Analysis

  • max time kernel
    93s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-04-2021 07:06

General

  • Target

    e826.exe

  • Size

    371KB

  • MD5

    e38ccca299db41904493bfc51ced614d

  • SHA1

    4b9a2c510913dc92cf8f5f879ab198fe5e54f544

  • SHA256

    fa789f56ef3f5075fc02c53cd937fe1580ae46217cf0a82bd4871043276fb086

  • SHA512

    961b03275cd76f4074e1c622216903678067f6115ce6f004be3c62939a13653891f87718e587a9155de999bf9d7c167a687290b7bab40443cf3395f9486ce654

Score
10/10

Malware Config

Extracted

  • Path

    C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

  • Family

    buran

  • Ransom Note

    !!! ALL YOUR FILES ARE ENCRYPTED !!!
    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.
    To be sure we have the decryptor and it works you can send an email: rootiunik@cock.li and decrypt one file for free.
    But this file should be of not valuable!
    Do you really want to restore your files?
    Write to email: rootiunik@cock.li
    Reserved email: TimothyCrabtree@protonmail.com
    Your personal ID: A38-0F7-12B
    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

  • Emails

    rootiunik@cock.li

    TimothyCrabtree@protonmail.com

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files (3 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself (1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (39 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e826.exe
    "C:\Users\Admin\AppData\Local\Temp\e826.exe"
    1⤵
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      2⤵
      PID:3776
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      2⤵
      PID:3840
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:932
    • C:\Users\Admin\AppData\Local\Temp\e826.exe
      "C:\Users\Admin\AppData\Local\Temp\e826.exe" -agent 0
      2⤵
      • Modifies extensions of user files
      • Drops file in Program Files directory
      • Drops file in Windows directory
      PID:2044
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:3596
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      2⤵
      • Deletes itself
      PID:2388
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4036
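Detection logic for the recovery-inhibition chain in the process tree above, as an added example that is not part of the sandbox report. It runs over process-creation events constructed from the command lines and PIDs shown (parent PIDs are inferred from the tree depth; the root's parent PID 0 and the two benign administrator events at the end are assumptions), classifies each command line against the five T1490 commands the sample issued, and rolls hits up to the root of the process tree so that the copies re-issued from ~temp001.bat count toward the same alert instead of producing separate low-confidence hits. The rules key on the command line rather than the image path on purpose: the report's child images sit under SysWOW64 while the command lines name C:\Windows\system32\cmd.exe, which is WoW64 file-system redirection for a 32-bit process, so an image-path match written for one bitness would miss the other.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Recovery-inhibition commands (ATT&CK T1490) as they appear in the process tree.
# Each rule is matched against the whitespace-normalised, lower-cased command line,
# so it fires for both the "cmd.exe /C ..." wrapper and the child it spawns.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("wmic_shadowcopy_delete",  re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("wbadmin_delete_catalog",  re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
    ("bcdedit_recovery_off",    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignore_failures", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. Parent PIDs follow the tree depth;
# PID 0 for the root and the two trailing benign events are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(3944, 0,    "e826.exe",     r'"C:\Users\Admin\AppData\Local\Temp\e826.exe"'),
    ProcEvent(3756, 3944, "cmd.exe",      r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    ProcEvent(3052, 3756, "WMIC.exe",     "wmic shadowcopy delete"),
    ProcEvent(3776, 3944, "cmd.exe",      r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    ProcEvent(3840, 3944, "cmd.exe",      r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    ProcEvent(2144, 3944, "cmd.exe",      r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    ProcEvent(932,  2144, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1188, 3944, "cmd.exe",      r'"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat'),
    ProcEvent(2308, 1188, "WMIC.exe",     "wmic shadowcopy delete"),
    ProcEvent(2204, 1188, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(3596, 3944, "cmd.exe",      r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    # Benign administrator activity (constructed) that must not trigger:
    ProcEvent(5001, 5000, "vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(5002, 5000, "bcdedit.exe",  "bcdedit /enum"),
]


def classify(cmdline: str) -> set[str]:
    """Return the names of every rule the command line matches (empty set if none)."""
    text = " ".join(cmdline.lower().split())
    return {name for name, rx in RULES if rx.search(text)}


def root_of(pid: int, parents: dict[int, int]) -> int:
    """Walk the parent chain up to the highest ancestor we hold an event for."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events: list[ProcEvent], threshold: int = 2) -> dict[int, list[str]]:
    """Group rule hits by process-tree root; report roots that used at least
    `threshold` distinct T1490 techniques, which is what separates this sample
    from a lone 'vssadmin delete shadows' run by an administrator."""
    parents = {e.pid: e.ppid for e in events}
    hits: dict[int, set[str]] = defaultdict(set)
    for e in events:
        matched = classify(e.cmdline)
        if matched:
            hits[root_of(e.pid, parents)] |= matched
    return {root: sorted(names) for root, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for root, names in correlate(SAMPLE_EVENTS).items():
        print(f"tree rooted at PID {root}: {len(names)} T1490 techniques: {', '.join(names)}")
```

The threshold is the design choice worth keeping: any one of these commands has a legitimate administrative use, but one process tree issuing several of them within a single run, as the tree above does, has no benign explanation.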

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                      Count  ID
  Defense Evasion      File Deletion                  2      T1107
  Defense Evasion      Install Root Certificate       1      T1130
  Defense Evasion      Modify Registry                1      T1112
  Discovery            Query Registry                 1      T1012
  Discovery            Peripheral Device Discovery    1      T1120
  Discovery            System Information Discovery   1      T1082
  Command and Control  Web Service                    1      T1102
  Impact               Inhibit System Recovery        2      T1490


Downloads

        • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          MD5

          ef572e2c7b1bbd57654b36e8dcfdc37a

          SHA1

          b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

          SHA256

          e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

          SHA512

          b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

        • C:\Users\Admin\Desktop\CompressUpdate.m3u.rootiunik.A38-0F7-12B
          MD5

          3c7b35c69b0d70507a5377dde0452347

          SHA1

          dc230c535e98111f223839c17ae48f73bfa2fcd8

          SHA256

          5f1a1636dabd0316c1e0db62529398bdbe511deaabd3796cf0fd4a4b0195883d

          SHA512

          b9a3001eaa36eff612f8a2f7d45318733c70e58876edb4ac8a627f0002948f4335570e4529b72af475d2013764fa3b5b32ea27bf614e62a8fd58dc01c6678eb3

        • C:\Users\Admin\Desktop\ConvertFromEnter.vstm.rootiunik.A38-0F7-12B
          MD5

          fa2e0af31e19386a2d085fff843d719b

          SHA1

          563ea5bdbb3f95d5addda8a0a811c58e4e3a3e14

          SHA256

          3793deb3702b80285707879c299384c7166a54cdbc6abee8103a300df6e3de06

          SHA512

          1e0e1ffc606d171029e6dc505deca0bfa62e4046d7219be0f3e66026ad133c625d529ab630604de8f675146754e014efdb6b32944df271f18c701c9e41fe6418

        • C:\Users\Admin\Desktop\ConvertProtect.png.rootiunik.A38-0F7-12B
          MD5

          bbafe49cf5a842049765f8d095a487cd

          SHA1

          0d381ff077c4ea5c87d23ef798b78cfbdecb5415

          SHA256

          03648f864fdcf39553a550c97f76f09e1e75553b793810b024e94fca06352333

          SHA512

          4afe7246b293403db57155d1ba83e1ed990d2c9afa4ecc40f4f4159199b14ca4a99c4181fcedff0b5b2c345635e3204c2456e5424c0e096324bd27a68646b0f3

        • C:\Users\Admin\Desktop\DenyOpen.html.rootiunik.A38-0F7-12B
          MD5

          8d0eee59e19b4032b2d470b046240627

          SHA1

          257b0b3bd459c93dfdfe3a3317101282a65198ab

          SHA256

          2fdce71a8922609bc0a7f67ae3ac4a285e23525423f1deb99f112bf73d2ecaff

          SHA512

          2a896c404ef6dc172b471b7fcd300ef1705fa3e5fe02e560bf695d78fed420777cdd4414814288d3141996f1ef74688a139df74a5c96957ddbcd6a1cd83e1f38

        • C:\Users\Admin\Desktop\EnableRedo.wdp.rootiunik.A38-0F7-12B
          MD5

          b0c7d771f47152908cded715ccbe3e59

          SHA1

          3a121d16401f2661e7c0f0612aafe7ef64200cff

          SHA256

          b8fef85e12e4a9c521892a5727c2ed8b943bb047632d6e36f5f4088b536b863f

          SHA512

          934e6244993157c7832820cbc74b941b7749872b4d2e3515432de4918ef21c254fbfe2d4ddeed25d1d776c212a8c3b33e640fcd3149c7a51db60ac65c331871a

        • C:\Users\Admin\Desktop\GetSearch.zip.rootiunik.A38-0F7-12B
          MD5

          3461d3d017b3a67cbd616eae7c346b40

          SHA1

          70d8e22ba41bc9efda8a9e24c6cd6bc22d24253f

          SHA256

          de0496e7da5d8afc4c39c8daef84dc70d799e986192c4906fcfc8bd582d3a231

          SHA512

          f4b14c6d496ed4072fd4ac8e3b810363eab1c285112a9faf3738bababd2b0b5e61aafeffc1c6a00ec8c773e5147f7d384dbc5c466af07aee0c590e6b416e811d

        • C:\Users\Admin\Desktop\JoinDisable.gif.rootiunik.A38-0F7-12B
          MD5

          66e7205b88755e871656b18445573363

          SHA1

          346193bb5131bd90573ab07bfdb547e41016abb9

          SHA256

          577ee1c639ae532d7bceedfb8d6deddbffa0d5ffa399b78b4f56c81b1014016f

          SHA512

          b9631b7d760f7a8b8978196bccb53a9388948862c7130084efc0a63f4ffe8d9a7ac0c3ec23f60dd002d3413aea1742b59bbdb23027f17db68c4b47b87c426ecf

        • C:\Users\Admin\Desktop\MeasureConnect.mov.rootiunik.A38-0F7-12B
          MD5

          07f7eca017ae311c99e95e1812f0c91a

          SHA1

          3d038c9d72bca23ec3dd5af50327e681cfd2431b

          SHA256

          ef9846a5b48d381e42d1cd83194931b59ddaa74d310b3a88b489457cd4d7ef58

          SHA512

          d9b8bd1897d1dd0552af3e00485592b86284c9927cdbe4f02e3adaac4247cc35bc45d8c6a7416ddf0f90ef6108033d8581ebf23fd6d6a6101d3c68fab60c8c60

        • C:\Users\Admin\Desktop\MergeRename.temp.rootiunik.A38-0F7-12B
          MD5

          b519bf1bffaa94592a4e4d4fc98953e0

          SHA1

          39a9278d5c49700bdc7e81559d1b9a444dbf4d0f

          SHA256

          96b60dbedbb4555b0c0c489fa9fe3df20463d264410dbfe362fba3b49929b77b

          SHA512

          8de8c8cde8b9354ac43e870ecd42e9a4099044da0c24f80ab35a1b2d141ae6d3f438a2a0548bfb7ba47832faf2f35dc2ddd6af793d511804ebd8ab5a2d592d0a

        • C:\Users\Admin\Desktop\RedoClose.au3.rootiunik.A38-0F7-12B
          MD5

          c2452935a58f753fd36886f856c1c042

          SHA1

          b0a5c4ae3ac056d2247e89bdad85a3fb3254b959

          SHA256

          9956923802935204246342eb1db8011229db854d7268ded2552f074013bb22e7

          SHA512

          e2cdf5f569ce56e2b1bcbda477aabda62de90f2191396df59ce1236c7a020f75512f0c461e6489782f899bc4956bdcd630d1a014b8f3678baf184c22c5d8dd78

        • C:\Users\Admin\Desktop\RedoStart.crw.rootiunik.A38-0F7-12B
          MD5

          ba17bbbc7546e274308950946440b172

          SHA1

          28d528a114a6b02ba247c81c82f53e2dc61d7706

          SHA256

          b78ce620e838c990700be54a166645d2bce30dab67894756ae48ee9667f5db04

          SHA512

          c81b36a4f8c382994f7595e2840f381548d9ebe0cbd6d5523b547bf702695d8cafe511fb6065666b3cc58bbaa702bd36a19b26ddf1294ab19338fa8833eac604

        • C:\Users\Admin\Desktop\RepairRedo.vbe.rootiunik.A38-0F7-12B
          MD5

          70f7ad310bca0a41fb027bd23cca577b

          SHA1

          5e3580b3e348b72971bdc782dd4e42a2bb2e8f7d

          SHA256

          a9f123111c7c04f878d915368bfbaf1bbe4fd22315516c14184722f82bb7cd8f

          SHA512

          7f0eabf04a13f5b062023107d3a89a47b67d68cae3817747d66dc149da2fcd5105ff84475275341bdc577b30a8248f1e7fc4d33d55d44bebb4fa713d36ab76f7

        • C:\Users\Admin\Desktop\ResetInvoke.ppsx.rootiunik.A38-0F7-12B
          MD5

          ca410ff23a73c1193bbed466a1979299

          SHA1

          a37cf57ba672706f2d9b1b4baa183c8dc5d2876b

          SHA256

          42ef9e320574b8a1fc93de8be9d43f01bd315ebc8c6175622377aeaa4c48c227

          SHA512

          eb4af9244a6cdb11f794bb47b117221daf3e5ce73c0474b3bd38befc42df776a524956e34b044a072576c1b2b267c6065d53f6bac7dbf141dc3ae097a60842dc

        • C:\Users\Admin\Desktop\RestoreSelect.ram.rootiunik.A38-0F7-12B
          MD5

          6d0627ea66397247b5bf6110b9dc96b9

          SHA1

          b1c9c9664a7d79fa9470bf8ece5d4d938a0e741f

          SHA256

          c67fbac38af777f0871cd22b5733ece556345349b52f24b5eb473abe6e2d73e6

          SHA512

          ab77d0c264552a8ae0db216ddf374a2644071fe081fec3a83d7fe0ac065cb7f6fb424bae30ef504e0208ada6210c0af15f965ac936bfe4aa50431c62a340c350

        • C:\Users\Admin\Desktop\RevokeGroup.scf.rootiunik.A38-0F7-12B
          MD5

          4e772a837e33cb09973e3e3480357529

          SHA1

          d57b364f06f82e0edf94c8cde8d9276d1ce2ca36

          SHA256

          4debb21757220f4250a41840654042af39bc7f80dfa5a57dac6609b382ace35c

          SHA512

          3e8f2079286a582327287190b77149c55564ce4f945785486d58f98c1619acafbf8e9d9e08702248a62e42ba1502e18aa202f67e39e01ae4becf0aff304d1e50

        • C:\Users\Admin\Desktop\RevokePush.m3u.rootiunik.A38-0F7-12B
          MD5

          845755406531406e53046009abde07ba

          SHA1

          3fac6b269a849a7dcb089a76b3eb0cc5c6a6a4f1

          SHA256

          660a3ffc6d1a9189533b40563eb86fadc150ebd86d3eb31b11fa75a02771c8b7

          SHA512

          a2f0587a078ae0dc101fe166398d4bb1bbc0f2ecef154d5ff67fcc60982ddedb0233e33963053c9460970a246f5bafdff27f7e5a9d78cf520ad98f4ec79395f4

        • C:\Users\Admin\Desktop\SearchPing.ico.rootiunik.A38-0F7-12B
          MD5

          9d703a0522935fa4e7f41c39a095cf9b

          SHA1

          5f130048127faece2c95572a83a3b170943634ee

          SHA256

          0095ca35c62e574d611e27956541833e4a3a3e9fe5015114d6831d255ab3280a

          SHA512

          022df0cb2c2b4d5f59a2663b40e704069e7f873c1aa003e36b966c345b400095095d062b76a4e39fb07717ef3b4e095b6f589f3459762ba4ebb3ae20e58c75db

        • C:\Users\Admin\Desktop\ShowMove.xps.rootiunik.A38-0F7-12B
          MD5

          b26b6eea4bc7c2a45f7e681034a2a1be

          SHA1

          7194eea3acdf90a95658396e7a33a7d208d12a37

          SHA256

          301a17608a547bdd60fc357c393b4329d152be850638e7df5fd40e2270364bfd

          SHA512

          97e79413089eda3b299abd9c6955f725c7d5fbde04ace58e7956a9ded7bcf8c588141f2b6cc2f7ef0a8935c2203762b96169e1d1d0ffb16b014f821a551bef41

        • C:\Users\Admin\Desktop\StartMeasure.pcx.rootiunik.A38-0F7-12B
          MD5

          425ca685072317daf77b18f00c2f1dda

          SHA1

          e71a0c2a5288477678ba54b41340088c5cc71ed8

          SHA256

          caaaafcb452f10f569e83c7590ad43d56061ecec9b9ade59044b7784c94ec03b

          SHA512

          83eeeb958b7b5810e4dc7819a47e756dc5b31118d76e73bc8e33ee06a909c013a87e4c08b42063f4dea87efd3cf17a06e87539f04c20f7f7ba5d9de443022cd5

        • C:\Users\Admin\Desktop\StopSplit.ttc.rootiunik.A38-0F7-12B
          MD5

          7e527d0c6ed0897a0133b63aa9bcc269

          SHA1

          a0e0af0b9596b96025b3b85f6415ed885e2df72f

          SHA256

          2143c6452ca1caa7f652c1661e86a1ebb4a1426caa19c8c32ae6ccf0133061a8

          SHA512

          8ea2255695f5a1c8301176aaddefc0ac44e31866bc3b6088cae3769e81a4c2a4326799e795f479b4531eb9e0e7062ae210eb516a540e57047b2c100e468b5bbc

        • C:\Users\Admin\Desktop\UndoRequest.otf.rootiunik.A38-0F7-12B
          MD5

          66e3d1760cc8f8d4958fef3db3c671c3

          SHA1

          2a6993d3f42bbfe84e5bcd936439fc24514eb7ce

          SHA256

          cbb927d0bf165ba403086dedb18ef7ee2f8e4982439fd4ee6294627cb3627018

          SHA512

          3d24dd79c15262c02cf448982a35a3f54e8eb9af3d7955989943fd36a68cff7dcda7a1b12bd49c9cf388afa5fd667d3a055d8d0181748153528c87e2bef7c178

        • C:\Users\Admin\Desktop\UnpublishShow.M2T.rootiunik.A38-0F7-12B
          MD5

          4b64ce1e1398e237540d686c4345985b

          SHA1

          f3a78852d478eafef24bb5ed08fc28087bdf3913

          SHA256

          42e6d5efb7868d4af36bb19cc57919ae90cae66cbba78d842a3f3f7403898931

          SHA512

          f7e0af722702012bf02b337e0e046d7f72b94d00d73a34493d2c9bf2a76866b8f0096143d223dca05e85bc368e282aa364867fee57fe3d7bd103cf525bec6364

        • C:\Users\Admin\Desktop\WatchStop.mov.rootiunik.A38-0F7-12B
          MD5

          933d1bbb2bf59948f2729aa29f6f1c71

          SHA1

          51cf7aa01381fe05b5558ba2479ee1eb3c4fc327

          SHA256

          7a5e0b1d96cd15b1616d2a375447a02c7836c4d19c9543b836db153bd3e99848

          SHA512

          4ba412f4f91f43a15536e2ef21b45334d82571b9fa7f9b443a0a0559672a4f24d4c3b42586f0288d276125adb00558a6e3f420a0a83b80260af9be29945f8eb4

        • memory/932-124-0x0000000000000000-mapping.dmp
        • memory/1188-121-0x0000000000000000-mapping.dmp
        • memory/2044-122-0x0000000000000000-mapping.dmp
        • memory/2044-128-0x00000000024C0000-0x00000000024F7000-memory.dmp
          Filesize

          220KB

        • memory/2044-129-0x0000000000400000-0x0000000000855000-memory.dmp
          Filesize

          4.3MB

        • memory/2144-120-0x0000000000000000-mapping.dmp
        • memory/2204-127-0x0000000000000000-mapping.dmp
        • memory/2308-126-0x0000000000000000-mapping.dmp
        • memory/2388-153-0x0000000000000000-mapping.dmp
        • memory/2388-154-0x0000000000B60000-0x0000000000B61000-memory.dmp
          Filesize

          4KB

        • memory/3052-123-0x0000000000000000-mapping.dmp
        • memory/3596-118-0x0000000000000000-mapping.dmp
        • memory/3756-116-0x0000000000000000-mapping.dmp
        • memory/3776-117-0x0000000000000000-mapping.dmp
        • memory/3840-119-0x0000000000000000-mapping.dmp
        • memory/3944-114-0x0000000000970000-0x0000000000ABA000-memory.dmp
          Filesize

          1.3MB

        • memory/3944-115-0x0000000000400000-0x0000000000855000-memory.dmp
          Filesize

          4.3MB
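An added example, not part of the report, that turns two of the artifacts above into reusable triage logic: it extracts the contact e-mails and victim ID from the ransom note in the Malware Config section, parses the encrypted-file naming convention visible in the Downloads list (original name, then the attacker's e-mail local part, then the victim ID: CompressUpdate.m3u.rootiunik.A38-0F7-12B), and cross-checks that a file's tag and ID belong to the same campaign as the note. The three-hex-triplet shape of the victim ID is inferred from the single ID in this report and is an assumption, as are the three constructed negative file names in the sample list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Naming convention observed under Downloads:
#   <original name>.<original ext>.<attacker e-mail local part>.<victim ID>
# The victim-ID shape (three hex triplets) is inferred from the one ID in this report: an assumption.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<tag>[^.]+)\.(?P<victim_id>[0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$"
)
VICTIM_ID = re.compile(r"personal ID:\s*([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Ransom note text as dropped by the sample (C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT).
RANSOM_NOTE = """!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases
and other important files are encrypted. You are not able to decrypt it by yourself! The only
method of recovering files is to purchase an unique private key. Only we can give you this key
and only we can recover your files. To be sure we have the decryptor and it works you can send
an email: rootiunik@cock.li and decrypt one file for free. But this file should be of not
valuable! Do you really want to restore your files? Write to email: rootiunik@cock.li
Reserved email: TimothyCrabtree@protonmail.com Your personal ID: A38-0F7-12B Attention!
* Do not rename encrypted files. * Do not try to decrypt your data using third party software,
it may cause permanent data loss."""

# Two names from the report's Downloads list plus three constructed negatives.
SAMPLE_NAMES = [
    "CompressUpdate.m3u.rootiunik.A38-0F7-12B",
    "UnpublishShow.M2T.rootiunik.A38-0F7-12B",
    "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",  # the note itself, not an encrypted file
    "report.docx",                               # constructed: untouched file
    "other.pdf.rootiunik.B12-3C4-D5E",           # constructed: same tag, different victim ID
]


@dataclass(frozen=True)
class NoteIocs:
    emails: tuple          # order of first appearance, de-duplicated
    victim_id: str | None


def parse_note(text: str) -> NoteIocs:
    """Pull the contact addresses and the per-victim ID out of a ransom note."""
    emails = tuple(dict.fromkeys(EMAIL.findall(text)))
    m = VICTIM_ID.search(text)
    return NoteIocs(emails, m.group(1) if m else None)


def parse_encrypted_name(name: str) -> dict | None:
    """Split an encrypted file name into original name, attacker tag and victim ID."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def link_files_to_note(names: list[str], note: NoteIocs) -> tuple[list[str], list[str]]:
    """Return (original names of files attributable to this note, everything else).
    A file is attributed only when its tag is the local part of a note e-mail AND
    its victim ID equals the note's ID, so a second infection with a different ID
    is not silently folded into the same incident."""
    local_parts = {e.split("@", 1)[0] for e in note.emails}
    linked, unlinked = [], []
    for n in names:
        p = parse_encrypted_name(n)
        if p and p["victim_id"] == note.victim_id and p["tag"] in local_parts:
            linked.append(p["original"])
        else:
            unlinked.append(n)
    return linked, unlinked


if __name__ == "__main__":
    note = parse_note(RANSOM_NOTE)
    print("contacts:", note.emails, "victim id:", note.victim_id)
    linked, unlinked = link_files_to_note(SAMPLE_NAMES, note)
    print("attributable:", linked)
    print("not attributable:", unlinked)
```

The recovered original name is what a restore-from-backup job needs, and the victim ID is the key that ties a note found on one host to encrypted files found on a share or a second host.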