Overview

overview

10

Static

static

4085.js

windows7_x64

10

4085.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4085.zip

  • Size

    473KB

  • Sample

    210810-zltdy216je

  • MD5

    5de02f78f0770567af9c1394dacaff85

  • SHA1

    789fdf4a4f55a8731b5726250d8ebd4603a64e44

  • SHA256

    1b6d6a929b270d3fd04c33dd11e0517bc96d6bc17f39ba9dc521e75209e1f410

  • SHA512

    fa4689350c6d069d9daa48a5f99fcaae5f853f22bea23dcb3fbd025d3686d624437e95eb55536874dd85cf1f9015b95dfb16f6ed3db4e429d6a7828c4c83992e

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kd8eby0@inboxhub.net and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kd8eby0@inboxhub.net Reserved email: kd8eby0@onionmail.org Reserved email: kd8eby0@nuke.africa Your personal ID: 3AD-FC4-CA7 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

kd8eby0@onionmail.org

kd8eby0@nuke.africa

Targets

    • Target

      4085.js

    • Size

      776KB

    • MD5

      b6e9c6f1113c92ad6757266ae75769a2

    • SHA1

      9190e8d268db4deb7cd97624b17cba6617244699

    • SHA256

      9fca4b9bb2238dec26fc6b6161dc9d62647883966f1cfd661537fb8c097ff4fe

    • SHA512

      1684c2350b540da9326159455cb57937a2fefc1b97f1231c12cc66ffa601f71ce52096d5c37737d644c49b1c9ae7b5e33eb86890b1405a79d2aa364afbc1f09b

    Score
    10/10
    buranpersistenceransomware

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

      ransomwareburan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks