Overview

overview

10

Static

static

10

0ef3f83788...01.exe

windows7-x64

10

0ef3f83788...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-10-2022 07:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe

  • Size

    215KB

  • MD5

    a58d761d66e5045c1b5d10b823b90afe

  • SHA1

    1fd48eabec99f127231deab1c36abd640e93f226

  • SHA256

    0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501

  • SHA512

    4ff1a1229c6bbb1a54e52d79486cbb66b4d62ee56d5161b96805dd5f2e386100db3cc49245e32aab7a0b2e0542cc1d6c96e42fe9c7f982fa70aef7b1f7d2a94e

  • SSDEEP

    6144:PyJE1yd7WEJmcyf70PWna4DQFu/U3buRKlemZ9DnGAevIX+:PU/d7WRvIPWa4DQFu/U3buRKlemZ9DnI

Score
10/10
buranransomware

Malware Config

Extracted

Path

C:\ALL YOUR FILES ARE ENCRYPTED.txt

Family

buran

Ransom Note
ALL YOUR FILES ARE ENCRYPTED ***All your data has been compromised. Documents, photos, databases and other important files are encrypted. ***You cannot decipher them yourself! The only method for recovering files is by purchasing a unique private key. Only we can provide you with this key and only we can restore your files. ***The decryption key fee is charged only in bitcoins, we CAN assist in buying bitcoins by giving instructions on how and where to buy. ***In case of non-payment, all data will be put up for auction on the darknet. Beware of data leaks. ***To make sure we have a decryptor and it works, you can send an email to [email protected] or [email protected] and decrypt one not important file for free, DO NOT send files containing databases, any XLS / XML documents for the test. ***Beware of dishonest middlemen. as well as buying a decryption key through intermediaries increases the final cost of the key. ***Do you really want to restore your files? Write to email: [email protected] Your personal ID: 2D1-22D-A5B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe
    "C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      2⤵
        PID:3728
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        2⤵
          PID:1084
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1908
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
          2⤵
            PID:1944
          • C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe
            "C:\Users\Admin\AppData\Local\Temp\0ef3f837880e58131bb45566215d60ee1c023ce5d0299c05e3b80a2ed931e501.exe" -agent 0
            2⤵
            • Drops file in Program Files directory
            PID:2680
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
            2⤵
              PID:3776
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:2124

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              Filesize

              406B

              MD5

              ef572e2c7b1bbd57654b36e8dcfdc37a

              SHA1

              b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

              SHA256

              e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

              SHA512

              b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

              Download Submit