General

  • Target

    SecuriteInfo.com.Trojan.Encoder.33750.22954.16449

  • Size

    216KB

  • Sample

    210402-2bl9d2hk3x

  • MD5

    75c1ff39aac846286257e7186dc0096e

  • SHA1

    2e953e5958353e2590fd14300a492a786d6930d5

  • SHA256

    63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3

  • SHA512

    ac3875fc6eb8721c020365522e70f3e94464dc63fd7ba20d10c0c6baae41ab3d403c68d0a6785ee6b571d28647470548b79e07c13e19f69d207944f5581f16d8

Malware Config

Extracted

Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family: buran

Ransom Note:

    !!! ALL YOUR FILES ARE ENCRYPTED !!!
    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.
    To be sure we have the decryptor and it works you can send an email: kokolozombisam@gmail.com and decrypt one file for free.
    But this file should be of not valuable!
    Do you really want to restore your files?
    Write to email: kokolozombisam@gmail.com
    Telegraml: @Karla404
    Your personal ID: 2D0-876-029
    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails: kokolozombisam@gmail.com

Targets

    • Target

      SecuriteInfo.com.Trojan.Encoder.33750.22954.16449

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              | Technique                            | ID    | Signatures
--------------------|--------------------------------------|-------|-----------
Persistence         | Registry Run Keys / Startup Folder   | T1060 | 1
Defense Evasion     | File Deletion                        | T1107 | 2
Defense Evasion     | Modify Registry                      | T1112 | 2
Defense Evasion     | Install Root Certificate             | T1130 | 1
Discovery           | Query Registry                       | T1012 | 1
Discovery           | Peripheral Device Discovery          | T1120 | 1
Discovery           | System Information Discovery         | T1082 | 2
Command and Control | Web Service                          | T1102 | 1
Impact              | Inhibit System Recovery              | T1490 | 2