General
-
Target
9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47
-
Size
293KB
-
Sample
240319-xge6facd91
-
MD5
e05acea94e72eacc59d3180543957e5c
-
SHA1
633393001e83b72785fce0aebbe1f3290b26c27a
-
SHA256
9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47
-
SHA512
e870dc844740e660da6329ee2b598003621fe7bec9227f49c88b697536a0e1ff4b35de125190672fcdbe9f7fdc3afa48b325149376283e2a45887841ff66f118
-
SSDEEP
6144:Ll0eMClIYaiZk9H3/r7q4egW1iKR4sR1mvNcJ92NgmDz5br1vIHzG:h/DlIYYrpSnR4sbmvNxgm5brVIHzG
Static task
static1
Behavioral task
behavioral1
Sample
9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47.exe
Resource
win11-20240221-en
Malware Config
Extracted
C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Targets
-
-
Target
9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47
-
Size
293KB
-
MD5
e05acea94e72eacc59d3180543957e5c
-
SHA1
633393001e83b72785fce0aebbe1f3290b26c27a
-
SHA256
9303d30aa5e5468492f198074da31f39485f03d09c0e958199c2eb78ec4d9a47
-
SHA512
e870dc844740e660da6329ee2b598003621fe7bec9227f49c88b697536a0e1ff4b35de125190672fcdbe9f7fdc3afa48b325149376283e2a45887841ff66f118
-
SSDEEP
6144:Ll0eMClIYaiZk9H3/r7q4egW1iKR4sR1mvNcJ92NgmDz5br1vIHzG:h/DlIYYrpSnR4sbmvNxgm5brVIHzG
Score10/10-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Renames multiple (6097) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-