Overview

overview

10

Static

static

7b560460b1...16.exe

windows7_x64

10

7b560460b1...16.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-03-2022 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16.exe

  • Size

    211KB

  • MD5

    6e789d89c3817997e791a62a91a392dd

  • SHA1

    b88feefd90de401dabf9f1574fb2b47de608b010

  • SHA256

    7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16

  • SHA512

    ab76d49de89d4e8c734bcb4ccd61dd71466a8cbb594eb152e35fea3806324ca9b05b60662f32e57b1d4461c38b8ff2cf631a267b7a3e5000b9977625dbaa8e3c

Score
10/10
buranpersistenceransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 1B0-3EA-C30 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16.exe
    "C:\Users\Admin\AppData\Local\Temp\7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Drops file in Program Files directory
        PID:620
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 196
          4⤵
          • Program crash
          PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    MD5

    6e789d89c3817997e791a62a91a392dd

    SHA1

    b88feefd90de401dabf9f1574fb2b47de608b010

    SHA256

    7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16

    SHA512

    ab76d49de89d4e8c734bcb4ccd61dd71466a8cbb594eb152e35fea3806324ca9b05b60662f32e57b1d4461c38b8ff2cf631a267b7a3e5000b9977625dbaa8e3c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    MD5

    6e789d89c3817997e791a62a91a392dd

    SHA1

    b88feefd90de401dabf9f1574fb2b47de608b010

    SHA256

    7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16

    SHA512

    ab76d49de89d4e8c734bcb4ccd61dd71466a8cbb594eb152e35fea3806324ca9b05b60662f32e57b1d4461c38b8ff2cf631a267b7a3e5000b9977625dbaa8e3c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    MD5

    6e789d89c3817997e791a62a91a392dd

    SHA1

    b88feefd90de401dabf9f1574fb2b47de608b010

    SHA256

    7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16

    SHA512

    ab76d49de89d4e8c734bcb4ccd61dd71466a8cbb594eb152e35fea3806324ca9b05b60662f32e57b1d4461c38b8ff2cf631a267b7a3e5000b9977625dbaa8e3c

    Download Submit
  • C:\Users\Admin\Desktop\ApproveConvertFrom.midi.1B0-3EA-C30
    MD5

    c23e71dcc40867472e4b32dab803b339

    SHA1

    909194f21d0aacd77fe19bb0ff8743b821e57565

    SHA256

    60ad5f959c8c3a640e605190b0c38bb09dce0b2aa53c03fd36e0bb03957c77ec

    SHA512

    f4b1c494c18cfe80aaf468e234734d5c6f48d2da9eb3dccf26ccdb28d5a7c0efff8a6b2ab773192386defe6ee89fd993c004179adfc485c04a4500935744735d

    Download Submit
  • C:\Users\Admin\Desktop\AssertAdd.cab.1B0-3EA-C30
    MD5

    2e40394a0789291c05b04394f2ec97f0

    SHA1

    c5493e88c43b2df823d90fc884950a41adf4f5f8

    SHA256

    fe7b885b66bed1c07b61bbd46506cacf5fa1d4ca85fc3011be5724db5446bf48

    SHA512

    3161ea434f31dd252682451a7979bf6f7584f12e18946c0a1961f9873c0ff575cb83d592bf7a84be20eee3ac65da0d005b8bb5374d71e9c89ad6cd4fa1087fdc

    Download Submit
  • C:\Users\Admin\Desktop\BlockExport.3g2.1B0-3EA-C30
    MD5

    ec8db76fad727ac554c0bb824c04b949

    SHA1

    d66f9e7dd8e39a4e57b4d3868dc5e5bace237dd4

    SHA256

    681145fc385b100915717f54fddc84f72c0fd321388416f7ef50e34f48de99b7

    SHA512

    75e648eeaad03df56bb0de60ca2785b43aea3e3f3f31d6afd99c808c09c39c9248b0119171d1140ba24a99937566fe07ee9f2c166cc7ae7dee620138f3ebc8a2

    Download Submit
  • C:\Users\Admin\Desktop\BlockWatch.emf.1B0-3EA-C30
    MD5

    0370c73c106344ee1996e8359e237791

    SHA1

    2a93aa55a606b0c4e1f53414f63a16e81d6efa8e

    SHA256

    0585c3053e5e3ef6fbe87ce709c6ad89897cd7e4f314c0991fc207e9dafe9284

    SHA512

    42db96c23816e3e46e6b71169e7d4a05612396f5e55b707b9b12e63a0b9b56c9dac105d903f369b36087f0c686c96fe99c01beb8a758995dcd7083674d27793b

    Download Submit
  • C:\Users\Admin\Desktop\CheckpointConvertTo.wmf.1B0-3EA-C30
    MD5

