Analysis

  • max time kernel: 4294208s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20220223-en
  • submitted: 05-03-2022 18:01

General

  • Target: 442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
  • Size: 214KB
  • MD5: 2f1ecf99dd8a2648dd013c5fe6ecb6f5
  • SHA1: 121c377693b96eef8e84861f091ef47e6fb6cae5
  • SHA256: 442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024
  • SHA512: 793eb6a3f3d0323b0749a35e372c9fcde15a912f32d74fc5fa0fc104c32d8348f431347fefd1c34e3d51d9b20432f8e66b9ae3b9523b4b4b21e76b6fd2ae8219

Score
10/10

Malware Config

Extracted

  • Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  • Family: buran
  • Ransom Note:
    !!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: uspex1@cock.li Reserved email: uspex2@cock.li Your personal ID: 42A-DB3-1AF Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
  • Emails:
    uspex1@cock.li
    uspex2@cock.li

Signatures

  • Buran
    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Modifies extensions of user files (2 IoCs)
    Ransomware generally changes the extension on encrypted files.
  • Enumerates connected drives (3 TTPs, 24 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Drops file in Program Files directory (64 IoCs)
  • Program crash (1 IoC)
  • Interacts with shadow copies (2 TTPs, 2 IoCs)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (55 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
    "C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe"
    1⤵
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      2⤵
      PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:540
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      2⤵
      PID:1868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1748
    • C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe
      "C:\Users\Admin\AppData\Local\Temp\442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe" -agent 0
      2⤵
      • Modifies extensions of user files
      • Drops file in Program Files directory
      PID:2004
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 196
        3⤵
        • Program crash
        PID:1740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • File Deletion (2) T1107
    • Install Root Certificate (1) T1130
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (1) T1082
  • Command and Control
    • Web Service (1) T1102
  • Impact
    • Inhibit System Recovery (2) T1490


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          MD5

          ef572e2c7b1bbd57654b36e8dcfdc37a

          SHA1

          b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

          SHA256

          e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

          SHA512

          b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

        • C:\Users\Admin\Desktop\ConvertFromCopy.vsd.42A-DB3-1AF
          MD5

          d911cc2b188defb8cbbd06dd96dae331

          SHA1

          de68da4414f8fe148ef1ac78c81f49242930b709

          SHA256

          1e31f1c5c237f8a916aa8948db9191b041a64e50e9d54d8041f3c8cc4bd771a4

          SHA512

          1e8a66f3ddf863d16653d39041097e7fc68d58ff7db1a9c167093aa228371136eb8909df4da5b3f89749506d506a3d4db5ede84bb8d4209a1ff3e5860834e144

        • C:\Users\Admin\Desktop\DisableBlock.contact.42A-DB3-1AF
          MD5

          1a1c540a7bcc7f186a2b7b3a41340d58

          SHA1

          6c6f80e0b6669e6bee971a62e28dddf1b32c2fc7

          SHA256

          5530fe4575064f3166b89f7f83c6cf3f00b53427d53bdf55f7ec48ea8c601951

          SHA512

          058cf05d5c0e929369c0992acc35f559ca72b284d86118288d2a8aa1539b09c1a9628e7b9bc166c8465f5a2c4f7c77b30e0c7bd483ed826de7cf733a91b7ad9c

        • C:\Users\Admin\Desktop\DisconnectDebug.mht.42A-DB3-1AF
          MD5

          b27ce1968aace270ec36f933da8a37bf

          SHA1

          0c658c0ca313c22aa4ad324c55305d2f9f72f010

          SHA256

          ed53220ead700f057b78c4fd4870ce8a9a9132a8f5140c4d3c4d87006e65b9c2

          SHA512

          07d2740ce835cd07185daeac20a5430e0e9f942d35bb04a7992ab115404cdf401c18ec3ce1cc2753d45b48ccbfbd7bc5ab0098b193a0ae101754724cbd3e8750

        • C:\Users\Admin\Desktop\EnableProtect.vsd.42A-DB3-1AF
          MD5

          9a31863af4c5d7c80a539847dfd7a626

          SHA1

          86aa8f1aa17d32e83aff1cb3d23489bd791b414c

          SHA256

          d286ce65d537f0b173170dc86e49a9892ba48d3f708dbb14174036acf27fddaf

          SHA512

          f752858d71d12348e0cb7dbeab0ab75e428e9c2b9c55a8eab46480531fe4e0a6fbeff1f40695c2778fa4bfe8ecc31dcaba0b248feabfd79cf8954ac86638aafc

        • C:\Users\Admin\Desktop\EnterExpand.dib.42A-DB3-1AF
          MD5

          a7b19f63c38f6fd7b3f8fdf749bba797

          SHA1

          af5caf53cbfd4b9dec8ef404adab4d3a053b19e1

          SHA256

          702b2cc4f83fc014df136ad47cf1cd297a670d746dda3db2e5a239b51816a4ff

          SHA512

          6ed9c7d845351ee19a925613e2dd80ac039c211215fec8334d780de1f54775b37832c65c1a8214b981f5589186919e0efb78c7cf653a87d8e374b56198dc7cf4

        • C:\Users\Admin\Desktop\GetSuspend.mpe.42A-DB3-1AF
          MD5

          448062c21b0a384f15afd3f3093195de

          SHA1

          dba80a1c87287c9bf3a310a74086ab6bf6db2fca

          SHA256

          c3815317654e2c1433b5c38b8230d40454cf8f8f5e1d0f4a1e11eb89fd338134

          SHA512

          78d8358b727e8adf27920707e54074b027f379eaac27094e9ac62b1318822fa164f820c8d767b2fa6d248f6e620e877d6307e9fa7642f75f791f27cb69e98bb9

        • C:\Users\Admin\Desktop\GroupBlock.txt.42A-DB3-1AF
          MD5

          09baeb96c08babc646163c8da3a69cb9

          SHA1

          7074f66a258e1ee4812148f665e197b715d3f992

          SHA256

          8b6d145ba48852a1fd277cce6229c0aeafd677c29179b8485ed1d9c49b813465

          SHA512

          81664176903713fe0d4838f1e1af5d491f39228264164711dd29d56a7c82079eb4c3546185387facc49592213684405470e70f8bcc51fbc1104853830a005945

        • C:\Users\Admin\Desktop\HideUpdate.jpg.42A-DB3-1AF
          MD5

          a3a4f8825c7cbafbc16b501751044dbf

          SHA1

          14a057a2aea5f5a43c38f7c1bcf5beb325190940

          SHA256

          4870ccdfde81f38384c3255cc43782e117b4f32dc93c5db825aa222b6c60de54

          SHA512

          c82317255796aa9a4c78d0dbed4160c981b3524896274902ffe01a4483b392643d2fadea712e2cae355d392ca1501bda17f905a82b88c058dc9a20257469b3cc

        • C:\Users\Admin\Desktop\MountSearch.iso.42A-DB3-1AF
          MD5

          e006d6c02cd7c388027fb975e801492d

          SHA1

          b24e551729e7a837e6041f6bcf754d4dd2a03fdd

          SHA256

          6561d336387f0faa7b792407fb5136b76792c5220b715c44c05132eba60557ec

          SHA512

          85b401231b23f2cc5352e7963606457b8da3c5ed857b3cf1b3c164895b06854728b1c27fa7990a094ad97cb6bafdbd166820a26bcdd1ae81be71264b534c0b3b

        • C:\Users\Admin\Desktop\OpenGroup.vbe.42A-DB3-1AF
          MD5

          17d25e40bb8d38bceb2148026fb3e06a

          SHA1

          4a1c08c630725f57e90815eddffd3a901a232e0b

          SHA256

          60e59a72b4393cc23f9e038fdce9aeb436e2e43cb31a76af5dc4efa96ca59001

          SHA512

          c564f906cabbaf0c10b0a54332f84390357ebc1401c0cacd54a57802fe57621f2fabc318791ac9b4018b9f1b7855f122740ecd8f2c5a5a035f1f16adcd81d02c

