5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319

General
Target

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319

Size

65KB

Sample

210218-yp8hg8yw1j

Score
10/10
MD5

7ed4882c2a0d24c401cbce7536ddf792

SHA1

0f75ecdf6fbf37a186b3e9c79e0f8372c0c12ea0

SHA256

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319

SHA512

8661260130a82ea2a11db641c28cfb7d4d69c9867bdc00c1980ce1733da37ee90253959401022e5dd603410a3957cb236b9d9f2babab62b18421addb2abd8903

Malware Config

Extracted

Path C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt
Family balaclava
Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address daves.smith@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - daves.smith@aol.com
Emails

daves.smith@aol.com

Targets

Tags

Signatures

  • Balaclava Malware

    Description

    Balaclava malware is a ransomware program.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry
    Peripheral Device Discovery
    System Information Discovery

Related Tasks

MITRE ATT&CK Matrix

Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation

Tasks

static1

behavioral1

10/10

behavioral2

10/10