Overview

overview

10

Static

static

10

6a4c8a0b76...08.exe

windows7-x64

10

6a4c8a0b76...08.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    177s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

  • Size

    215KB

  • MD5

    e71825acc5c0dbf948ec73b12c397a23

  • SHA1

    efe7521f2f6f06840418ca99b57989ec7dd797c5

  • SHA256

    6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408

  • SHA512

    c9369d2a89f54250149b3a92d1d12b2f1a38fcf76e961d08f5ea4c3aec29bc338d8d5113df0bdd35aed5ff2d4c2d71ac3195e27d72489d9275553833314d7fe5

  • SSDEEP

    6144:cyJE1yd7WEJmcyf70PWna4DQFu/U3buRKlemZ9DnGAevIGn+:cU/d7WRvIPWa4DQFu/U3buRKlemZ9DnG

Score
10/10
buranransomware

Malware Config

Extracted

Path

C:\ALL YOUR FILES ARE ENCRYPTED.txt

Family

buran

Ransom Note
ALL YOUR FILES ARE ENCRYPTED ***All your data has been compromised. Documents, photos, databases and other important files are encrypted. ***You cannot decipher them yourself! The only method for recovering files is by purchasing a unique private key. Only we can provide you with this key and only we can restore your files. ***The decryption key fee is charged only in bitcoins, we CAN assist in buying bitcoins by giving instructions on how and where to buy. ***In case of non-payment, all data will be put up for auction on the darknet. Beware of data leaks. ***To make sure we have a decryptor and it works, you can send an email to [email protected] or [email protected] and decrypt one not important file for free, DO NOT send files containing databases, any XLS / XML documents for the test. ***Beware of dishonest middlemen. as well as buying a decryption key through intermediaries increases the final cost of the key. ***Do you really want to restore your files? Write to email: [email protected] Your personal ID: 6B2-BA1-09F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
    "C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      2⤵
        PID:436
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        2⤵
          PID:1616
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
          2⤵
            PID:1064
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:316
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1772
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:960
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:340
          • C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
            "C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe" -agent 0
            2⤵
            • Drops file in Program Files directory
            PID:1760
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1784

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          Filesize

          406B

          MD5

          ef572e2c7b1bbd57654b36e8dcfdc37a

          SHA1

          b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

          SHA256

          e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

          SHA512

          b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

          Download Submit

        • memory/268-54-0x0000000075831000-0x0000000075833000-memory.dmp

          Filesize

          8KB

          Download

        • memory/316-59-0x0000000000000000-mapping.dmp

          Download

        • memory/340-67-0x0000000000000000-mapping.dmp

          Download

        • memory/436-56-0x0000000000000000-mapping.dmp

          Download

        • memory/960-66-0x0000000000000000-mapping.dmp

          Download

        • memory/1064-58-0x0000000000000000-mapping.dmp

          Download

        • memory/1604-62-0x0000000000000000-mapping.dmp

          Download

        • memory/1612-60-0x0000000000000000-mapping.dmp

          Download

        • memory/1616-57-0x0000000000000000-mapping.dmp

          Download

        • memory/1716-55-0x0000000000000000-mapping.dmp

          Download

        • memory/1760-61-0x0000000000000000-mapping.dmp

          Download

        • memory/1772-64-0x0000000000000000-mapping.dmp

          Download