Overview

overview

10

Static

static

10

6a4c8a0b76...08.exe

windows7-x64

10

6a4c8a0b76...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-10-2022 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

  • Size

    215KB

  • MD5

    e71825acc5c0dbf948ec73b12c397a23

  • SHA1

    efe7521f2f6f06840418ca99b57989ec7dd797c5

  • SHA256

    6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408

  • SHA512

    c9369d2a89f54250149b3a92d1d12b2f1a38fcf76e961d08f5ea4c3aec29bc338d8d5113df0bdd35aed5ff2d4c2d71ac3195e27d72489d9275553833314d7fe5

  • SSDEEP

    6144:cyJE1yd7WEJmcyf70PWna4DQFu/U3buRKlemZ9DnGAevIGn+:cU/d7WRvIPWa4DQFu/U3buRKlemZ9DnG

Score
10/10
buranransomware

Malware Config

Extracted

Path

C:\ALL YOUR FILES ARE ENCRYPTED.txt

Family

buran

Ransom Note
ALL YOUR FILES ARE ENCRYPTED ***All your data has been compromised. Documents, photos, databases and other important files are encrypted. ***You cannot decipher them yourself! The only method for recovering files is by purchasing a unique private key. Only we can provide you with this key and only we can restore your files. ***The decryption key fee is charged only in bitcoins, we CAN assist in buying bitcoins by giving instructions on how and where to buy. ***In case of non-payment, all data will be put up for auction on the darknet. Beware of data leaks. ***To make sure we have a decryptor and it works, you can send an email to [email protected] or [email protected] and decrypt one not important file for free, DO NOT send files containing databases, any XLS / XML documents for the test. ***Beware of dishonest middlemen. as well as buying a decryption key through intermediaries increases the final cost of the key. ***Do you really want to restore your files? Write to email: [email protected] Your personal ID: 13B-682-4D8 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
    "C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        2⤵
          PID:3244
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
          2⤵
            PID:4592
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            2⤵
              PID:2164
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2892
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3984
            • C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
              "C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe" -agent 0
              2⤵
              • Drops file in Program Files directory
              PID:1460
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:3220

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
              Filesize

              406B

              MD5

              ef572e2c7b1bbd57654b36e8dcfdc37a

              SHA1

              b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

              SHA256

              e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

              SHA512

              b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

              Download Submit