Analysis

  • max time kernel
    153s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 05:02

General

  • Target
    60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
  • Size
    214KB
  • MD5
    7f5669e4d89b5a1636f05b52b7c0f9b7
  • SHA1
    12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6
  • SHA256
    60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1
  • SHA512
    2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Malware Config

Extracted

  • Path
    C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  • Family
    buran
  • Ransom Note
    !!! ALL YOUR FILES ARE ENCRYPTED !!!
    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.
    To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
    But this file should be of not valuable!
    Do you really want to restore your files?
    Write to email: [email protected]
    Reserved email: [email protected]
    Your personal ID: 5FF-455-18A
    Attention!
    * Do not rename encrypted files.
    * Do not try to decrypt your data using third party software, it may cause permanent data loss.
    * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
    "C:\Users\Admin\AppData\Local\Temp\60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe"
    PID:3380
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
      PID:388
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        PID:2916
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          PID:2688
          • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID:3040
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        PID:2864
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        PID:420
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
        PID:1428
        • Executes dropped EXE
        • Drops file in Program Files directory
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        PID:3468
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          PID:2516
          • Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        PID:3372
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      PID:2188
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:1228

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion
    File Deletion, T1107 (1)
    Modify Registry, T1112 (2)
    Install Root Certificate, T1130 (1)
  • Discovery
    Query Registry, T1012 (2)
    System Information Discovery, T1082 (3)
    Peripheral Device Discovery, T1120 (1)
  • Command and Control
    Web Service, T1102 (1)
  • Impact
    Inhibit System Recovery, T1490 (1)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
    MD5: 0af9873e7d694b6af100acc5d66d625f
    SHA1: 4e382572f28043136ff10d6e80f09ea2153a8ec1
    SHA256: 983ea452db6d000be67b0e2d5ddf8beb2d42454e9108adcdfec5fdb04afcdc60
    SHA512: b8ece43a58a5004a74fc888ab9f2140f10ffbefed2bdc3e78a586aa05e396486be67f6035e1c21eff48717651647fcf107937c2365b023280faeaff719d905e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
    MD5: 5bfa51f3a417b98e7443eca90fc94703
    SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
    SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
    SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4
    MD5: 0f96cf32580efc867ff48db74bc92e4b
    SHA1: 2d16ce1151807b1cc5445db9bd511d0a2c90cf01
    SHA256: 7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da
    SHA512: 9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5: aa4b7669eef55fc7705d31672b88980d
    SHA1: 131a6930acf0f1e90ffe67faa4e68055cc525118
    SHA256: f964c248ccfb020296430658f3cdf78b18f7904611c5a4f67ce9b3bb3c7464f8
    SHA512: 414a578a7141ac0c0b28d894ea942baee758c362aceb81724baeb59abf4d0bfc1486c7ef9206a08ffad243cb543abfe2a70947223f7a58831070734056c36cac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
    MD5: d183f3b450dd13f37dac1f584503f117
    SHA1: 6bd37799b1734c6f5903da34ff7336f78c15b58c
    SHA256: 2a7c9e63db503ffb6f2885fa65e4a91d83d87013602dc0dbc9cab5e97c687198
    SHA512: 40831383ff02265d7591cda58a7d2b0529adebd5b48c148189ad0bedb18ea699d7bd04e68b7cf3f4eaaa8c5e79ce1efdd124be5b71e6a8cfd706498165555d42

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
    MD5: 7020f9485feafdcded3bdc2ce87bbb26
    SHA1: 7b9a37691f219dcc12d4a7afc92be26646639c38
    SHA256: 85486a6872426a643b837ae7c3f05a095df6b071a05c721b6bc552df50762deb
    SHA512: b6c6ebe5908f1835410eac429d392758691922f0a970da3df41f82847e1f3c068b2d561719b7cd91effb0ffa13013dbbb594502acb7bc9b027fd0423809d3488

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
    MD5: b8739560f95a20818661cd24e0429727
    SHA1: 9a187b63eb64fb512bf3734a9c7a2a2609c185c0
    SHA256: d352a406365f5a70eb3a78fff053488c93b600fb233e595dfea2e7dc7ed908ad
    SHA512: 7b3d05c3c2bff212c81982adf61073d4e7ad4ce2e2cecf22b1fbbf77279e780c7b987b48fe82db2887001faba66b0f610fada27c7e721bcb95afd629b5f08fa9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5: fd5475ddc37212dea9f87550b54eca15
    SHA1: a048fa1d83d05f3d52c741d7a7bac551bd15b1eb
    SHA256: 29734d1ba3c5df47d9ddb7a0808ff047ceb085cab437dd10b1dcdcbd9a8f8fb6
    SHA512: d48397aeb32bea9521c2d8fa28e6ff7d0511f32d9127f0023d06bcff699ca7b5535edee7e38b6d774f6f658872d09c9d11af5c00be0dfe4f10e22d9622867652

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GS28O9WE\1KSVIXYN.htm
    MD5: 8615e70875c2cc0b9db16027b9adf11d
    SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
    SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
    SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\1W02D93S.htm
    MD5: b1cd7c031debba3a5c77b39b6791c1a7
    SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
    SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
    SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

  • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
    SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
    SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
    SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    MD5: 7f5669e4d89b5a1636f05b52b7c0f9b7
    SHA1: 12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6
    SHA256: 60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1
    SHA512: 2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

  • memory/2188-134-0x0000000003270000-0x0000000003271000-memory.dmp
    Filesize: 4KB