General
-
Target
12048.exe
-
Size
250KB
-
Sample
211208-nnvp2aaabr
-
MD5
41fd1099e6e46ddd0015c7c0ed9425a5
-
SHA1
9f9ee018b7deeffa22ab15ffac3326fddc70a0a2
-
SHA256
99ee7cf74c8de999f2a1cc8cefacad3c866a86e78c87a56323729bfad967a4e9
-
SHA512
3c7962c1e699046f7be9005a5ba2ece6f56f6e07fdae0f5ad0cb1c83aa55159f21f506f5c6dcf1490f35e00e72fcb1c340f047459f0f339a90303801dca95a9b
Static task
static1
Behavioral task
behavioral1
Sample
12048.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
12048.exe
Resource
win10-en-20211104
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Targets
-
-
Target
12048.exe
-
Size
250KB
-
MD5
41fd1099e6e46ddd0015c7c0ed9425a5
-
SHA1
9f9ee018b7deeffa22ab15ffac3326fddc70a0a2
-
SHA256
99ee7cf74c8de999f2a1cc8cefacad3c866a86e78c87a56323729bfad967a4e9
-
SHA512
3c7962c1e699046f7be9005a5ba2ece6f56f6e07fdae0f5ad0cb1c83aa55159f21f506f5c6dcf1490f35e00e72fcb1c340f047459f0f339a90303801dca95a9b
Score10/10-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-