Overview

overview

10

Static

static

5de4af86a4...19.exe

windows7_x64

10

5de4af86a4...19.exe

windows10_x64

10

Analysis

  • max time kernel
    115s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-02-2021 15:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

  • Size

    65KB

  • MD5

    7ed4882c2a0d24c401cbce7536ddf792

  • SHA1

    0f75ecdf6fbf37a186b3e9c79e0f8372c0c12ea0

  • SHA256

    5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319

  • SHA512

    8661260130a82ea2a11db641c28cfb7d4d69c9867bdc00c1980ce1733da37ee90253959401022e5dd603410a3957cb236b9d9f2babab62b18421addb2abd8903

Score
10/10
balaclavaransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - [email protected] YOUR PERSONAL ID : 82F6914D48BD2EE62545A89A7C188E56D036AE0F46C2383FD1127C85BE2ECEB8 CC8124FFCEAAA6CB0E71425C2E95DF1AAC4132ECD8F64C3AEE1A3855F47C1653 AB928ED975D092A79DBFC95838DD73161E598F103EDFA44F2E19A47815DDE711 734E4868ED999DA5A286DFFA26F6DA6437087D2AD5CDA81744B7675233A7D992 35992845375A58C53E8264B8A7AD50AC226564848668E30BDC28EA43746A6E83 0BDAAE79B19C5BEF3400939ECF2340B778F3FD4B163C783FFF7F278DAD021730 15E6DD89BD1EF529B5F2E5173D56F783EEE3F70304DD98DB6E66CC8B9D7E8418 BD32446EE8E47757D10258835997DA61CF1818B093EC39BC482873DDF92D852D 482DE7C6FE71CA845630966BBB492514A54987A375AA2ECBB4196539F2BAEB37 33E404207E253C3F4A59FF6FC599DAAB4EC4F6C1076452FB01CBC330BBFBF2BE 154F27C9C8E05E53648297573C669063D2A418F5B5B5E5626725796035DF2F06 8C4898AC587FF0817BCE0FC73AE2E6C504522EDCB3EC09DD71D5FC49782F697A 0A0ECFFAE92BAB360399CD76D9CBF0AEC7121C592697217DAE918AD96F543F93 801368D0DF02BE74081CE8C131208924000C3F9789B4EAA306104017A65B28F9 5C675D28E5AA7307CF679161A11CCDFB3203B063C29111B0FF74B62ED1DDF92A CDAFE852B66ABD27C0D08B70EC4A584A5F0599317C59DFB966CA84BA5F891AF4 DDB4696E947866636C4648BAD507F955ABFCD2936038CC4BBF37CD64D7CF1E8E F56BC96FFE10D9BF857026FFB6298EB4CD24C57A690235DF929F18EAD8FE6BDB 7DF2AAB0AD9EC9D0C4BD80C4AA6B759C91E27C977814E88D6C535DEFF2C7617F B23FB54B227C89107E530B751338C4AC74B1ACB0501297D9D42CE82924DA3495 CA7E5F3D23A526AF4E25AB39A54FB06A4010A21E996069925AC0885B71C5ADBD F30FD42D87CA8D9CC0554060D97F3BA3C2774A02FBD54002EA80D1191113AC82 8C26FE1BC8EB7F0D323679AB5CF99DE7F594C98458A1A7C02D249A0F6A4B6A0C 2C5A95429002F46DFA720A32811542F2F6F70A58DC19BB561EB399F2DA07C151 C21131933B6D9B61FBCA1FACA40ED9C1258BBBF71EBF83264A8A651ACCA19FBC BCEE36E50237FA00D7

Signatures

  • Balaclava Malware

    Balaclava malware is a ransomware program.

    ransomwarebalaclava
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 30 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
    "C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:1152
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/572-4-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

    Filesize

    8KB

    Download

  • memory/976-6-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

    Filesize

    8KB

    Download