Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-01-2021 06:58
Static task
static1
Behavioral task
behavioral1
Sample
Buran.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Buran.exe
Resource
win10v20201028
General
-
Target
Buran.exe
-
Size
214KB
-
MD5
2f1ecf99dd8a2648dd013c5fe6ecb6f5
-
SHA1
121c377693b96eef8e84861f091ef47e6fb6cae5
-
SHA256
442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024
-
SHA512
793eb6a3f3d0323b0749a35e372c9fcde15a912f32d74fc5fa0fc104c32d8348f431347fefd1c34e3d51d9b20432f8e66b9ae3b9523b4b4b21e76b6fd2ae8219
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
uspex1@cock.li
uspex2@cock.li
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Buran.exedescription ioc process File opened (read-only) \??\T: Buran.exe File opened (read-only) \??\Q: Buran.exe File opened (read-only) \??\J: Buran.exe File opened (read-only) \??\H: Buran.exe File opened (read-only) \??\G: Buran.exe File opened (read-only) \??\I: Buran.exe File opened (read-only) \??\W: Buran.exe File opened (read-only) \??\V: Buran.exe File opened (read-only) \??\S: Buran.exe File opened (read-only) \??\P: Buran.exe File opened (read-only) \??\O: Buran.exe File opened (read-only) \??\N: Buran.exe File opened (read-only) \??\K: Buran.exe File opened (read-only) \??\E: Buran.exe File opened (read-only) \??\A: Buran.exe File opened (read-only) \??\X: Buran.exe File opened (read-only) \??\U: Buran.exe File opened (read-only) \??\R: Buran.exe File opened (read-only) \??\L: Buran.exe File opened (read-only) \??\B: Buran.exe File opened (read-only) \??\Z: Buran.exe File opened (read-only) \??\Y: Buran.exe File opened (read-only) \??\M: Buran.exe File opened (read-only) \??\F: Buran.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 geoiptool.com -
Drops file in Program Files directory 19961 IoCs
Processes:
Buran.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif.611-63B-EB4 Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js Buran.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-150.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-100.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-150_contrast-white.png Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif.611-63B-EB4 Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-80_contrast-black.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-US\toc.xml Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\AppxSignature.p7x Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\common.lua Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256_altform-unplated.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-100.png Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\strings\officehubintl.lang-en-us.resw Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-60_altform-unplated.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\handshake.png Buran.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.611-63B-EB4 Buran.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\LargeTile.scale-200.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100.png Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\ProgressBar\progress_foreground.jpg Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-unplated.png Buran.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\LargeTile.scale-125.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.611-63B-EB4 Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Ungroup.scale-100.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\46.jpg Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CommonUtils.winmd Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ai_16x11.png Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar Buran.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-fullcolor.png Buran.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-100.png Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.INF.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF Buran.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.611-63B-EB4 Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\FUE2_Image_4.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\OneConnectWideTile.scale-100.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\OneConnectSmallTile.scale-125.png Buran.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-white_scale-100.png Buran.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js Buran.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h Buran.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 3040 vssadmin.exe 2272 vssadmin.exe -
Processes:
Buran.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Buran.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Buran.exe -
Suspicious use of AdjustPrivilegeToken 87 IoCs
Processes:
WMIC.exeWMIC.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 672 WMIC.exe Token: SeSecurityPrivilege 672 WMIC.exe Token: SeTakeOwnershipPrivilege 672 WMIC.exe Token: SeLoadDriverPrivilege 672 WMIC.exe Token: SeSystemProfilePrivilege 672 WMIC.exe Token: SeSystemtimePrivilege 672 WMIC.exe Token: SeProfSingleProcessPrivilege 672 WMIC.exe Token: SeIncBasePriorityPrivilege 672 WMIC.exe Token: SeCreatePagefilePrivilege 672 WMIC.exe Token: SeBackupPrivilege 672 WMIC.exe Token: SeRestorePrivilege 672 WMIC.exe Token: SeShutdownPrivilege 672 WMIC.exe Token: SeDebugPrivilege 672 WMIC.exe Token: SeSystemEnvironmentPrivilege 672 WMIC.exe Token: SeRemoteShutdownPrivilege 672 WMIC.exe Token: SeUndockPrivilege 672 WMIC.exe Token: SeManageVolumePrivilege 672 WMIC.exe Token: 33 672 WMIC.exe Token: 34 672 WMIC.exe Token: 35 672 WMIC.exe Token: 36 672 WMIC.exe Token: SeIncreaseQuotaPrivilege 1324 WMIC.exe Token: SeSecurityPrivilege 1324 WMIC.exe Token: SeTakeOwnershipPrivilege 1324 WMIC.exe Token: SeLoadDriverPrivilege 1324 WMIC.exe Token: SeSystemProfilePrivilege 1324 WMIC.exe Token: SeSystemtimePrivilege 1324 WMIC.exe Token: SeProfSingleProcessPrivilege 1324 WMIC.exe Token: SeIncBasePriorityPrivilege 1324 WMIC.exe Token: SeCreatePagefilePrivilege 1324 WMIC.exe Token: SeBackupPrivilege 1324 WMIC.exe Token: SeRestorePrivilege 1324 WMIC.exe Token: SeShutdownPrivilege 1324 WMIC.exe Token: SeDebugPrivilege 1324 WMIC.exe Token: SeSystemEnvironmentPrivilege 1324 WMIC.exe Token: SeRemoteShutdownPrivilege 1324 WMIC.exe Token: SeUndockPrivilege 1324 WMIC.exe Token: SeManageVolumePrivilege 1324 WMIC.exe Token: 33 1324 WMIC.exe Token: 34 1324 WMIC.exe Token: 35 1324 WMIC.exe Token: 36 1324 WMIC.exe Token: SeBackupPrivilege 1620 vssvc.exe Token: SeRestorePrivilege 1620 vssvc.exe Token: SeAuditPrivilege 1620 vssvc.exe Token: SeIncreaseQuotaPrivilege 1324 WMIC.exe Token: SeSecurityPrivilege 1324 WMIC.exe Token: SeTakeOwnershipPrivilege 1324 WMIC.exe Token: SeLoadDriverPrivilege 1324 WMIC.exe Token: SeSystemProfilePrivilege 1324 WMIC.exe Token: SeSystemtimePrivilege 1324 WMIC.exe Token: SeProfSingleProcessPrivilege 1324 WMIC.exe Token: SeIncBasePriorityPrivilege 1324 WMIC.exe Token: SeCreatePagefilePrivilege 1324 WMIC.exe Token: SeBackupPrivilege 1324 WMIC.exe Token: SeRestorePrivilege 1324 WMIC.exe Token: SeShutdownPrivilege 1324 WMIC.exe Token: SeDebugPrivilege 1324 WMIC.exe Token: SeSystemEnvironmentPrivilege 1324 WMIC.exe Token: SeRemoteShutdownPrivilege 1324 WMIC.exe Token: SeUndockPrivilege 1324 WMIC.exe Token: SeManageVolumePrivilege 1324 WMIC.exe Token: 33 1324 WMIC.exe Token: 34 1324 WMIC.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
Buran.execmd.execmd.execmd.exedescription pid process target process PID 500 wrote to memory of 3608 500 Buran.exe cmd.exe PID 500 wrote to memory of 3608 500 Buran.exe cmd.exe PID 500 wrote to memory of 3608 500 Buran.exe cmd.exe PID 500 wrote to memory of 2684 500 Buran.exe cmd.exe PID 500 wrote to memory of 2684 500 Buran.exe cmd.exe PID 500 wrote to memory of 2684 500 Buran.exe cmd.exe PID 500 wrote to memory of 188 500 Buran.exe cmd.exe PID 500 wrote to memory of 188 500 Buran.exe cmd.exe PID 500 wrote to memory of 188 500 Buran.exe cmd.exe PID 500 wrote to memory of 196 500 Buran.exe cmd.exe PID 500 wrote to memory of 196 500 Buran.exe cmd.exe PID 500 wrote to memory of 196 500 Buran.exe cmd.exe PID 500 wrote to memory of 3476 500 Buran.exe cmd.exe PID 500 wrote to memory of 3476 500 Buran.exe cmd.exe PID 500 wrote to memory of 3476 500 Buran.exe cmd.exe PID 500 wrote to memory of 1364 500 Buran.exe cmd.exe PID 500 wrote to memory of 1364 500 Buran.exe cmd.exe PID 500 wrote to memory of 1364 500 Buran.exe cmd.exe PID 500 wrote to memory of 2184 500 Buran.exe Buran.exe PID 500 wrote to memory of 2184 500 Buran.exe Buran.exe PID 500 wrote to memory of 2184 500 Buran.exe Buran.exe PID 3476 wrote to memory of 2272 3476 cmd.exe vssadmin.exe PID 3476 wrote to memory of 2272 3476 cmd.exe vssadmin.exe PID 3476 wrote to memory of 2272 3476 cmd.exe vssadmin.exe PID 3608 wrote to memory of 1324 3608 cmd.exe WMIC.exe PID 3608 wrote to memory of 1324 3608 cmd.exe WMIC.exe PID 3608 wrote to memory of 1324 3608 cmd.exe WMIC.exe PID 1364 wrote to memory of 672 1364 cmd.exe WMIC.exe PID 1364 wrote to memory of 672 1364 cmd.exe WMIC.exe PID 1364 wrote to memory of 672 1364 cmd.exe WMIC.exe PID 1364 wrote to memory of 3040 1364 cmd.exe vssadmin.exe PID 1364 wrote to memory of 3040 1364 cmd.exe vssadmin.exe PID 1364 wrote to memory of 3040 1364 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Buran.exe"C:\Users\Admin\AppData\Local\Temp\Buran.exe"1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\Buran.exe"C:\Users\Admin\AppData\Local\Temp\Buran.exe" -agent 02⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
memory/188-4-0x0000000000000000-mapping.dmp
-
memory/196-5-0x0000000000000000-mapping.dmp
-
memory/672-12-0x0000000000000000-mapping.dmp
-
memory/1324-11-0x0000000000000000-mapping.dmp
-
memory/1364-7-0x0000000000000000-mapping.dmp
-
memory/2184-8-0x0000000000000000-mapping.dmp
-
memory/2272-10-0x0000000000000000-mapping.dmp
-
memory/2684-3-0x0000000000000000-mapping.dmp
-
memory/3040-13-0x0000000000000000-mapping.dmp
-
memory/3476-6-0x0000000000000000-mapping.dmp
-
memory/3608-2-0x0000000000000000-mapping.dmp