Analysis

  • max time kernel
    152s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-03-2022 20:09

General

  • Target

    1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

  • Size

    2.7MB

  • MD5

    4301b4d1cb937816ffe288401d8938bf

  • SHA1

    14126bcc7b1a7ec96114fb28a74c6a4d7e008246

  • SHA256

    1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

  • SHA512

    82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Malware Config

Extracted

  • Path

    C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

  • Family

    buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
Your personal ID: 7D4-071-1F1
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
    "C:\Users\Admin\AppData\Local\Temp\1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        PID:3768
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:3788
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:3808
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3816
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        PID:3664
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      2⤵
      PID:3792
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:3304

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1107 File Deletion (1)
    T1112 Modify Registry (2)
    T1130 Install Root Certificate (1)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (3)
    T1120 Peripheral Device Discovery (1)

  • Command and Control

    T1102 Web Service (1)

  • Impact

    T1490 Inhibit System Recovery (1)


Downloads
