Analysis

  • max time kernel
    161s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    12-02-2022 06:04

General

  • Target

    522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe

  • Size

    214KB

  • MD5

    82663d9b96e1cb72bab78a9f56a50678

  • SHA1

    29a5bd379073cd3073764a4f45fac283b0febcd2

  • SHA256

    522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774

  • SHA512

    3b2ba0a58482d310a4b3f044bfa88b5ce91b7a293e4241c8dc2e477029cd78e2df7d00dfee8b4213f87a26dce9c84e31807f8e503becbc64a97fe1f3bf5ac36c

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

  !!! ALL YOUR FILES ARE ENCRYPTED !!!
  All your files, documents, photos, databases and other important files are encrypted.
  You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
  Only we can give you this key and only we can recover your files.
  To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
  But this file should be of not valuable!
  Do you really want to restore your files?
  Write to email: [email protected]
  Telegram @payransom500
  Btc 500$ adress bc1qas8m3c2jv4uyurxacdt99ujj6gp6xt4tqeul8l
  Your personal ID: 106-812-35C
  Attention!
  * Do not rename encrypted files.
  * Do not try to decrypt your data using third party software, it may cause permanent data loss.
  * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe
    "C:\Users\Admin\AppData\Local\Temp\522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          PID:3208
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:1828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        PID:1660
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2368
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4028
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC.exe shadowcopy delete /nointeractive
          4⤵
          PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        PID:2756
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:3592
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3680
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4624

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    File Deletion (T1107): 1
    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 3
    Peripheral Device Discovery (T1120): 1
  • Command and Control
    Web Service (T1102): 1
  • Impact
    Inhibit System Recovery (T1490): 1


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\DYSYYABC.htm
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\LVU1ZDUG.htm
  • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (same MD5, SHA1, SHA256 and SHA512 as the submitted sample, i.e. a copy of the original executable)