5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8

General

Target: 5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8
Size: 66KB
Sample: 210218-e4d3r2qyba
Score: 10/10
MD5: 2046d5509a677e9af42a5b6533302d60
SHA1: a37f2520658ab6b9030a6aced46b4fa4ba260e95
SHA256: 5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8
SHA512: 2f168939c72906922b46b0dd82b060dcce5d24827ecac697b0e6f6a74b145a2cc081afb65c9bdceae8487ddfaa5dcbe1f14e09ecc29d32eb3a28899d90ba297b

Malware Config

Extracted

Path C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt
Family balaclava
Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address ponce.lorena@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - ponce.lorena@aol.com
Emails

ponce.lorena@aol.com


Targets

Target: 5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8
MD5: 2046d5509a677e9af42a5b6533302d60
Filesize: 66KB
Score: 10/10
SHA1: a37f2520658ab6b9030a6aced46b4fa4ba260e95
SHA256: 5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8
SHA512: 2f168939c72906922b46b0dd82b060dcce5d24827ecac697b0e6f6a74b145a2cc081afb65c9bdceae8487ddfaa5dcbe1f14e09ecc29d32eb3a28899d90ba297b

Signatures

  • Balaclava Malware

    Description

    Balaclava malware is a ransomware program.

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10