Overview

overview

10

Static

static

3

dcef208fcd...0f.exe

windows7-x64

10

dcef208fcd...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-03-2024 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dcef208fcdac3345c6899a478d16980f.exe

  • Size

    416KB

  • MD5

    dcef208fcdac3345c6899a478d16980f

  • SHA1

    fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

  • SHA256

    824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

  • SHA512

    28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

  • SSDEEP

    6144:iYdiLQNWloaXoLJYksETr0vpvejH6ols25A0LJjI4WHB/N7:BiLQqosgZs+8vejap0LJ6h

Score
10/10
buranzeppelinpersistenceransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: D4E-0BB-31D Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Detects Zeppelin payload 22 IoCs
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (3146) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcef208fcdac3345c6899a478d16980f.exe
    "C:\Users\Admin\AppData\Local\Temp\dcef208fcdac3345c6899a478d16980f.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
          PID:4488
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
            PID:4264
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
              PID:1596
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
              3⤵
                PID:1712
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3588
                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1080
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
                3⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                PID:3052
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 1
                3⤵
                • Executes dropped EXE
                PID:3272
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              2⤵
              • Deletes itself
              PID:1336
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3988 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1860
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
                PID:4528

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
                Filesize

                975B

                MD5

                03091bcd2d9c58559355f57e140eb815

                SHA1

                ed88c2371e126f182364a8a800fe42ece164137f

                SHA256

                bc6ca416e9e3ce3129eef762551b26538a1025c12d12fcf0c91f393f666ec24e

                SHA512

                fb8150a5cbf1f18de3b345333382dd2a9f889dc66d212c41655f6ed01883f5448c2cba5c8f57491af72ac6660a3e3e4874ee23e06655cc09e3a8c7becd884c93

                Download Submit

              • C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX
                Filesize

                292KB

                MD5

                e3acab4805ccd56cb45f5313693c57a5

                SHA1

                2fd9631981a4e9d364fcbf203f86c5ca07ffeff0

                SHA256

                4436a46de735e153b9ad3bc80aa26e6a0fbbed8341713f077bdc96348df4d9ec

                SHA512

                ce50f13867d9e7d4a0cd900828bfba0774ed3cdba3a24b00d957564d2c0b2e7d0723546366e3afcec5aec9e051ceeff65df350203ff79c296c5ed6cb58445924

                Download Submit

              • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi
                Filesize

                44KB

                MD5

                cd028acc33e7fbe52af5732b307390c2

                SHA1

                26b80c775861e175bbc004cadd41d08955fcfd32

                SHA256

                76470013bb8706f13f9973d903051529f0e61801fa5790d59cf6c35cc1020e8f

                SHA512

                9772b1a4d88b921a1b9c91be399a4ace446468d3450c7f99ad386e3f15fe1f888bea60572690dfb77d8866e540643bfd4450a1dcdcdf7669965cf8048835dc3b

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
                Filesize

                2KB

                MD5

                11d71c970ccf0e5af1a11cb5e15d9fc9

                SHA1

                5cfbda5675975a7d691101a9096cd9d42c964b4c

                SHA256

                3f37c40cc9fbf51ffff7a4147d81398cde110a815e5fa7894d04dcb883d6fc1d

                SHA512

                03b6de82dbec27d4b7ca2226f30ed949091969533460f9e2d6f4162d44e4cd6c5d1d8be567b268c0935c71fe06b509001a6c9404595eef8cb2f8c5808d47e632

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
                Filesize

                472B

                MD5

                38cfeb9a4a7c8007273ead650b17d7b0

                SHA1

                f1bdff77349e0a1b0554b39e1480191a6593668d

                SHA256

                d71077717606050c4571f0933f95ac9b4cc40e8fd3a724e2728132a94750b587

                SHA512

                8734e86451ad7c657b54dc1ccce25bfcf49d1459634d2b2f4e65f5bdf1ab243042304fbbd3e9d7560bfc6397a33d5d09681694e6a363497b77f0b9b4e6ff5ad5

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                Filesize

                1KB

                MD5

                4bbdeccef77d0216c7c85aa8ce6fd456

                SHA1

                a8e6ece2829f7a721d5e02c7e37d30c0ee584105

                SHA256

                d4c20a525b2cb0035944212b76b0573779ec672ea64b72679dafebdf7c44a6dc

                SHA512

                7a5cbcde4e7d2a952f9bc846e29326b53166592224af39d3b67dd6f602a9cc77c2e4d97929823e4329ce1b6557a6df5f437dffe18f4ed93b85f97dd81105d6e9

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
                Filesize

                484B

                MD5

                001a0cd5a14a48eb4515a7574b4cb890

                SHA1

                f6e5f65be73025b0b4c166812dffcfe262879da2

                SHA256

                84b35f2544ad01a8ada68c1d8c930a1f08bdb87680b62814b26af28d72277543

                SHA512

                d912a27bf8727bba1429a24ba98687c0f94ce5d2a84bedcae286d8991175859ec1ab9c9ce07c261390ccc4048a8dd98a6ab7ab9a4acfb062931fdc90c06c6aeb

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
                Filesize

                488B

                MD5

                e7f0e3cc68b87e0328f4e62c3ec58ff5

                SHA1

                a2ac148082b99e197ca21cb271c565f279a8646b

                SHA256

                122c070dbdbb3736506d53998b5812168bf9166ba810083f5adc5da1677d6d3b

                SHA512

                2b18b0a3bd9a6fb6606ebcfdd7af37e3d41d98eb9e4be8b5ae662f2c703413a1140fc5b7a8ac75feae47fdde4398dbacdd5a0d324588dccce5400e2aef5d1278

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                Filesize

                482B

                MD5

                65fe9011d043b0ba00b4d612f627fd37

                SHA1

                6bd56625d3e7e57b34a58328b63562a7e949c01b

                SHA256

                c9329bd4273a53d65d04f20e02d4e1ca23031b1f89e538ff86e22f7169b92211

                SHA512

                61e886497f6ab409c68ca36798a37a835bc0bfe2db8bacf6cfe00ec2f87f0cb28f329c049f6a5ba30c9e2805f5dd2703d23470f64e8803db6eab790770d8cbd2

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\QWH2WY6W.htm
                Filesize

                190B

                MD5

                6ebbeb8c70d5f8ffc3fb501950468594

                SHA1

                c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

                SHA256

                a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

                SHA512

                75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\UC9P92HG.htm
                Filesize

                18KB

                MD5

                d86c179bcfbd66e883f47019ea1ca200

                SHA1

                c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8

                SHA256

                b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea

                SHA512

                d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                Filesize

                406B

                MD5

                ef572e2c7b1bbd57654b36e8dcfdc37a

                SHA1

                b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

                SHA256

                e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

                SHA512

                b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
                Filesize

                416KB

                MD5

                dcef208fcdac3345c6899a478d16980f

                SHA1

                fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

                SHA256

                824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

                SHA512

                28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

                Download Submit

              • C:\odt\.zeppelin
                Filesize

                513B

                MD5

                8bff8f7ec2dee0630915c750011b1bad

                SHA1

                3f37e6bc23aba846bffa9d510bfd03024af53c73

                SHA256

                aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3

                SHA512

                e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe

                Download Submit

              • C:\vcredist2010_x86.log.html
                Filesize

                82KB

                MD5

                79f0589d1c70aa9ed392682103db4622

                SHA1

                268581f9a6c5fcd2a45b1833e9c01a694f99db78

                SHA256

                7c08f579d10dfc9ec9d12b5a93957cbdf90df9225b4e220116b8bc87acdacc5e

                SHA512

                fb2cb6e6073ebbd481ce2aba580f8d66a3f961947f380ced66c5518bb1962a0d96a8aa2fad0175dbb94c27ffa13d8cf2b11d4c0bb38767b30b0fe74e9c9951c9

                Download Submit

              • memory/1176-28-0x0000000000A90000-0x0000000000BD5000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1176-25-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1176-24-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1176-3-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1176-2-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1176-0-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1176-1-0x0000000000A90000-0x0000000000BD5000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1336-27-0x0000000000140000-0x0000000000141000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3044-57-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3044-54-0x0000000000AE0000-0x0000000000C25000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3044-53-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3044-46-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3044-30-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3044-29-0x0000000000AE0000-0x0000000000C25000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-2400-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-2835-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-12137-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-68-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-11072-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-1470-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-2120-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-61-0x0000000000A80000-0x0000000000BC5000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-2530-0x0000000000A80000-0x0000000000BC5000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-9912-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-3328-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-5923-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-8072-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3052-8527-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3272-60-0x0000000000AB0000-0x0000000000BF5000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3272-73-0x0000000000AB0000-0x0000000000BF5000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3272-64-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3272-59-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3272-69-0x0000000000400000-0x0000000000557000-memory.dmp

                Filesize

                1.3MB

                Download