Analysis

  • max time kernel: 153s
  • max time network: 139s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220112
  • submitted: 06-03-2022 00:23

General

  • Target: 6772641fa3c9e918f0c887ee1bd67d3ce65c4cd28888d96f927c5d1b72851bf9.exe
  • Size: 2.6MB
  • MD5: 811527176b1b2357e96f357e141c7f29
  • SHA1: 8d00d383b6c4825edcf46a620d7b7a3e5f53e09d
  • SHA256: 6772641fa3c9e918f0c887ee1bd67d3ce65c4cd28888d96f927c5d1b72851bf9
  • SHA512: 597aaab2e64ad2917aa308d8c65811024de20eee1c3c19f624c77a62174d08fd26daf95c6e50b3e74c338fecceab466b2d84517b759f2f24cd26e4d3331bea92

Malware Config (extracted)

  • Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  • Family: buran
  • Ransom Note:

    !!! ALL YOUR FILES ARE ENCRYPTED !!!
    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.
    To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
    But this file should be of not valuable!
    Do you really want to restore your files?
    Write to email: [email protected]
    Reserved email: [email protected]
    Your personal ID: 35D-15C-65F
    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran
    Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes (nested by parent/child; indentation shows the process tree)

  • C:\Users\Admin\AppData\Local\Temp\6772641fa3c9e918f0c887ee1bd67d3ce65c4cd28888d96f927c5d1b72851bf9.exe
    "C:\Users\Admin\AppData\Local\Temp\6772641fa3c9e918f0c887ee1bd67d3ce65c4cd28888d96f927c5d1b72851bf9.exe"
    PID: 212
    Signatures: Checks computer location settings; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
      PID: 4064
      Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        PID: 3912
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          PID: 560
          Signatures: Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID: 1856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        PID: 3980
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
        PID: 2812
        Signatures: Executes dropped EXE; Drops file in Program Files directory
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        PID: 3548
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          PID: 3364
          Signatures: Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        PID: 2828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        PID: 1928
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      PID: 1616
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID: 2904

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is the count of matching signatures)

  • Persistence
    Registry Run Keys / Startup Folder, T1060: 1
  • Defense Evasion
    File Deletion, T1107: 1
    Modify Registry, T1112: 2
    Install Root Certificate, T1130: 1
  • Discovery
    Query Registry, T1012: 2
    System Information Discovery, T1082: 3
    Peripheral Device Discovery, T1120: 1
  • Command and Control
    Web Service, T1102: 1
  • Impact
    Inhibit System Recovery, T1490: 1


Downloads (files written during the run)

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
    MD5: 0af9873e7d694b6af100acc5d66d625f
    SHA1: 4e382572f28043136ff10d6e80f09ea2153a8ec1
    SHA256: 983ea452db6d000be67b0e2d5ddf8beb2d42454e9108adcdfec5fdb04afcdc60
    SHA512: b8ece43a58a5004a74fc888ab9f2140f10ffbefed2bdc3e78a586aa05e396486be67f6035e1c21eff48717651647fcf107937c2365b023280faeaff719d905e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
    MD5: 5bfa51f3a417b98e7443eca90fc94703
    SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
    SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
    SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4
    MD5: 0f96cf32580efc867ff48db74bc92e4b
    SHA1: 2d16ce1151807b1cc5445db9bd511d0a2c90cf01
    SHA256: 7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da
    SHA512: 9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5: aa4b7669eef55fc7705d31672b88980d
    SHA1: 131a6930acf0f1e90ffe67faa4e68055cc525118
    SHA256: f964c248ccfb020296430658f3cdf78b18f7904611c5a4f67ce9b3bb3c7464f8
    SHA512: 414a578a7141ac0c0b28d894ea942baee758c362aceb81724baeb59abf4d0bfc1486c7ef9206a08ffad243cb543abfe2a70947223f7a58831070734056c36cac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
    MD5: 1aa237d03fe099482b418a6d25e662da
    SHA1: 89ac021cebc0484e7d539ae8dc42637db253ecba
    SHA256: 68ee606015b10dbb3af1a45659b1b8696314b1ec53102f6df14062735132782c
    SHA512: 360a129968d88bf1aec8e4c07141d98654543ab31761d238865aa9bbd6df2de978e3939248c403dda3e23a0c2ccac295559fdd7c0799b86b574a9a6519104b7d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
    MD5: 4f4296da3d648b2d530e1594b7052a05
    SHA1: a6ef353ec0da38da3bb40a854faa0ade799b460e
    SHA256: ef9567abb8c7e36bcbafdb4bce62a08971f76b32bdb8f63edc392fa63607b34d
    SHA512: 2a130bec655161cd096d89351309b0c1ad4a0c9a573d8dda1a57b116014b63e3fa3e856f837038633883dac8e971205b63f438e1a0c597f726f4bd8099014de4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
    MD5: 0a55d2cbc265501553259f29ecc4f630
    SHA1: 80eb5873ebbefd641d8bb6183c3f0394a1adde99
    SHA256: 2fa02bc89bc7577a8397ac8bdac8c95477ff48a3abf9377a98de24e918c5fa7c
    SHA512: 5ac9cc223e5e41860e43ba8b71dbdb16e4214da623081b23693af2e03653cfd1c09bea99db18b437d233d4455ed5aa227010bc680c88594d4553a8fbeb79ed63

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5: a663a42ebcfb450889f57520f7e22e64
    SHA1: dbfcce80cf0dcc5c7361ed06105de2a9a3ad6562
    SHA256: e30963fcdc6e734916c1f13906ce70e4113765d8dccbd5c06cabb9049894ac5f
    SHA512: 5caf3192e52aa58f5c1d583bc8b9884514a6ac86ad06553ecd157aa45e5e212dd9fa2a4f034204dc4afc5b06640d9e91d8f153fa08e7c03c5cdc28de4580724e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GS28O9WE\6OIPT6U7.htm
    MD5: 8615e70875c2cc0b9db16027b9adf11d
    SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
    SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
    SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\PMGRCJIO.htm
    MD5: b1cd7c031debba3a5c77b39b6791c1a7
    SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
    SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
    SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

  • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
    SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
    SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
    SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (same hashes as the submitted sample: the dropped copy is the original binary)
    MD5: 811527176b1b2357e96f357e141c7f29
    SHA1: 8d00d383b6c4825edcf46a620d7b7a3e5f53e09d
    SHA256: 6772641fa3c9e918f0c887ee1bd67d3ce65c4cd28888d96f927c5d1b72851bf9
    SHA512: 597aaab2e64ad2917aa308d8c65811024de20eee1c3c19f624c77a62174d08fd26daf95c6e50b3e74c338fecceab466b2d84517b759f2f24cd26e4d3331bea92

  • memory/1616-142-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
    Filesize: 4KB