Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21-10-2024 13:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
encrypter-windows-gui-x86.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
encrypter-windows-gui-x86.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
encrypter-windows-gui-x86.exe
-
Size
104KB
-
MD5
bae8e04226ff74f7c40f9bd2e6e3b4ae
-
SHA1
87ca31acfcb12b6eac57e1fd47926be330a11e03
-
SHA256
cc0680de960f3e1b727b61a42e59f9c282bd8e41fe20146ed191c7f4bf9283a7
-
SHA512
56fa390dd466b36797986bd4ae5ec01fb4717f191e2a0098885a603786c42bceee0f2917b3c961c0b0478d040ef7b0ecfda8504ab254afa2d7688f9a19ebb08f
-
SSDEEP
3072:vufqM7tExy3nGt1yc0bwEIrn/eufCNzxaR6:mfG/yc0bM/eufCNzxaR6
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\README.TXT
Family
buran
Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.)
Do you really want to restore your files?
Write to email: [email protected]
Your personal ID is indicated in the names of the files, before writing a message by email - indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Renames multiple (8140) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
encrypter-windows-gui-x86.exedescription ioc Process File opened (read-only) \??\F: encrypter-windows-gui-x86.exe File opened (read-only) \??\Z: encrypter-windows-gui-x86.exe -
Drops file in Program Files directory 64 IoCs
Processes:
encrypter-windows-gui-x86.exedescription ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_F_COL.HXK encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Thunder_Bay encrypter-windows-gui-x86.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\README.TXT encrypter-windows-gui-x86.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\README.TXT encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01164_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.dub encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105328.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153518.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01193_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00126_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15273_.GIF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33F.GIF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife encrypter-windows-gui-x86.exe File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\README.TXT encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTLVBA.DLL encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF encrypter-windows-gui-x86.exe File created C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\README.TXT encrypter-windows-gui-x86.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\README.TXT encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Aspect.thmx encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\UpdateAdd.vbe encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jre7\bin\fontmanager.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01291_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Concourse.eftx encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE encrypter-windows-gui-x86.exe File opened for modification C:\Program Files\Java\jre7\bin\decora-sse.dll encrypter-windows-gui-x86.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF encrypter-windows-gui-x86.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
encrypter-windows-gui-x86.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language encrypter-windows-gui-x86.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
encrypter-windows-gui-x86.exepid Process 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe 3068 encrypter-windows-gui-x86.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
encrypter-windows-gui-x86.exevssvc.exedescription pid Process Token: SeTakeOwnershipPrivilege 3068 encrypter-windows-gui-x86.exe Token: SeBackupPrivilege 2728 vssvc.exe Token: SeRestorePrivilege 2728 vssvc.exe Token: SeAuditPrivilege 2728 vssvc.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57d6ff8f56a6b251bbf524957ea185150
SHA1a20a884c722851b056b25bbdd51991c371acd9f5
SHA256ca9d73bacf174d6ddaf7bb91d86e3ebe6864d31ebb7e8138ce5d6b80999e6fb8
SHA51255ab05205c9746a088188e09ac489bcd7d7de11303591c1359a3c2b2974757db70202672849b5be3d3568564063420f5f70976ed50222281ab427b14cf069d09