Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-03-2022 00:31

General

  • Target

    54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe

  • Size

    446KB

  • MD5

    567204cbb8d1c5908a5316f9dfdcb353

  • SHA1

    cc7eca3c24883a3b563288c08cfab7cc248a0315

  • SHA256

    54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

  • SHA512

    ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: [email protected] ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 11E-ED2-55F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service derived from the VegaLocker family; Buran itself was first identified in 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe
    "C:\Users\Admin\AppData\Local\Temp\54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        PID:608
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1596
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:840
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1688
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:1832
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 196
          4⤵
          • Program crash
          PID:1684
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1160
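The process tree above is a compact catalogue of recovery-inhibition tradecraft: shadow copies are deleted twice over (wmic and vssadmin, then again from ~temp001.bat), Windows Recovery is disabled through bcdedit, and the wbadmin backup catalog is removed, all launched by a dropped spoolsv.exe running from %APPDATA% rather than System32. The following Python is an added illustration, not part of this sandbox report or of the Buran sample: it runs a small triage pass over process-creation events shaped like the tree, flagging those command lines (MITRE ATT&CK T1490) and the out-of-place spoolsv.exe. The event list is constructed from the PIDs and command lines printed above; the assumption that a legitimate spoolsv.exe lives only under C:\Windows\System32 is ours.

```python
# Added illustration (not part of the sandbox report or the Buran sample): a triage
# pass over process-creation events shaped like the tree above. It flags the
# recovery-inhibition command lines (ATT&CK T1490) and the spoolsv.exe dropped under
# %APPDATA%, which masquerades as the Print Spooler binary normally found in System32.
import re
from typing import List, NamedTuple, Tuple


class ProcessEvent(NamedTuple):
    pid: int
    image: str          # full path of the executable actually started
    command_line: str   # command line as recorded by the sandbox


# One regex per recovery-inhibition technique seen in the tree. Spacing and the
# optional ".exe" are kept loose so "vssadmin.exe  delete shadows" still matches.
RECOVERY_INHIBITION = {
    "vssadmin delete shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic shadowcopy delete":
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit recoveryenabled no":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit bootstatuspolicy ignoreallfailures":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin delete catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}

# Assumption (ours, not from the report): on a stock install the Print Spooler lives only here.
LEGIT_SPOOLSV = r"c:\windows\system32\spoolsv.exe"


def recovery_inhibition_hits(command_line: str) -> List[str]:
    """Names of the T1490 techniques whose pattern appears in the command line."""
    return [name for name, rx in RECOVERY_INHIBITION.items() if rx.search(command_line)]


def is_masquerading_spoolsv(image: str) -> bool:
    """True when something named spoolsv.exe runs from anywhere but System32."""
    norm = image.replace("/", "\\").lower()
    return norm.endswith("\\spoolsv.exe") and norm != LEGIT_SPOOLSV


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for every suspicious event, in input order."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if is_masquerading_spoolsv(ev.image):
            findings.append((ev.pid, "spoolsv.exe outside System32: " + ev.image))
        for name in recovery_inhibition_hits(ev.command_line):
            findings.append((ev.pid, "T1490 " + name))
    return findings


# Constructed from the process tree above (PIDs and command lines as the report prints
# them). The image path is SysWOW64\cmd.exe while the command line says system32 because
# the 32-bit parent is subject to WoW64 file-system redirection.
SAMPLE_EVENTS = [
    ProcessEvent(1648, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe",
                 r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start'),
    ProcessEvent(576, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    ProcessEvent(608, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    ProcessEvent(988, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcessEvent(1596, r"C:\Windows\SysWOW64\vssadmin.exe",
                 r"vssadmin delete shadows /all /quiet"),
    ProcessEvent(1832, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    ProcessEvent(936, r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe"),  # benign control
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

On a live host the same events come from Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled; the point of keeping the patterns per technique rather than one catch-all is that a single bcdedit or wbadmin hit is a strong signal on its own, while a legitimate backup job that runs vssadmin is best separated by parent process, which this report shows as a cmd.exe spawned from an executable in the user's Roaming profile.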

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/840-68-0x0000000000400000-0x0000000000598000-memory.dmp
    Filesize
    1.6MB
  • memory/840-67-0x0000000001E40000-0x0000000001FD2000-memory.dmp
    Filesize
    1.6MB
  • memory/936-92-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize
    4KB
  • memory/1264-55-0x0000000075421000-0x0000000075423000-memory.dmp
    Filesize
    8KB
  • memory/1264-57-0x0000000000400000-0x0000000000598000-memory.dmp
    Filesize
    1.6MB
  • memory/1264-56-0x0000000001F30000-0x00000000020C2000-memory.dmp
    Filesize
    1.6MB
  • memory/1648-61-0x0000000002080000-0x0000000002212000-memory.dmp
    Filesize
    1.6MB
  • memory/1648-62-0x0000000000400000-0x0000000000598000-memory.dmp
    Filesize
    1.6MB