190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a

General
Target

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a

Size

66KB

Sample

210218-ndr6prtyxe

Score
10 /10
MD5

c9a3f59644226858255588cd5d3c6d56

SHA1

be1e18396b118b13cc2128ab7efbe11833dc4d53

SHA256

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a

SHA512

ba450f886ee9f24eed23298b8749dfa64ee4a48d70c89dcbaa3d10b6d3a9cd7bfdff377aae5f1a13ff9383e137be61eae6814c856df4325d108a2339a4683699

Malware Config

Extracted

Path C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt
Family balaclava
Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address daves.smith@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - daves.smith@aol.com YOUR PERSONAL ID :
Emails

daves.smith@aol.com

Signatures

  • Balaclava Malware

    Description

    Balaclava malware is a ransomware program.

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

Tasks

static1

behavioral1 10/10

behavioral2 10/10