Overview

overview

10

Static

static

3346.js

windows7_x64

10

3346.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3346.zip

  • Size

    319KB

  • Sample

    210811-al1kb163g2

  • MD5

    6744b64d318cfeea92c755301cb93a95

  • SHA1

    dc8acdc92897111d6322b1eb016793f944ebcc39

  • SHA256

    84825c5810241c7a092119d19b92165b11774135d9557d7c54212bd6ccaa5a24

  • SHA512

    893b8b1026ccd8f0e4b3497b78b7577322f57ddb77cdfa3431b2b7f7523940a39b9d0d772eebf4a1684f2159f5b44b704c4f6b2a1d8a0f4da8caa4afa8050e86

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kd8eby0@inboxhub.net and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kd8eby0@inboxhub.net Reserved email: kd8eby0@onionmail.org Reserved email: kd8eby0@nuke.africa Your personal ID: 12B-343-43A Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

kd8eby0@onionmail.org

kd8eby0@nuke.africa

Targets

    • Target

      3346.js

    • Size

      530KB

    • MD5

      7e23a9a840725f3431ef5825c6ab6839

    • SHA1

      b9f307ac96ded5c42d931f7c4355756164ca0123

    • SHA256

      09eeec589e425f4da6dc1587e49f7f32c17f4c9e026b10c2360e5b3f72699ca7

    • SHA512

      51f027140d19f3b493d91a664d4c8bf2514b38c210f28178948a21d56fcde0ed99a068d7c0d04b9b3012ad03fc5be6e88d8e0f78aeb55bb919a2170a7e47da92

    Score
    10/10
    buranpersistenceransomware

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

      ransomwareburan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks