Overview

overview

10

Static

static

1184.exe

windows10_x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    1184.exe

  • Size

    250KB

  • Sample

    211209-x7479afaar

  • MD5

    17ba757ef56ce371b152db6a3c0dd288

  • SHA1

    094f68da6ba10ce0b30815e9179aa59f67b454ef

  • SHA256

    4091eb184d556bdb2234d8cc85042546264defc1fcc791538813b755d9255c86

  • SHA512

    6b375cdf488498f3fae0992d7636ea1d701625abdc07425be244a1524d89887908f2ec548cf9bb8a72578adc0bfd9509559c3dced1be3f5c0bfe3484d00868ae

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 4AE-A5A-936 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      1184.exe

    • Size

      250KB

    • MD5

      17ba757ef56ce371b152db6a3c0dd288

    • SHA1

      094f68da6ba10ce0b30815e9179aa59f67b454ef

    • SHA256

      4091eb184d556bdb2234d8cc85042546264defc1fcc791538813b755d9255c86

    • SHA512

      6b375cdf488498f3fae0992d7636ea1d701625abdc07425be244a1524d89887908f2ec548cf9bb8a72578adc0bfd9509559c3dced1be3f5c0bfe3484d00868ae

    Score
    10/10
    buranpersistenceransomware

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

      ransomwareburan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks