Overview

overview

10

Static

static

7114.js

windows7_x64

10

7114.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7114.js

  • Size

    924KB

  • Sample

    210810-89dl5weby2

  • MD5

    07f090249cbb74e99d45ef1b7736fb4d

  • SHA1

    17a7c3ccdf04a6cbc08b514e818ba26a150dbea9

  • SHA256

    ce60311f972334032b25221385076f68474c28b6249e292b6925af9f16acb07e

  • SHA512

    4a54a6824ab0e99ca656100e230f348289f9a56c6f69298f83e08b81c08267d47d2518175ae68d1d7729ed7252b8b08815926e0b0f8da6f56737bb2d7b817440

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kd8eby0@inboxhub.net and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kd8eby0@inboxhub.net Reserved email: kd8eby0@onionmail.org Reserved email: kd8eby0@nuke.africa Your personal ID: 135-E79-87E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

kd8eby0@onionmail.org

kd8eby0@nuke.africa

Targets

    • Target

      7114.js

    • Size

      924KB

    • MD5

      07f090249cbb74e99d45ef1b7736fb4d

    • SHA1

      17a7c3ccdf04a6cbc08b514e818ba26a150dbea9

    • SHA256

      ce60311f972334032b25221385076f68474c28b6249e292b6925af9f16acb07e

    • SHA512

      4a54a6824ab0e99ca656100e230f348289f9a56c6f69298f83e08b81c08267d47d2518175ae68d1d7729ed7252b8b08815926e0b0f8da6f56737bb2d7b817440

    Score
    10/10
    buranpersistenceransomware

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

      ransomwareburan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks