Analysis
-
max time kernel
152s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-02-2021 07:19
General
-
Target
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe
-
Size
271KB
-
MD5
f8ca42285e4979fc25e1e358aaaf3ee3
-
SHA1
83bb7336deceeb094574714c1043ce9d3d420ee8
-
SHA256
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
-
SHA512
00bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
threesixnine@ctemplar.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe"C:\Users\Admin\AppData\Local\Temp\d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1.exe"1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
d8b0ff3ef0cac177c2f16157834442b1
SHA183504ee29a466c5b6412b7e72c131cd8f975d536
SHA256667366e5abac32446a226d1cfaef36ebd721bf00334e26b984b477f5c146789c
SHA5125dafefa8e8677369dca0241512b8b6667f14595770b2f2f1ea7b7ee1717b70f42079c85b1edcea4a45f6fd4896b7a0040264d9b1f63188aba2dd0e5bc25a7eea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
c105de5d82dc4fa359f03f82cb0bf797
SHA178ec4e7c84b5b941c6ef4814d7eab379d2a7a12b
SHA256ada540f3499dc0ec44782e7b52f064fc3ae96159a98d34f130deed0fa1dc8ccc
SHA512c9251ad48cda6ea6b455f99e162040cecdc934eb73f0bda14ad8c32b0458119f0f90f509da942207d87618933dbe3555cfc414d116f7be9d8eb54b259d583e07
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
c8f5dcc04731e23047a7e0609731c468
SHA15f4b7ec761c1d2f3a24417c06e20619216a9678e
SHA256de35f9bd437d0839a51b5c3cb5c4e2d6c6f586e703b99bfe63e60bea054b0a97
SHA5122ca4ab3cd0937f82d6e2eecbd9a21c4fc1a73ec1f19dcc8b635ad96b0cbf25383b3e2a552b9f20b59ef671af6c20f21bfcca99b48733f6bd3a9ebf140ac22caa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
a7b751c312facb7f86eab87f00447b04
SHA109353192280aa9ed20271dc0be32011ff0544f27
SHA256d4a2304df3a137ad269b27e5674d22362b5263890772995e6ab75300f98fceaf
SHA5124b4f6ebf3c5b263ae107790e7f71f9b74f06094e1a0f04ab544de7f2d4fc6ea72cff00c4796f3794bf31badd57c67697bfd9736e68cf64be96fbbaf8d038cc4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
e2469a1dc29c98043a203c637ebd9844
SHA1e2a3e9ecec4364c8259a0ec376ab65c9feb54e01
SHA256bf422364f3d58ca462cab43e2dc96dd852f7be1d2536c16443b7bc1c40ebfa5c
SHA512dca6979f3726161b48764429d276e50a3c196c7057d2f9642fa4b0f8760f533cae386da217541bccf91af5f72a6d4236ee0485888b17aa9c6629154961313101
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
fdf96a8e00bbc16e8a2b649de06b8c60
SHA1b7968713582a869939e49fe1d774528a24d930d6
SHA25628cc95f56ab8a561b0facf3a7bcac8d535d396561e1c03a7d3c7adccfe56084e
SHA512b152c7148eb8ef97049a35f33d2c4df7086409b8853ffd82054355dba3d5dc193badddd320dc26b743285004218cd0329613d7220ddd2271902f767e53d50894
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\XHW8A468.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\TAW9RV0I.htmMD5
8615e70875c2cc0b9db16027b9adf11d
SHA14ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exeMD5
f8ca42285e4979fc25e1e358aaaf3ee3
SHA183bb7336deceeb094574714c1043ce9d3d420ee8
SHA256d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA51200bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exeMD5
f8ca42285e4979fc25e1e358aaaf3ee3
SHA183bb7336deceeb094574714c1043ce9d3d420ee8
SHA256d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA51200bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exeMD5
f8ca42285e4979fc25e1e358aaaf3ee3
SHA183bb7336deceeb094574714c1043ce9d3d420ee8
SHA256d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SHA51200bddc7a539b957f9dfb74941c56bab532221f4783d1ec90bde4019b9af68a79886d36d2e12fd9511836a8447cbecd56ee4a988b1e0dd6c6dc170b9c60b20a54
-
memory/188-32-0x0000000000000000-mapping.dmp
-
memory/636-2-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/636-4-0x0000000000400000-0x0000000000541000-memory.dmpFilesize
1.3MB
-
memory/636-3-0x00000000001C0000-0x00000000001F7000-memory.dmpFilesize
220KB
-
memory/2648-33-0x0000000000000000-mapping.dmp
-
memory/2680-27-0x0000000000000000-mapping.dmp
-
memory/2816-9-0x0000000000000000-mapping.dmp
-
memory/2816-8-0x0000000000BC0000-0x0000000000BC1000-memory.dmpFilesize
4KB
-
memory/2840-22-0x0000000000000000-mapping.dmp
-
memory/2896-30-0x0000000000000000-mapping.dmp
-
memory/3148-10-0x0000000000D00000-0x0000000000D01000-memory.dmpFilesize
4KB
-
memory/3148-5-0x0000000000000000-mapping.dmp
-
memory/3612-26-0x0000000000000000-mapping.dmp
-
memory/3616-28-0x0000000000000000-mapping.dmp
-
memory/3616-34-0x0000000000E00000-0x0000000000E01000-memory.dmpFilesize
4KB
-
memory/3824-25-0x0000000000000000-mapping.dmp
-
memory/3836-23-0x0000000000000000-mapping.dmp
-
memory/3844-35-0x0000000000000000-mapping.dmp
-
memory/3920-24-0x0000000000000000-mapping.dmp