General
Target: 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433
Size: 624KB
Sample: 220724-sdr9dagbgm
MD5: e2c9e21bc2d59273ad13144b10e082f8
SHA1: 0fd4b5d955122d84552626d2634c62c78e800b7c
SHA256: 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433
SHA512: 393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349
Static task: static1
Behavioral task: behavioral1
  Sample: 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433.exe
  Resource: win10v2004-20220721-en
Malware Config
Extracted: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT (family: buran)
Targets
Target: 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433
Size: 624KB
MD5: e2c9e21bc2d59273ad13144b10e082f8
SHA1: 0fd4b5d955122d84552626d2634c62c78e800b7c
SHA256: 97f9cd7c0791ecc4a5bd2ed4e79b8966e46cdcdf55287e43abf317ced4792433
SHA512: 393ca8e5bf98120a4e0a8b6bab6f4f9582f3283ded401d7942ac8089a9b65d87b63ee66ac43f85de6b08ab914035e08c9b348dbd594688d2a8fee7df08dd7349
Score: 10/10
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- suricata: ET MALWARE Buran Ransomware Activity M1
- suricata: ET MALWARE Observed Buran Ransomware UA (BURAN)
- Clears Windows event logs
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v6
Defense Evasion
- File Deletion: 2
- Hidden Files and Directories: 1
- Indicator Removal on Host: 1
- Install Root Certificate: 1
- Modify Registry: 2
- Web Service: 1