Analysis
-
max time kernel
39s -
max time network
43s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
07-03-2024 19:45
General
-
Target
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc.exe
-
Size
416KB
-
MD5
dcef208fcdac3345c6899a478d16980f
-
SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
-
SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
-
SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba
-
SSDEEP
6144:iYdiLQNWloaXoLJYksETr0vpvejH6ols25A0LJjI4WHB/N7:BiLQqosgZs+8vejap0LJ6h
Malware Config
Extracted
C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload 10 IoCs
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (1696) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc.exe"C:\Users\Admin\AppData\Local\Temp\824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXTFilesize
975B
MD5ef3e169d037451c70f1d876e20eb7070
SHA156b5d8ee83753405e9b9d6e7b4c8f6672ec3bbaf
SHA256960f379295c0d9cf2f4281c34817cf7e45c30a742b7cd7490ebef9a92f53bb7a
SHA5124e18ed04bd78170f76ab5703b8f9f62dab67e5456a2105e0c5b4011dc52d0f14e98aa61f9cf3038c75ba886f68c4e9a626066ef41628076ea91de47c71e34823
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBFilesize
2KB
MD5ec3cab0d012a32ecb5441def3ff750cd
SHA1018cce88f601d4a4fc739ce346b1d844635dcff4
SHA25643e73f161a6fda56fc2b948653bb3a99aa2462d0ac804aaa4bcf04b34343efa9
SHA512ee4a6e429ee0d204bc8c8388181eaf93a09e782591f3d2df52a9a0ee4d2260a31a4b602ec904fab7d545dc34957795665ede4d26900d004b8a2a89a20178ce40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4Filesize
472B
MD52a941866b71b87f1b517c9e6d84dfbed
SHA1a5c2ea62ddb855d0f48f87f67b354f646c73cf3c
SHA2562cc2cf579f63c3f4c242acf9d15b3454740806577713bc7d40e1ee3e804ba0d9
SHA512d138ea83a1b5cdecd70e944c4244125afaf2e2d6dd21ab58d2bd9a9d03603191db10d6bdd9cedbfb552baa88e205105e4c5d8190b4fa8226ae96a333939c5322
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
1KB
MD5a5caead01378ea5e8b3b48bb4bf465d0
SHA1ce6015bd0e6d004add7413334ed0ba90c7b857ab
SHA256272105992830f2dd4e9a8e228fd8d223f899263ed8dbb1bc66a4c0a3ecb65d53
SHA5129a85c23e184d0efb3c74dde0954a49a780e364d3eabff32ee80ae3452867812487a44a7580632e233c0abcacc1d8248c0df1582bdaff0725b49e167538cfd3af
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBFilesize
484B
MD54367896a5741ea638d9bd9a815c33c9e
SHA19929f47737bd11f5997e512585d9bfde5f21cb31
SHA25657d2ef8fcfc120c5ef07d107834cc1040eb2064df3b9d1ba6307ec5c26b87d4f
SHA51258d63f8c80c76d0d9af63ae25ecced61d589027173dfcedbe70c7b32ecdc812848d14aead980783b64c688f18f906087abbc7413602ea7cbdce38c25a799be2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4Filesize
488B
MD5f84279f4c47e01651d6331981d67364b
SHA1541b5d7c3aa48224578bb823a3ab88426fee7a79
SHA25689c1a36aba4afcc974a228a81c981377475acaa4ab19fc6ecc989bf285da020e
SHA5129921fa2ab6a7c586bf5567fcc17e75493dac384ef1155268e7183879483ee838d680284d8d8a3d54acb5e8845455d91cb2c63322da5269d93887223ba11e138a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
482B
MD541895770e3be9243372919c353ba9d4e
SHA1df1be400482deeb7de2ffac9654d06c4384d6d09
SHA256efb05f6398ac6dd8b0fc117300a7f120257b9d6f119d8c67b69163939724dd08
SHA512f2d3c6d047003b21d91a97c08056e7a39c37a028a7505a6013c3daa8c02b60e86852fa67ab02250319bcc8423e96e40cf11291ff97a34cb3f19e57d4c7a2a3e4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\53V85Y29\CIICRD53.htmFilesize
18KB
MD5d86c179bcfbd66e883f47019ea1ca200
SHA1c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8
SHA256b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea
SHA512d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U2DI4E2V\W0L1R2AZ.htmFilesize
190B
MD56ebbeb8c70d5f8ffc3fb501950468594
SHA1c06e60a316e48f5c35d39bcf7ed7e6254957ac9e
SHA256a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1
SHA51275cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batFilesize
406B
MD5ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exeFilesize
416KB
MD5dcef208fcdac3345c6899a478d16980f
SHA1fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA51228e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba
-
C:\odt\.zeppelinFilesize
513B
MD58bff8f7ec2dee0630915c750011b1bad
SHA13f37e6bc23aba846bffa9d510bfd03024af53c73
SHA256aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3
SHA512e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe
-
C:\vcredist2010_x86.log.htmlFilesize
83KB
MD583787ed946d32e91d3b943e4892846db
SHA1fa337178540c8616a808cdd0801f4e473ba482ee
SHA256b7636429f3e3b41582eb17ede1d04cf48c6bf82158aa144a34f59238f4d690bf
SHA512ba392dea34e2b592b9328ba0354f3e499139e323b5b31352a2c8a6dd14f98f98ec4a58cb9ebfa2ecb13a50377c2eb77bdce723cb142fc8aa8025c4423de9d047
-
memory/200-78-0x0000000000E00000-0x0000000000F45000-memory.dmpFilesize
1.3MB
-
memory/200-65-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/200-59-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/200-56-0x0000000000E00000-0x0000000000F45000-memory.dmpFilesize
1.3MB
-
memory/1088-2472-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/1088-5598-0x0000000000D00000-0x0000000000E45000-memory.dmpFilesize
1.3MB
-
memory/1088-55-0x0000000000D00000-0x0000000000E45000-memory.dmpFilesize
1.3MB
-
memory/1088-58-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/1088-5564-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/1272-24-0x0000000000E00000-0x0000000000F45000-memory.dmpFilesize
1.3MB
-
memory/1272-54-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/1272-50-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/1272-25-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/1272-57-0x0000000000E00000-0x0000000000F45000-memory.dmpFilesize
1.3MB
-
memory/4560-0-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/4560-1-0x0000000000AB0000-0x0000000000BF5000-memory.dmpFilesize
1.3MB
-
memory/4560-27-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/4560-28-0x0000000000AB0000-0x0000000000BF5000-memory.dmpFilesize
1.3MB
-
memory/4560-2-0x0000000000400000-0x0000000000557000-memory.dmpFilesize
1.3MB
-
memory/4776-22-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB