General

  • Target

    March 4.scr.exe

  • Size

    812KB

  • Sample

    210308-wpm8vyg2tx

  • MD5

    5181f541a6d97bab854d5eba326ea7d9

  • SHA1

    16d9967a2658ac765d7acbea18c556b927b810be

  • SHA256

    b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

  • SHA512

    c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: filescrps@protonmail.ch and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: filescrp@420blaze.it Reserved email: filescrp@yandex.ru Your personal ID: 6E3-F5F-F7F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

filescrp@420blaze.it

filescrp@yandex.ru

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: filescrps@protonmail.ch and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: filescrp@420blaze.it Reserved email: filescrp@yandex.ru Your personal ID: D79-C4F-B40 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

filescrp@420blaze.it

filescrp@yandex.ru

Targets

    • Target

      March 4.scr.exe

    • Size

      812KB

    • MD5

      5181f541a6d97bab854d5eba326ea7d9

    • SHA1

      16d9967a2658ac765d7acbea18c556b927b810be

    • SHA256

      b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

    • SHA512

      c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks