General

  • Target

    576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

  • Size

    214KB

  • Sample

    220305-yqxbraaggk

  • MD5

    e609a4e0e0a91ebc8771fcc3f25c0990

  • SHA1

    c552fbec8d6679017b5e9dedd4f03e29cb4c8718

  • SHA256

    576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

  • SHA512

    0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: [email protected] ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 304-A75-56B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
