Analysis

  • max time kernel
    110s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-02-2021 15:18

General

  • Target

    5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

  • Size

    66KB

  • MD5

    2046d5509a677e9af42a5b6533302d60

  • SHA1

    a37f2520658ab6b9030a6aced46b4fa4ba260e95

  • SHA256

    5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8

  • SHA512

    2f168939c72906922b46b0dd82b060dcce5d24827ecac697b0e6f6a74b145a2cc081afb65c9bdceae8487ddfaa5dcbe1f14e09ecc29d32eb3a28899d90ba297b

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - [email protected] YOUR PERSONAL ID : 7331B9ABC4842D5E6EB430354DC4315A4260F1F740F4FB3A01EF7BF326F499FC D505AE0BA34820FA854FFB2D81F65E513505E006DC229739CA786DB9CCC8463F 7660302973A86830B723657805E261998F18810F6BED45F139D3035548607E53 A0273813A499296F95D5B177BD9CFEBA874021087C98034D4125F30840D678AA 3612EBD7CFA1DE7647D51E57C89EC0537C73C0615A0C2777403D791175B94F56 4278454710E0F2D87962344CFE5A37DA1DE90B857EF2ACE727AF87EE03C2CCF8 4ED8DE7E5470D00FDDF31486888C447221558E69A0B684E9BDA16CD0D7A23EB4 3595A14287A11E9B5C2D8E2CA4F5C6684D53334963088E88BC26444423488424 BCE0D9589E8E580FB6A648CC702577DF2EF37B3BD886B3153001ECC0BD6AABBC 58F7DB812FD2E745A15C6928228E9BD8623FB8A2A9FAE857A20060F2B1BA8369 D76C6DF2B9D6B20DAA372C900F5D14DACD6D14B5DF026CFDC5D9C6AB3F644E37 BB4A044355D8F4C438A31C101228540EFDE0234F4535B17447D47560A490B946 639E6AAD3B535C5952E1A7578F2752DC89288B882CB7C8F3F70B7CCA703C7AB3 19EF4C060DC8D0C839D1DFD07BE94CB2D5384DD49009F24E19561766D7527E99 EBC6BCE4E08595D0EA1B2CF3692B4AE92095EB83C3AAB38D231B3F6CEAC6E607 64B9F53FFEFD1F8CE2AAC25DA06B7E1CE270F0EAD10EE869EEDC314C74810561 82459F98E052E4AC891F6D6F162D0686933D79E0C46E0F388F463A23110F6F4A 1A2AE4C9E00A71909C7827FB3BFD7D24E435726EF842AFCD134EE1520D7ECDE6 4B4B2086560C1B4259DD0B46557EC8C54B8BABE47A7F86EA4A210B219403D7EA D9BFD70A34DF9688DA5E07C7E52B08CE9C201EA0E2BAD1CB9D90864EAAA71FF9 E61B3E2A4D324AFA1655C8F78E36A9A7CB85AE1559D19F30D7F7B277D9AC32A8 A7F129422264A2E58A3E24B1583DEF50E2AF8CEA394E332AFDDDB4F39B61261C 72743DFB3F6D1F3903B861486CCFDB20731F5C0FF49ECD93B381015E58478B32 3FA37E158395F3A6D31C32B6D9AE5FD0BB2E81C4911F642A22D42E0352A324F2 546E664B8BAA31DF172725B58EE21E66BD0122CB0C87C760AAFB41AE7449BD33 0872F34CB34CC2010F

Signatures

  • Balaclava Malware

    Balaclava malware is a ransomware program.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 30 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
    "C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:1968
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1220-4-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

    Filesize

    8KB

  • memory/1856-6-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp

    Filesize

    2.5MB

  • memory/1968-2-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

    Filesize

    8KB