General

  • Target

    442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.7z

  • Size

    91KB

  • Sample

    240718-vwxypaydkm

  • MD5

    2db298f574c327c16173aad867275cdf

  • SHA1

    4527d63b5817e4a2a7c6eabbec4f799358c02d9e

  • SHA256

    9c49b8cd781dbb67a14859e7024f137537780a599beb1ce710e6880c8221aa0f

  • SHA512

    1d06fc96b5edb7de8862166b1a4bc417b5fcc39b641c4dda675bcd948163812b9e6c929b3ef8e9ae94c65d68ad1a8c93dc496112e2c738e67be1fd82ee472e4d

  • SSDEEP

    1536:3nfraqzhT2jqwB/BsMjgwXP3MFzR+u+zQUkTNn4BapvmFVdK1qixupLtGx:3jJzh7IbjJXfMFzR7+zQUkTNn5pvmFT2

Malware Config

Extracted

Path

C:\Program Files\Crashpad\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 147-752-85E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024.exe

    • Size

      214KB

    • MD5

      2f1ecf99dd8a2648dd013c5fe6ecb6f5

    • SHA1

      121c377693b96eef8e84861f091ef47e6fb6cae5

    • SHA256

      442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024

    • SHA512

      793eb6a3f3d0323b0749a35e372c9fcde15a912f32d74fc5fa0fc104c32d8348f431347fefd1c34e3d51d9b20432f8e66b9ae3b9523b4b4b21e76b6fd2ae8219

    • SSDEEP

      6144:eyJE1brNNDw7AE9kgH16LGv2J4DQFu/U3buRKlemZ9DnGAeDMK3ITyw+c:eUqNNDwpRV6LqM4DQFu/U3buRKlemZ9W

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (6050) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks