General

  • Target

    5613.js

  • Size

    137KB

  • Sample

    210831-ten5p7srbs

  • MD5

    220af76150e7b8e51b12c322002d36db

  • SHA1

    b5befee69c32ecaa162808192f3c0f42cde731cd

  • SHA256

    924b39a646b7ba75fff348033897597b52f1a81af1830beeb279dca1556bd39b

  • SHA512

    d540686c0415d11be1bd65e1f55313ee0e0a7bd543eda231188daee9a39aa5c2471b19e730b74a397d5d5826e7c9ee21e86f2168b696c7ff8e5a8b7a261b2328

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (ps1.dropper)

    https://jolantagraban.pl/log/57843441668980/dll/assistant.php

Extracted

  • Path

    C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

  • Family

    buran

  • Ransom Note

    !!! ALL YOUR FILES ARE ENCRYPTED !!!

    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.

    To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
    But this file should be of not valuable!

    Do you really want to restore your files?
    Write to email: [email protected]
    Reserved email: [email protected]
    Reserved email: [email protected]

    Your personal ID: 287-562-BB8

    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      5613.js

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks