buran | cc0680de960f3e1b727b61a42e59f9c282bd8e41fe20146ed191c7f4bf9283a7

Analysis

max time kernel
357s
max time network
358s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encrypter-windows-gui-x86.exe
Size

104KB
MD5

bae8e04226ff74f7c40f9bd2e6e3b4ae
SHA1

87ca31acfcb12b6eac57e1fd47926be330a11e03
SHA256

cc0680de960f3e1b727b61a42e59f9c282bd8e41fe20146ed191c7f4bf9283a7
SHA512

56fa390dd466b36797986bd4ae5ec01fb4717f191e2a0098885a603786c42bceee0f2917b3c961c0b0478d040ef7b0ecfda8504ab254afa2d7688f9a19ebb08f
SSDEEP

3072:vufqM7tExy3nGt1yc0bwEIrn/eufCNzxaR6:mfG/yc0bM/eufCNzxaR6

Score

10^/10

buran discovery ransomware

Malware Config

Extracted

Path

C:\Recovery\README.TXT

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.) Do you really want to restore your files? Write to email: [email protected] Your personal ID is indicated in the names of the files, before writing a message by email - indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Renames multiple (8194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

encrypter-windows-gui-x86.exe

description	ioc	Process
File opened (read-only)	\??\F:	encrypter-windows-gui-x86.exe
File opened (read-only)	\??\Z:	encrypter-windows-gui-x86.exe

Drops file in Program Files directory 64 IoCs

Processes:

encrypter-windows-gui-x86.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CUPINST.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18185_.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690Nmerical.XSL	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299611.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0158477.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0279644.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png	encrypter-windows-gui-x86.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\README.TXT	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SOCIALCONNECTORRES.DLL	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeLetter.Dotx	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCVDT.DLL	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip	encrypter-windows-gui-x86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\README.TXT	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02009_.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp	encrypter-windows-gui-x86.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\README.TXT	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Country.gif	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMARQ.XML	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\PingNew.xls	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\DELIMR.FAE	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00726_.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195788.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jre7\README.TXT	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar	encrypter-windows-gui-x86.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\README.TXT	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\UnblockInvoke.ex_	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293236.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0300862.WMF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143745.GIF	encrypter-windows-gui-x86.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG	encrypter-windows-gui-x86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

encrypter-windows-gui-x86.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	encrypter-windows-gui-x86.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

encrypter-windows-gui-x86.exe

pid	Process
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe
2232	encrypter-windows-gui-x86.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

encrypter-windows-gui-x86.exevssvc.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	2232	encrypter-windows-gui-x86.exe
Token: SeBackupPrivilege	3016	vssvc.exe
Token: SeRestorePrivilege	3016	vssvc.exe
Token: SeAuditPrivilege	3016	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe
"C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\README.TXT

Filesize
1KB

MD5
7d6ff8f56a6b251bbf524957ea185150

SHA1
a20a884c722851b056b25bbdd51991c371acd9f5

SHA256
ca9d73bacf174d6ddaf7bb91d86e3ebe6864d31ebb7e8138ce5d6b80999e6fb8

SHA512
55ab05205c9746a088188e09ac489bcd7d7de11303591c1359a3c2b2974757db70202672849b5be3d3568564063420f5f70976ed50222281ab427b14cf069d09

Download Submit