    0c186028cf4be3b5726855ea90e6f6dd

    SHA1

    ba807af20a5e5ac75f90620b713ba6c71f4fb29c

    SHA256

    f766ea5912382ac4a9e8be257381af490ba2d96236f0d5b2f1f7eee6174c7ef9

    SHA512

    e71b759fe0ee87befeb75d9a4d85694894f9161f7700196c3f2153955759f55483037a9bdb33fb8fd0fc5d417176f2282f16c41c1c1ab159943475ff85ec0c36

    Download Submit
  • C:\Users\Admin\Desktop\ConfirmShow.vstm.1B0-3EA-C30
    MD5

    72efda3525c2de1135196ff66eb6c7bb

    SHA1

    4980a3c027ca10a4edf2a6535da0a3182b7e3926

    SHA256

    bae86e2e285a170b6daa5ba21de0251bff7d97488d4b17df23e1602a4c88260c

    SHA512

    52fdef22ed93746038f675c5823e6601873efa7f57e650680a722e6fe1dc5d874153cc1967700667cce58458498b318682b51e3907fa42cecd4ec6385573a3c2

    Download Submit
  • C:\Users\Admin\Desktop\DisableSet.vsd.1B0-3EA-C30
    MD5

    87d7f34de70570ebfe619142bc9be894

    SHA1

    ca665c5d1f3ddaa7069ff180fdb753b5e76bbcfb

    SHA256

    d250927ae3d36a13682ac206012a11a2de8e649c45ab59d228502321f553d35b

    SHA512

    b909d158bd18c2fe0b850fde5f3c2dd60f3e871ce8c5a737d4c1cf3589e83835b5d7751eecf87f5b6f9f8cb0d1535ffc766231efe32d37d7a1238df6e3a210f4

    Download Submit
  • C:\Users\Admin\Desktop\DismountUnprotect.3gpp.1B0-3EA-C30
    MD5

    41aafeec70f9147540a3380c1967b895

    SHA1

    c67bcecd82fa7f51b7486a29bea3b9938a494437

    SHA256

    673a67d0a56dfa5ed746d8e8ac4357c0daf5500ca57ed4b7b96db18034a607ea

    SHA512

    abf459122a5dacce19c6c9aebc486e11447a541a2ec8de2c038266405683a1ff23fab9d5f59da1afd46a5a370e051be2a44b4bc7838c0d5518813e58f2234bfc

    Download Submit
  • C:\Users\Admin\Desktop\EnterWatch.odt.1B0-3EA-C30
    MD5

    82ddc806f6a9a9b28ae41417d3a7d4e0

    SHA1

    c6620a01f664bb798b8c3f7e5ce537d2e79adb4a

    SHA256

    656c9a9e22b411e262ae6cdfc8ef39030ff2b05fd796d64fec6ca64b50c143bc

    SHA512

    dcb0ac78d83142403f381e63f4dde7cf4c464920e2b9dadb07287f4bc7d86ad82036007bd7f31176327106f3844e0a1f593161639fdcc546d0de93f6f870894e

    Download Submit
  • C:\Users\Admin\Desktop\ExportOut.reg.1B0-3EA-C30
    MD5

    b3c2b65d41e39dcbe74d994301d0e3bf

    SHA1

    a80e78a70eb4af239f5c53c51c155c58510cb856

    SHA256

    c7a2becea6bf1fb32620d8b458377410188fc885fa00de83b6320694fdf6bb12

    SHA512

    5902bcbc34f9f0dbe77089f8c527d08db96854c559ce87164258335ef6c97363b82d4707484fee31b1c7cb0174b249faf8f51bb8394f6f1a48fb7729e1de2d39

    Download Submit
  • C:\Users\Admin\Desktop\GetLimit.png.1B0-3EA-C30
    MD5

    7c8a326c7017a88d0c7e138f7817881e

    SHA1

    3286ecbca3053c92d7ee4083136db70813c00503

    SHA256

    ced9a958be5e7e8d4dd06448fb863687ae3aa51a97fa5088a56c7d09e187dde2

    SHA512

    722ee93fe45c9165f4746445de8982fed5c71f5a2c7516607a752b8043f8376314560e808943fe4bc036315aab2ab793337e6b750c5d809d6353355cc276502c

    Download Submit
  • C:\Users\Admin\Desktop\GetSwitch.nfo.1B0-3EA-C30
    MD5

    098e5c8e049e22152faa5a555eb070d7

    SHA1

    02a7484ca7e5e21ae813134778f31410f4fca577

    SHA256

    556b6584c8e7ce89b35b7d89db7f26f04553351cb13bfde0ff313180e79cd12e

    SHA512

    93a169c236f8b6e4c04ad891299d4243e256787bf5f599c26b3e175f2984b9c025426574c38eedae49e0a607b4fd6cd0cc80ce3e3418c08e1b19bd9ed7d01405

    Download Submit
  • C:\Users\Admin\Desktop\JoinWait.html.1B0-3EA-C30
    MD5

    c809863af23a05d2120b2162ff0cbb43

    SHA1

    891e7ba9014e057eec4b379dbb65f690c3515791

    SHA256

    c7a3db39a01c6a1dee08d4f466c57071829cbd53153631a33f36423284b5ca0f

    SHA512

    28c53b35d5034684e81d8c39af51eb5760ea71d73a1cf40145241c510fc55545e2a905b2c6cb06d4e3b796020a1401eb92fbd6fa0270808003cb1bb41694f369

    Download Submit
  • C:\Users\Admin\Desktop\PushReset.pps.1B0-3EA-C30
    MD5

    1749add2b8c802eea786fefff7d5818c

    SHA1

    e76448de2295430fafe11952b948f8b4e6c7f9fc

    SHA256

    56946b08ab442ad2aa2545c8b52ab34f714884b6add7d08ad68a5c4f95861f1c

    SHA512

    4f1760ded6af829dabaa38658d9e506e693f71d4c9d5c4c0ff2cea447ddd975e200b7fbda56bc9b1c42b07bf93062a153864cc9fde7053f3806749e8e1718c5a

    Download Submit
  • C:\Users\Admin\Desktop\RegisterExport.html.1B0-3EA-C30
    MD5

    b8036fc984bb1d7f5e4c18fb3ed7684d

    SHA1

    f24fbda3b139c44be23d04ea291b8963be295368

    SHA256

    67752357a5333c695c6523709032cd25cdbb2dc0aaa2eeaeac50d2b93a8eed2e

    SHA512

    08c4641f102c775e849b1eac2607d41d737b28bbacf2403b6aefc64b22a4692d118ad2f4fbe313415a991d4889fa8ec9961457e1d0bb6a9c50be8449a7b23e1f

    Download Submit
  • C:\Users\Admin\Desktop\RequestRevoke.mp3.1B0-3EA-C30
    MD5

    e6e9d6fd70b9fec6cbbe127cf67e24de

    SHA1

    f7a25596e7fe985ef7e0a226e2884afe69591241

    SHA256

    002042a2f9099d08fdb2a592806b676d2f10ae4e456b2e0123a1077323d05747

    SHA512

    4e99427701960ca76d3fb4cc4ec77cbf1640e8558948b61d7f4301dca6c0176ba52da9dcf4bc7e9f7125f065bc0cd3143ef09725a577b27dab06e43e5ab9381d

    Download Submit
  • C:\Users\Admin\Desktop\RevokeUninstall.otf.1B0-3EA-C30
    MD5

    066916979aecf0d32b2d26b96cf7a4d0

    SHA1

    b89d5d7546742e733eeb3aa1ce71cbf7def770d9

    SHA256

    987d64bc8d86c501c3aebeb49e63178e373945a608f656a2e8c292aaa482733e

    SHA512

    2ef45d887c6c4c1a5013ab0ef059950e4bb140af902609ae077fc5e111259bea95ed26a3e8b43906738ae716521f7eba88c5b836ed80576a5807dfbb75d62281

    Download Submit
  • C:\Users\Admin\Desktop\SearchPing.vbs.1B0-3EA-C30
    MD5

    5dc7ff0086a59d7634247ac2a94fd3dd

    SHA1

    cd006615b582cb9a4d3342a2b54336d3962a2401

    SHA256

    c34fb77f5f3556dd0d4c74e6fd424f0dbde1eaf7054486250a03d373449e5481

    SHA512

    c818cdc741fa3780dcabd9b30fd7c102c229591feb89701b2b34310b1012343cb117cab69269c2cdc49f59708d4981a908f04af099c1b64a9fd76d88eb022516

    Download Submit
  • C:\Users\Admin\Desktop\SelectClose.docx.1B0-3EA-C30
    MD5

    36f8ebd04cc5b89152dc5d0802e0bea3

    SHA1

    6379d6f2a934f5fba254184c21869cd67fee0774

    SHA256

    81bf113bf95c79cb824bd6aa256a502f561d60454aa3d42ac17162f5c75e341c

    SHA512

    b9c44ce43e8ba36901433739486f21834054cc26582a6418c5702931122d61c1ac8754684afe0465951d3f26e1d98ae2439ba10b5ed4c7b7e4ef90765c27f411