        • C:\Users\Admin\Desktop\PopComplete.vst.42A-DB3-1AF
          MD5

          b40269c796101e8ae5a337b5c7560275

          SHA1

          c3beb542ef5bc66078d116629645f579dd28cf6d

          SHA256

          c1b3e5b679f2611138c95a88bedf85f391d750e2c396e33201d26a9ba3fcd94a

          SHA512

          ffa5bd16712599aeed1c3399a3ae35b2c6f07870674ad1ac58a726f7d3ef3d7c6a6b306ca1ede4569ac19d262f483f80649f7aab6ea666a0f4a2e81413b1f11a

        • C:\Users\Admin\Desktop\PopReset.pps.42A-DB3-1AF
          MD5

          790d6fc7b3a40cc4dde2a98a2fc49791

          SHA1

          d7b210e673598bef8c15abccc8c657c86b72fa6c

          SHA256

          2f4fb97a1801cc8bbcbb75576010d56224c836ea94963d76f4cd0004d9cacc75

          SHA512

          b07a5d2b3c350c69ac7e92366a48a1b609c7bb1f49592f3dcf53db61560d93e3dc275c57bcfbaa4c8ffbc7fa3d91f49ee38f7c522137a65825a97ecbcd3d8847

        • C:\Users\Admin\Desktop\ReadLimit.rtf.42A-DB3-1AF
          MD5

          8f345f49f9ef07049c828c008e158d36

          SHA1

          e95ff32048b0111fcc6a14734058a6277f25a8ef

          SHA256

          0c76558a48073b684aebd51774a4eee72de0bdb031b4a9e36455a63c26955634

          SHA512

          19748d13b6899b12841ecb20d98e795a86e9cc3f7d3906cf520299b8968b0dbfc07068f0649032c2fdee7efc5f093909dd9db0a8464071cdee6b05ddf48f49b6

        • C:\Users\Admin\Desktop\RepairConvertTo.iso.42A-DB3-1AF
          MD5

          335e234a45ba5e752bf55564a473db62

          SHA1

          a801c596a8b9c0b5d4c5c017e01f8bfa04000fcb

          SHA256

          ce559d3ab8541bafd12802cf36aac5b8206e468fdc339f87109ebddffffed94d

          SHA512

          11aac73e5ea4509eacc8381c47a8cbd2e5564f70edf25662d3634ff6e1454d7c61da5cc19e66e8e42f502273e14a5be18e80f869c14633d76ad354eeb380e990

        • C:\Users\Admin\Desktop\RequestProtect.mhtml.42A-DB3-1AF
          MD5

          472e6f627cf64f3fb888f59c6d25c3a7

          SHA1

          4a0997926d12537fb3da57556e5a1b626f053ddd

          SHA256

          56d7a687c2c1037fe0ef144bf8c7e21c97ca8070c0a73716e4e28acb6ffebc6a

          SHA512

          1749777538875b98802e70058143f188b94c971b41a26fbd8d368595f67d12d815914dcce38e042a2aabce389ac6243810f8f4599f9aacbe84bfdd35daebece5

        • C:\Users\Admin\Desktop\ResolveInstall.wma.42A-DB3-1AF
          MD5

          abbdcc6ae87f1908e2137cc664038a94

          SHA1

          38155d07d4291d99f203f9cac23922d7cd4f2723

          SHA256

          92d55f1950ee0bcf876bb2c1086caab32211392529807fca49c70845c1ba3eb4

          SHA512

          43be620624899f7fd3641778313384303dae275453a326fae3c26bea4c6d1ae963f218bc74494ae4f871ae3e6f2ce65f0aef33506f55716c99cd1b63ddd7932e

        • C:\Users\Admin\Desktop\SaveExit.ex_.42A-DB3-1AF
          MD5

          b3be15cd2994ce67db6197d74f016428

          SHA1

          1b2c022232a10480440b1bb3588c6caeb6c5125c

          SHA256

          3a3e53a4996afe8c14ea58d0aca86cddefa600e2bad7047d130501a5adc3618b

          SHA512

          bcf0dc85f6ab14738965080512dee720308b0ad6706b0ad77b446f0722dd59aeb1be4dd603069baed57f0424c7a0b45d8cab96d4f9a87dd67f58ae6505579a43

