Overview

overview

10

Static

static

March 4.scr.exe

windows7_x64

8

March 4.scr.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-03-2021 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    March 4.scr.exe

  • Size

    812KB

  • MD5

    5181f541a6d97bab854d5eba326ea7d9

  • SHA1

    16d9967a2658ac765d7acbea18c556b927b810be

  • SHA256

    b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

  • SHA512

    c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: filescrps@protonmail.ch and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: filescrp@420blaze.it Reserved email: filescrp@yandex.ru Your personal ID: 43E-34E-563 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

filescrp@420blaze.it

filescrp@yandex.ru

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\March 4.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\March 4.scr.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
          PID:3932
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
            PID:360
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
              PID:2348
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2308
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:652
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3128
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2772
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:3504
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
              3⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              PID:2292
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            2⤵
            • Deletes itself
            PID:2844
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1696

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        File Deletion

        2
        T1107

        Modify Registry

        2
        T1112

        Install Root Certificate

        1
        T1130

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Inhibit System Recovery

        2
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
          MD5

          b388079096b39c202c4f06293efd160b

          SHA1

          915f86a54d95244ae5a1cb12354efcdce9eefd1f

          SHA256

          b50779980da5ab62a212a45640357707bdfe43e7a0b2dd1d3d6a45988be32b88

          SHA512

          5093255fe506cf5c472fafa016fe577bee6fb4085ebe9405d62c7d4b6fcaced58c52d62a59f032e93e6f7311722693f4578e4bf0424a04b9de2b3e90071e7fbc

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
          MD5

          ecb21e39b5b11be0a29330e1a20d696c

          SHA1

          e5563448ca649fdc76ddef52ca636b19dc31bfcc

          SHA256

          36dd36c96bb0f2e2fe9504d653235d44afee9edbcc8d65ac4df79a5fa27c417d

          SHA512

          8312cd9b331eedede74b0d1f4440fe8df50b01970394c6a98575f6df8b1f0c15d1b4023eb3b34c303232eaa4587c3966d877141db83bf6bdf601957cc4a484b9

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
          MD5

          899e9694777b7b35087a51ffcc729d43

          SHA1

          8359dcd3ca4c8bde585b012ccccc84bf135d3797

          SHA256

          98e3871c94e70237460ff3e42aef8f87b5bedfe9b85d38e699046827dadcee75

          SHA512

          5ca781a78900afa2f192d2dfd8178997cd727444cca8b14844ea2c5cdff470cf588eb769acb60a4ffe2ebf1cfaeb02a6abfe71e674b282e01935570da190e182

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
          MD5

          1d694fcf12c9d5a0703156e979adc123

          SHA1

          d8d8ca0c43e95a069add93f25dde36cf822fbc81

          SHA256

          bc7cd45033bd23192b2b19e34ab54e2e3b4e7e3c49616865a804b7602f9b4e9f

          SHA512

          5abedaf836818b1e725a9f2fb678472a0c838548147ef97542671191d1da02b2edf8f739323c9c96d0035ebcc6a1f74a8de2c0e0244f00059ffa82480c6e7550

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
          MD5

          6686218ab9240cc3e1ff265fa36c2146

          SHA1

          6bd42ac9baac42ea04b8a1092f30663e77e4592b

          SHA256

          248e7f5c3c1e8319ef56afa2f55ee66d7bd9cac9433cb22c9c2461f474689402

          SHA512

          b6f2e787bce2e8d33f17340a1739225e8b6bba50ccc137228b61fa18c298f59475a4a1fffd6ae08ea269c433cb83817a328a36444fd5b867384c37c2795e7c5f

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
          MD5

          695f2727d127876dfae7e25a771843a0

          SHA1

          81d7594575e1cbdf8585b9e6c01c2adfb07cd8ad

          SHA256

          d405486ef6d4a48ab24201b92d9fde60943acda828d0f26548cf88069c3429b0

          SHA512

          9daca59d021e79c00fd08ad905574f0b978bcc4b35076e1b64c5ea83f2ba986eeaf3e5198e4dacb2289730442bd87b53cbd0229ec5948a95f29217c1f6ae14d8

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\55NCNXJE.htm
          MD5

          b1cd7c031debba3a5c77b39b6791c1a7

          SHA1

          e5d91e14e9c685b06f00e550d9e189deb2075f76

          SHA256

          57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

          SHA512

          d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\SAT0VDYG.htm
          MD5

          8615e70875c2cc0b9db16027b9adf11d

          SHA1

          4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

          SHA256

          da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

          SHA512

          cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          MD5

          ef572e2c7b1bbd57654b36e8dcfdc37a

          SHA1

          b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

          SHA256

          e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

          SHA512

          b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
          MD5

          5181f541a6d97bab854d5eba326ea7d9

          SHA1

          16d9967a2658ac765d7acbea18c556b927b810be

          SHA256

          b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

          SHA512

          c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
          MD5

          5181f541a6d97bab854d5eba326ea7d9

          SHA1

          16d9967a2658ac765d7acbea18c556b927b810be

          SHA256

          b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

          SHA512

          c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
          MD5

          5181f541a6d97bab854d5eba326ea7d9

          SHA1

          16d9967a2658ac765d7acbea18c556b927b810be

          SHA256

          b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

          SHA512

          c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

          Download Submit
        • memory/360-22-0x0000000000000000-mapping.dmp
          Download
        • memory/524-30-0x0000000000000000-mapping.dmp
          Download
        • memory/652-28-0x0000000000000000-mapping.dmp
          Download
        • memory/828-2-0x0000000007550000-0x000000000C7AC000-memory.dmp
          Filesize

          82.4MB

          Download
        • memory/828-3-0x0000000000400000-0x000000000565C000-memory.dmp
          Filesize

          82.4MB

          Download
        • memory/1348-10-0x0000000007400000-0x000000000C65C000-memory.dmp
          Filesize

          82.4MB

          Download
        • memory/1348-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1480-20-0x0000000000000000-mapping.dmp
          Download
        • memory/2292-26-0x0000000000000000-mapping.dmp
          Download
        • memory/2292-33-0x00000000072E0000-0x000000000C53C000-memory.dmp
          Filesize

          82.4MB

          Download
        • memory/2308-24-0x0000000000000000-mapping.dmp
          Download
        • memory/2348-23-0x0000000000000000-mapping.dmp
          Download
        • memory/2772-31-0x0000000000000000-mapping.dmp
          Download
        • memory/2844-8-0x0000000000000000-mapping.dmp
          Download
        • memory/2844-7-0x0000000002A40000-0x0000000002A41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3128-25-0x0000000000000000-mapping.dmp
          Download
        • memory/3504-32-0x0000000000000000-mapping.dmp
          Download
        • memory/3932-21-0x0000000000000000-mapping.dmp
          Download