    Download Submit
  • C:\Users\Admin\Desktop\SetUndo.wvx.1B0-3EA-C30
    MD5

    1a169bc31640f35a920a42a2197a0706

    SHA1

    1aecd844cff0c550e2df53cf8a3007ea49efbd13

    SHA256

    3919e0136ac0ac81538bad9956d15ef61795dd6d8ecf572800d916c5814fbcfe

    SHA512

    25228a80998e849ce64ed7de82e3a7d66dfbb599c2b454e762b9af0547b8b2eb8e75b7253648649e5b554b74baf73eaae4cde4ba7c69157c00b32b0f5fe23b37

    Download Submit
  • C:\Users\Admin\Desktop\StepDeny.dwfx.1B0-3EA-C30
    MD5

    eb10a93622327c0ca9113fa0f2f51e4e

    SHA1

    65933b5b42321bffd443bf16a58b2eac110613bc

    SHA256

    e57c172af49acc180a32c14326d7ac6b92d6df8d6e2ff7ca5189fbf4c42ea10d

    SHA512

    c8d0463b34f51866e976f483c26a23685b9f9189cd8bbbe63b7b51a1f8ea18210355bb0e6044aac40376b47104674c873f4d0c86f1e21d705dc8fe0cb9710ad8

    Download Submit
  • C:\Users\Admin\Desktop\StepRestore.reg.1B0-3EA-C30
    MD5

    e7fffa559e39151188b6f89ab3249e7c

    SHA1

    1872c91a88b3b749f0112eddd951c7069e6df963

    SHA256

    92d72eab6130c4d19c80938bf51cae69a9342db22ff1b3960920de1dcde1480c

    SHA512

    32c056dd76359938014036e7860023a413f5072d476d4a70beef9d207f9f9df3bdfbdc38064971697042a86319fa6da1eef59d7e92767efda333833fa0e63dee

    Download Submit
  • C:\Users\Admin\Desktop\SwitchMerge.nfo.1B0-3EA-C30
    MD5

    ae3500e47769b9e5188c9e0ca2586c34

    SHA1

    39b03168218b79ad5fb1821e5762f42e85d2459d

    SHA256

    cb681176c8b97931ec0d10a2d107e66eb7293667ca30261cf8d8db0f68fbede0

    SHA512

    01990121c1064dbf8f6702410f4ccc2fecd7324fc6c6164e256411ba7a80821b44b0c10363e0849d717eba26fcabc03c4495fe00bfd9e3b4e70d8d0fc7d76f6a

    Download Submit
  • C:\Users\Admin\Desktop\UnprotectShow.mpg.1B0-3EA-C30
    MD5

    c10619bdc6d43e2063b70db86f3a7348

    SHA1

    b2c6b6f6a3596104a6e82274586b949a00678e6f

    SHA256

    855368140370559a221dbfd691a888f31b76f7ee58a1da96d73690234cc44bc7

    SHA512

    47985b107532ef02c9cc7585bc54cbce27bd08882c8c4a5c198b0a272e949ee20cee187dda299dcfd3e9e59ff8bfc3c7859dc23252bbb3642e771eee7da05fcc

    Download Submit
  • C:\Users\Admin\Desktop\UseComplete.docx.1B0-3EA-C30
    MD5

    705dc800063d292d8decb97a413b9835

    SHA1

    102fbd7e6138b0d08c2e0203d792c18580f5107b

    SHA256

    ad3c650f2913499dc7284a4b919b75a2d0666ab7631b08ec345ae38f87de04c1

    SHA512

    57a47ac7f4e517136927f32659f2da8ddf8c0e85f5d4343027915c13660dd0154578e927bdee9e27a5b43257d8859198429c5a9b0c8bb2483603df3dda0b7bf9

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    MD5

    6e789d89c3817997e791a62a91a392dd

    SHA1

    b88feefd90de401dabf9f1574fb2b47de608b010

    SHA256

    7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16

    SHA512

    ab76d49de89d4e8c734bcb4ccd61dd71466a8cbb594eb152e35fea3806324ca9b05b60662f32e57b1d4461c38b8ff2cf631a267b7a3e5000b9977625dbaa8e3c

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    MD5

    6e789d89c3817997e791a62a91a392dd

    SHA1

    b88feefd90de401dabf9f1574fb2b47de608b010

    SHA256

    7b560460b14741999a04a72415bb7b4872739410833b4f6970abaa928ddcab16

    SHA512

    ab76d49de89d4e8c734bcb4ccd61dd71466a8cbb594eb152e35fea3806324ca9b05b60662f32e57b1d4461c38b8ff2cf631a267b7a3e5000b9977625dbaa8e3c

    Download Submit
  • memory/760-55-0x0000000076071000-0x0000000076073000-memory.dmp
    Filesize

    8KB

    Download
  • memory/892-88-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download