Analysis
max time kernel: 34s
max time network: 42s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-10-2024 13:39
Static task: static1
Behavioral task: behavioral1
  Sample: encrypter-windows-gui-x86.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: encrypter-windows-gui-x86.exe
  Resource: win10v2004-20241007-en
General
Target: encrypter-windows-gui-x86.exe
Size: 104KB
MD5: bae8e04226ff74f7c40f9bd2e6e3b4ae
SHA1: 87ca31acfcb12b6eac57e1fd47926be330a11e03
SHA256: cc0680de960f3e1b727b61a42e59f9c282bd8e41fe20146ed191c7f4bf9283a7
SHA512: 56fa390dd466b36797986bd4ae5ec01fb4717f191e2a0098885a603786c42bceee0f2917b3c961c0b0478d040ef7b0ecfda8504ab254afa2d7688f9a19ebb08f
SSDEEP: 3072:vufqM7tExy3nGt1yc0bwEIrn/eufCNzxaR6:mfG/yc0bM/eufCNzxaR6
Malware Config
Extracted
  Path: C:\Program Files (x86)\Adobe\README.TXT
  Family: buran
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Renames multiple (8132) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F: | encrypter-windows-gui-x86.exe
  File opened (read-only) | \??\Z: | encrypter-windows-gui-x86.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSAutogen.dll | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00165_.GIF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF | encrypter-windows-gui-x86.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\README.TXT | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanResume.Dotx | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152626.WMF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CSS7DATA000A.DLL | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19563_.GIF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXC | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00197_.WMF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baghdad | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01797_.WMF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA | encrypter-windows-gui-x86.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\README.TXT | encrypter-windows-gui-x86.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\README.TXT | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.POC | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml | encrypter-windows-gui-x86.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\README.TXT | encrypter-windows-gui-x86.exe
  File created | C:\Program Files\Java\jre7\lib\zi\Etc\README.TXT | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif | encrypter-windows-gui-x86.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\README.TXT | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Amman | encrypter-windows-gui-x86.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\README.TXT | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51F.GIF | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties | encrypter-windows-gui-x86.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\README.TXT | encrypter-windows-gui-x86.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\README.TXT | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\README.TXT | encrypter-windows-gui-x86.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx | encrypter-windows-gui-x86.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | encrypter-windows-gui-x86.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2828 | encrypter-windows-gui-x86.exe (the same entry is listed 64 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 2828 | encrypter-windows-gui-x86.exe
  Token: SeBackupPrivilege | 2360 | vssvc.exe
  Token: SeRestorePrivilege | 2360 | vssvc.exe
  Token: SeAuditPrivilege | 2360 | vssvc.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"
  PID: 2828
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2360
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7d6ff8f56a6b251bbf524957ea185150
  SHA1: a20a884c722851b056b25bbdd51991c371acd9f5
  SHA256: ca9d73bacf174d6ddaf7bb91d86e3ebe6864d31ebb7e8138ce5d6b80999e6fb8
  SHA512: 55ab05205c9746a088188e09ac489bcd7d7de11303591c1359a3c2b2974757db70202672849b5be3d3568564063420f5f70976ed50222281ab427b14cf069d09