balaclava | 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a

Analysis

max time kernel
104s
max time network
35s
platform
windows7_x64
resource
win7v20201028
submitted
18/02/2021, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
Size

66KB
MD5

c9a3f59644226858255588cd5d3c6d56
SHA1

be1e18396b118b13cc2128ab7efbe11833dc4d53
SHA256

190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a
SHA512

ba450f886ee9f24eed23298b8749dfa64ee4a48d70c89dcbaa3d10b6d3a9cd7bfdff377aae5f1a13ff9383e137be61eae6814c856df4325d108a2339a4683699

Score

10^/10

balaclava ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - [email protected] YOUR PERSONAL ID : C31DF307F8AE151EB715CCCA4D9FEEC27BF436D9C53DA6FF62501865FD3D9885 5E65D8BFE887F98525DEC66EA11A12B3CACB4C7A217E3C2ABEB539423FE5629F EDAF0F857DB4E7C53CA1CEE4EBB071A175E925F9572002419E98F5A52316407E 7AACDD1C81BED8961F48021C3FC0C807AA2859C9DE7AD605943FE9157BFD215F 1CE768EF7990A964DA9FBC4A39C04D27576BA2E58129137596AE82C767A05E2D 33EE66EEF35C1D672E6E012A27854F05FBDC3BFDA83EF2E7DA6D2F636266446C 76D0EAD57B177391CFAD8E0A5AA40B74A9F9CEAB05C7415C9443871D45ACAA61 7E5E0C2649F889C7F510F0063655B1FA9BA72B224DA855CFD6C782198A0DB498 8CC1EFC56D64F9D7F5F585C56AC1E999B592F9CEA4680C44F18B6842DFBEF993 561D2A56C41353B83F06C46CE16CC299BB1393264FB99D6856F46231A4F727C0 434C382831FC94588083633645C0BE419631BF30609BA98A56A14C71B69593E3 2F8482B7F66E21A90DE8917CBE60F38E7FA5A80C3F06BDAECE14A46895E8E937 7B7466EEEF392FA53EB3EAEC35E92258D920A6440BE0B0A1A81F0D696B450E9B F4F8384FFD1D9EDC7CE76E5842BCD89506B09B8FC169C2614E51127B40D6BD62 1578500957F522BA25E0BFE2106A1AD43D8301D34F0B60982784D14504190615 2E84DDBF5BE123445557128EF9993CE19E6A8CC752DA42508FA9AE21C7A785C2 C16478A0175BCB7E2481ACB767CF6FB8529ED52579E5AF5EB58372239620C57D BC19482021B1F6E33568245C41CF6DE6E5DA2F58BDBEBA134E3431E2F221AB5C 51F68E0487E6441B144336AB3FD58CA8E443E2D1B451F248C59A78CB8689C57F 01F19A177A2D566C094E25871B8C7CD49A6F6674AD1B9CFFDDC116C9D0CC75E1 2F7FF0A8ADAEE847B7204D0E1516FA2FF771982653BBF469C812D7392E75AEC8 EF0C5C44B3CDA95B67AA33F5CE93A775138766816388A6625027DC9718D63C24 4DCF2F0737969B3AD68856A82EF006BADC4B0D22943F62846E2A9F24310B313C E6E7609EAD5B09129763B4CAD6BCA416B26B6D65DF178069F616122CFEB300A8 30D5118EAB6681724D366AB5F601C08546C123D11409868E06F652C26E592942 9230C3D0E2E2A00109

Emails

[email protected]

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Drops desktop.ini file(s) 30 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107712.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Technic.thmx	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107528.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00223_.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.XML	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLS.ICO	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD98.POC	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsink.ax	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\HOW_TO_RECOVERY_FILES.txt	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00419_.WMF	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Origin.eftx	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Angles.thmx	190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
940	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
"C:\Users\Admin\AppData\Local\Temp\190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:1888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-4-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/1148-6-0x000007FEF7430000-0x000007FEF76AA000-memory.dmp

Filesize
2.5MB

Download
memory/1888-2-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download