1324	WMIC.exe
Token: SeManageVolumePrivilege	1324	WMIC.exe
Token: 33	1324	WMIC.exe
Token: 34	1324	WMIC.exe
Token: 35	1324	WMIC.exe
Token: 36	1324	WMIC.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe
Token: SeSystemProfilePrivilege	1324	WMIC.exe
Token: SeSystemtimePrivilege	1324	WMIC.exe
Token: SeProfSingleProcessPrivilege	1324	WMIC.exe
Token: SeIncBasePriorityPrivilege	1324	WMIC.exe
Token: SeCreatePagefilePrivilege	1324	WMIC.exe
Token: SeBackupPrivilege	1324	WMIC.exe
Token: SeRestorePrivilege	1324	WMIC.exe
Token: SeShutdownPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	1324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1324	WMIC.exe
Token: SeRemoteShutdownPrivilege	1324	WMIC.exe
Token: SeUndockPrivilege	1324	WMIC.exe
Token: SeManageVolumePrivilege	1324	WMIC.exe
Token: 33	1324	WMIC.exe
Token: 34	1324	WMIC.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Buran.execmd.execmd.execmd.exe

description	pid	process	target process
PID 500 wrote to memory of 3608	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 3608	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 3608	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 2684	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 2684	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 2684	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 188	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 188	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 188	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 196	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 196	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 196	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 3476	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 3476	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 3476	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 1364	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 1364	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 1364	500	Buran.exe	cmd.exe
PID 500 wrote to memory of 2184	500	Buran.exe	Buran.exe
PID 500 wrote to memory of 2184	500	Buran.exe	Buran.exe
PID 500 wrote to memory of 2184	500	Buran.exe	Buran.exe
PID 3476 wrote to memory of 2272	3476	cmd.exe	vssadmin.exe
PID 3476 wrote to memory of 2272	3476	cmd.exe	vssadmin.exe
PID 3476 wrote to memory of 2272	3476	cmd.exe	vssadmin.exe
PID 3608 wrote to memory of 1324	3608	cmd.exe	WMIC.exe
PID 3608 wrote to memory of 1324	3608	cmd.exe	WMIC.exe
PID 3608 wrote to memory of 1324	3608	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 672	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 672	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 672	1364	cmd.exe	WMIC.exe
PID 1364 wrote to memory of 3040	1364	cmd.exe	vssadmin.exe
PID 1364 wrote to memory of 3040	1364	cmd.exe	vssadmin.exe
PID 1364 wrote to memory of 3040	1364	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\Buran.exe
"C:\Users\Admin\AppData\Local\Temp\Buran.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2272

C:\Users\Admin\AppData\Local\Temp\Buran.exe
"C:\Users\Admin\AppData\Local\Temp\Buran.exe" -agent 0
2⤵
- Drops file in Program Files directory
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
memory/188-4-0x0000000000000000-mapping.dmp

Download
memory/196-5-0x0000000000000000-mapping.dmp

Download
memory/672-12-0x0000000000000000-mapping.dmp

Download
memory/1324-11-0x0000000000000000-mapping.dmp

Download
memory/1364-7-0x0000000000000000-mapping.dmp

Download
memory/2184-8-0x0000000000000000-mapping.dmp

Download
memory/2272-10-0x0000000000000000-mapping.dmp

Download
memory/2684-3-0x0000000000000000-mapping.dmp

Download
memory/3040-13-0x0000000000000000-mapping.dmp

Download
memory/3476-6-0x0000000000000000-mapping.dmp

Download
memory/3608-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads