Analysis

  • max time kernel
    119s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-02-2021 15:18

General

  • Target
    5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
  • Size
    66KB
  • MD5
    2046d5509a677e9af42a5b6533302d60
  • SHA1
    a37f2520658ab6b9030a6aced46b4fa4ba260e95
  • SHA256
    5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8
  • SHA512
    2f168939c72906922b46b0dd82b060dcce5d24827ecac697b0e6f6a74b145a2cc081afb65c9bdceae8487ddfaa5dcbe1f14e09ecc29d32eb3a28899d90ba297b

Score
10/10

Malware Config

Extracted

  • Path
    C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt
  • Family
    balaclava
  • Ransom Note
    Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address ponce.lorena@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - ponce.lorena@aol.com
  • Emails
    ponce.lorena@aol.com

Signatures

  • Balaclava Malware

    Balaclava malware is a ransomware program.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe
    "C:\Users\Admin\AppData\Local\Temp\5df78a95af2cc44d7f94a642e24ee8788cee037c6723f5aad203df730e89a2d8.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 656
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry: T1012 (1)
    • Peripheral Device Discovery: T1120 (1)
    • System Information Discovery: T1082 (1)

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini
    MD5
    0283e3a689b325f6833969e4a5976a35
    SHA1
    1558308f4ccfa3c5d4964b062dac55a019c24b10
    SHA256
    22285b3775c50ef2693d52f1ef6b2f1fae597abaec314f295324217178909bc0
    SHA512
    0abd955586bfc41fa0a21d359b7b74aca0ce6f2b1d44605e9afb14e6c80cb6d509a704393adc0d6a1cd46b49867c4ffab2fbf81ed9fdb3cef2e9ce8eeec98f5a
  • memory/1404-3-0x00000000051C0000-0x00000000051C1000-memory.dmp
    Filesize
    4KB