General
Target: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
Size: 271KB
Sample: 210228-lp1r6vql9x
MD5: f8ca42285e4979fc25e1e358aaaf3ee3
SHA1: 83bb7336deceeb094574714c1043ce9d3d420ee8
SHA256: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA512: 00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
Static task: static1
Behavioral task: behavioral1
  Sample: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
  Resource: win10v20201028
Malware Config
Extracted
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: threesixnine@ctemplar.com
Targets
Target: d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
Score: 10/10
Buran: ransomware-as-a-service derived from the VegaLocker family, first identified in 2019.
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
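The extracted config and the signature list above translate directly into host-side hunting logic. The script below is an added example, not part of this report or of the sandbox that produced it: it scores EDR-style telemetry against the sample hashes, the ransom-note filename and contact address from the config, and the Run-key persistence, non-C: drive enumeration and external-IP-lookup behaviours from the signatures. The event schema, the sample events, the Run value names, the D:/E: drive letters and the list of IP-lookup domains are all assumptions (the report does not say which lookup service the sample used).

```python
import re
from collections import defaultdict

# Indicators copied from the report above.
SAMPLE_SHA256 = "d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1"
SAMPLE_MD5 = "f8ca42285e4979fc25e1e358aaaf3ee3"
RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
CONTACT_EMAIL = "threesixnine@ctemplar.com"

# Assumption: a handful of public IP-lookup services. The report only says a
# legitimate lookup service was queried; it does not name which one.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                     "checkip.dyndns.org", "ifconfig.me"}

DRIVE_ROOT = re.compile(r"^([A-Za-z]):\\$")                  # e.g. "D:\"
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def classify(events):
    """Map each pid to the set of report behaviours observed for it.

    `events` is a list of dicts in a constructed EDR-style schema
    ({"type": ..., "pid": ..., ...}); event types other than the five
    handled below are ignored.
    """
    tags = defaultdict(set)
    roots = defaultdict(set)            # pid -> non-C: drive roots opened
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_start":
            h = ev.get("hashes", {})
            if (h.get("sha256", "").lower() == SAMPLE_SHA256
                    or h.get("md5", "").lower() == SAMPLE_MD5):
                tags[pid].add("sample_hash_match")
        elif kind == "file_create":
            name = ev["path"].rsplit("\\", 1)[-1]
            if name.upper() == RANSOM_NOTE.upper():
                tags[pid].add("ransom_note_dropped")
            if CONTACT_EMAIL in ev.get("content", "").lower():
                tags[pid].add("buran_contact_email")
        elif kind == "registry_set":
            if RUN_KEY.search(ev["key"]):
                tags[pid].add("run_key_persistence")
        elif kind == "file_open":
            m = DRIVE_ROOT.match(ev["path"])
            if m and m.group(1).upper() != "C":
                roots[pid].add(m.group(1).upper())
        elif kind == "dns_query":
            if ev["query"].lower().rstrip(".") in IP_LOOKUP_DOMAINS:
                tags[pid].add("external_ip_lookup")
    for pid in roots:                   # signature: any non-C: root read
        tags[pid].add("enumerates_drives")
    return dict(tags)


def verdict(tags):
    """Hard indicators (hash, note name, contact address) are decisive on
    their own; the generic behaviours only count when two or more co-occur."""
    if tags & {"sample_hash_match", "ransom_note_dropped", "buran_contact_email"}:
        return "buran"
    if len(tags) >= 2:
        return "suspicious"
    return "clean"


# Constructed telemetry: pid 4120 reproduces the report's behaviours, pid 2208
# is a benign installer that only sets a Run key. Value names, drive letters
# and the lookup domain are assumptions, not values taken from the report.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120,
     "hashes": {"sha256": SAMPLE_SHA256, "md5": SAMPLE_MD5}},
    {"type": "file_open", "pid": 4120, "path": "C:\\"},
    {"type": "file_open", "pid": 4120, "path": "D:\\"},
    {"type": "file_open", "pid": 4120, "path": "E:\\"},
    {"type": "registry_set", "pid": 4120,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"type": "dns_query", "pid": 4120, "query": "api.ipify.org"},
    {"type": "file_create", "pid": 4120, "path": "C:\\" + RANSOM_NOTE,
     "content": "To decrypt your files write to " + CONTACT_EMAIL},
    {"type": "process_start", "pid": 2208, "hashes": {"sha256": "0" * 64}},
    {"type": "file_open", "pid": 2208, "path": "C:\\"},
    {"type": "registry_set", "pid": 2208,
     "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Setup"},
]

if __name__ == "__main__":
    for pid, t in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, verdict(t), sorted(t))
```

The hash and ransom-note checks are exact and sample-specific; the Run-key, drive-root and DNS checks are deliberately generic because a legitimate installer will trip any one of them, which is why `verdict` requires at least two of the generic behaviours before raising a "suspicious" result. Note that the Run-key regex matches only `...\CurrentVersion\Run\`, not `RunOnce`; extend it if your environment needs that.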