balaclava | 5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8

General

Target

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
Size

66KB
MD5

2046d5509a677e9af42a5b6533302d60
SHA1

a37f2520658ab6b9030a6aced46b4fa4ba260e95
SHA256

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8
SHA512

2f168939c72906922b46b0dd82b060dcce5d24827ecac697b0e6f6a74b145a2cc081afb65c9bdceae8487ddfaa5dcbe1f14e09ecc29d32eb3a28899d90ba297b

Score

10^/10

balaclava ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - [email protected] YOUR PERSONAL ID : 7331B9ABC4842D5E6EB430354DC4315A4260F1F740F4FB3A01EF7BF326F499FC D505AE0BA34820FA854FFB2D81F65E513505E006DC229739CA786DB9CCC8463F 7660302973A86830B723657805E261998F18810F6BED45F139D3035548607E53 A0273813A499296F95D5B177BD9CFEBA874021087C98034D4125F30840D678AA 3612EBD7CFA1DE7647D51E57C89EC0537C73C0615A0C2777403D791175B94F56 4278454710E0F2D87962344CFE5A37DA1DE90B857EF2ACE727AF87EE03C2CCF8 4ED8DE7E5470D00FDDF31486888C447221558E69A0B684E9BDA16CD0D7A23EB4 3595A14287A11E9B5C2D8E2CA4F5C6684D53334963088E88BC26444423488424 BCE0D9589E8E580FB6A648CC702577DF2EF37B3BD886B3153001ECC0BD6AABBC 58F7DB812FD2E745A15C6928228E9BD8623FB8A2A9FAE857A20060F2B1BA8369 D76C6DF2B9D6B20DAA372C900F5D14DACD6D14B5DF026CFDC5D9C6AB3F644E37 BB4A044355D8F4C438A31C101228540EFDE0234F4535B17447D47560A490B946 639E6AAD3B535C5952E1A7578F2752DC89288B882CB7C8F3F70B7CCA703C7AB3 19EF4C060DC8D0C839D1DFD07BE94CB2D5384DD49009F24E19561766D7527E99 EBC6BCE4E08595D0EA1B2CF3692B4AE92095EB83C3AAB38D231B3F6CEAC6E607 64B9F53FFEFD1F8CE2AAC25DA06B7E1CE270F0EAD10EE869EEDC314C74810561 82459F98E052E4AC891F6D6F162D0686933D79E0C46E0F388F463A23110F6F4A 1A2AE4C9E00A71909C7827FB3BFD7D24E435726EF842AFCD134EE1520D7ECDE6 4B4B2086560C1B4259DD0B46557EC8C54B8BABE47A7F86EA4A210B219403D7EA D9BFD70A34DF9688DA5E07C7E52B08CE9C201EA0E2BAD1CB9D90864EAAA71FF9 E61B3E2A4D324AFA1655C8F78E36A9A7CB85AE1559D19F30D7F7B277D9AC32A8 A7F129422264A2E58A3E24B1583DEF50E2AF8CEA394E332AFDDDB4F39B61261C 72743DFB3F6D1F3903B861486CCFDB20731F5C0FF49ECD93B381015E58478B32 3FA37E158395F3A6D31C32B6D9AE5FD0BB2E81C4911F642A22D42E0352A324F2 546E664B8BAA31DF172725B58EE21E66BD0122CB0C87C760AAFB41AE7449BD33 0872F34CB34CC2010F

Emails

[email protected]

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertToResume.raw => C:\Users\Admin\Pictures\ConvertToResume.raw.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\RequestTest.raw => C:\Users\Admin\Pictures\RequestTest.raw.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\RevokeRepair.crw => C:\Users\Admin\Pictures\RevokeRepair.crw.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Pictures\UndoOptimize.tiff	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\UndoOptimize.tiff => C:\Users\Admin\Pictures\UndoOptimize.tiff.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\EnterWatch.crw => C:\Users\Admin\Pictures\EnterWatch.crw.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeMerge.tiff	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\OptimizeMerge.tiff => C:\Users\Admin\Pictures\OptimizeMerge.tiff.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File renamed	C:\Users\Admin\Pictures\StartJoin.png => C:\Users\Admin\Pictures\StartJoin.png.ponce_New	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Drops desktop.ini file(s) 30 IoCs

Processes:

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

description	ioc	process
File opened for modification	C:\Users\Public\Videos\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

description ioc process

File opened (read-only) \??\A: 5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

description	ioc	process
File opened (read-only)	\??\A:	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Drops file in Program Files directory 64 IoCs

Processes:

5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01849_.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21304_.GIF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105912.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185800.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nassau	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086478.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\DVD Maker\WMM2CLIP.dll	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ContemporaryPhotoAlbum.potx	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099179.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Tasks.accdt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWORIENT.DLL	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\HOW_TO_RECOVERY_FILES.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDA	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML	5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1220 NOTEPAD.EXE

pid	process
1220	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
"C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:1968

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini

MD5
10f1fbee338aa96a43d1adb7142d4515

SHA1
137d31f4ef74bbf5f2989254ac35da5ccd8dd6c4

SHA256
78a9c23f447d6e785248da431c095ad98a42e8dd3f1e086b2e01b0a884d87d50

SHA512
3ceef30880cb0258501962c921dfd18862ec410699049f573ac709d99b324b0dff49de055233a261ee6218a6d75c167670dd1cf8144cc76396563b6e612b8f7c

Download Submit
C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt

MD5
19bb9ffdcdf54c8507eb741694094df2

SHA1
adfe87ff8eff71423f3392f921ff865dd41716d7

SHA256
8287335a3dc6d3e2822dca7e49cd4e4a99ebe2a761ea921a8f77120ed237ff92

SHA512
4dc8e500425dfa55cd09fadae29f246504f74200bb1cf7e9b9dcdb287e6df079691047431a109e4bc8b7fd42d3d9b69a1ffea4422b7a4a0dc8e2c77e33314671

Download Submit
memory/1220-4-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/1856-6-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp

Filesize
2.5MB

Download
memory/1968-2-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads