General

  • Target

    1.exe

  • Size

    211KB

  • Sample

    220924-ly3ghscchl

  • MD5

    102f05cffa7d4ac4b7f02f38e6df632c

  • SHA1

    9f4077164fe67ce25d0e64e4bd5e1ab6c95695de

  • SHA256

    feeca43d32c8d2ad551298812ba8439dee19f0dcd1f0f568dfe1690bef5eba62

  • SHA512

    b9f60951c2dd051a4be77cc7efa2355e4978543389fb50b433500928161d6c9cca6781532bb9a622d4ac107dcd5a24c35ebff722419ea0bf14350ff4fa53130e

  • SSDEEP

    6144:Cia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+6S+:CIMH06cID84DQFu/U3buRKlemZ9DnGAI

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable!
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
Your personal ID: 6D7-EAC-F1B
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable!
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
Your personal ID: E9F-649-AA3
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      1.exe

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
