Overview

overview

10

Static

static

3

encrypter-...86.exe

windows10-2004-x64

10

Resubmissions

21-10-2024 13:41

241021-qy3vhawbld 10

21-10-2024 13:39

241021-qx9lnawarg 10

Analysis

  • max time kernel
    76s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    encrypter-windows-gui-x86.exe

  • Size

    104KB

  • MD5

    bae8e04226ff74f7c40f9bd2e6e3b4ae

  • SHA1

    87ca31acfcb12b6eac57e1fd47926be330a11e03

  • SHA256

    cc0680de960f3e1b727b61a42e59f9c282bd8e41fe20146ed191c7f4bf9283a7

  • SHA512

    56fa390dd466b36797986bd4ae5ec01fb4717f191e2a0098885a603786c42bceee0f2917b3c961c0b0478d040ef7b0ecfda8504ab254afa2d7688f9a19ebb08f

  • SSDEEP

    3072:vufqM7tExy3nGt1yc0bwEIrn/eufCNzxaR6:mfG/yc0bM/eufCNzxaR6

Score
10/10
burandiscoveryransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\README.TXT

Family

buran

Ransom Note
YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.) Do you really want to restore your files? Write to email: [email protected] Your personal ID is indicated in the names of the files, before writing a message by email - indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Renames multiple (8928) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe
    "C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3748
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1096
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\README.TXT
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2344
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:7132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\README.TXT
    Filesize

    1KB

    MD5

    7d6ff8f56a6b251bbf524957ea185150

    SHA1

    a20a884c722851b056b25bbdd51991c371acd9f5

    SHA256

    ca9d73bacf174d6ddaf7bb91d86e3ebe6864d31ebb7e8138ce5d6b80999e6fb8

    SHA512

    55ab05205c9746a088188e09ac489bcd7d7de11303591c1359a3c2b2974757db70202672849b5be3d3568564063420f5f70976ed50222281ab427b14cf069d09

    Download Submit