        • C:\Users\Admin\Desktop\ShowSend.xlsm.42A-DB3-1AF
          MD5

          5ff14d39df216422b40ee8c221be1102

          SHA1

          c7dd1453ab64d48ea078fe60c50e92fe16558b87

          SHA256

          edefa84d89f2669aac02aa1a465f9359eba8c790470098cff2e9de97c35ca81b

          SHA512

          5e37baa5325984f7f4fb056cf178c322c8b6d98e85679bff444de0faf144b2360069997ca4d42fc7992f6627c5268df3f097ee2dca92d4d38e2fec6c11ecccfb

        • C:\Users\Admin\Desktop\SkipSubmit.vssx.42A-DB3-1AF
          MD5

          d5611b15a4dc4363408485d65fdb9c17

          SHA1

          31337f7cef29ab409b433fde4df8896d641a6cad

          SHA256

          8b7f647acc6181d3c44fbabd1d309a21edcb63250c3b87dc99c095e16387d7e9

          SHA512

          d379cd7b317827c880104fd94175efc0d46f48107fb5890364555b59f5ff71bde97c9f00de15e15ca416c3fe05788f736177302a7e4357b1f5112e4450131171

        • C:\Users\Admin\Desktop\SplitNew.odp.42A-DB3-1AF
          MD5

          66d0f848f7993c02e0ca070d5a277adf

          SHA1

          9c6c1385aa22b9ed348765f19b679130030ccd08

          SHA256

          37f6d7ba82d1d79a00b8eb0415abc6f62460e6ce464c8b18fd2864e54fcfc80c

          SHA512

          55fd6350a368b4855c6ed954a5fbdcc94318936dab2e0821833fb5fe07127dce353ff75f883f280765cd8217bd3b97eee362e6d23ec75061f461989ec573df4b

        • C:\Users\Admin\Desktop\SuspendRestore.mov.42A-DB3-1AF
          MD5

          f723f11e7adfea3cca376ae4fa997eec

          SHA1

          9309c5ef94acbd1905f7c6d89434c971b603d7ac

          SHA256

          714f606793b5fbe0f85c2df6953cc80b87eb85dd4a4d55e3b1edfb44bb297838

          SHA512

          2ae1194433bade9fa1106513609f156711f7a758dce614c68df0ed822509b7c21e5ad5105f6649d0c058f060700db30dc27c2d054e9db1e273d7840087992cc4

        • C:\Users\Admin\Desktop\TraceRemove.raw.42A-DB3-1AF
          MD5

          b00452834663cff2de5cba9ccd0f8655

          SHA1

          c8d0524fd09250f951b04819df6752d0ad3277ba

          SHA256

          e2ba45fe1796e2a21201e1184f9b8ec4d9e8c1a4448bb4efdcd04e5e30676d61

          SHA512

          d4f08d3cb3a202947dcdcc69594a6fd67f0bee83f0b96dcc20685a3f384eab436fffe80eb6ffe52efd6e87baef670f11b3ad7c641dcd922fdc8af5547a6680bc

        • C:\Users\Admin\Desktop\UnblockApprove.ps1.42A-DB3-1AF
          MD5

          8ddda32b5638ecdd22a21a9e999a0e4e

          SHA1

          9587a69bf37c35165e439b7039840956a4bcb718

          SHA256

          cba803f5f8438f8608f00de58dfdf3912edc2935492a293e3a9bf98067ddb9ae

          SHA512

          df91df31ff3d1e0da4d36ba6dfacd9225a27227e1f68f2f1c62c7bd3fbf33bf15514b134f4ac3502478daf871f601cf89fe3a595e2f87c961f13ccc1324a620b

        • memory/1136-80-0x0000000000080000-0x0000000000081000-memory.dmp
          Filesize

          4KB

        • memory/1160-54-0x00000000752A1000-0x00000000752A3000-memory.dmp
          Filesize

          8KB