balaclava | 5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319

General

Target

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
Size

65KB
MD5

7ed4882c2a0d24c401cbce7536ddf792
SHA1

0f75ecdf6fbf37a186b3e9c79e0f8372c0c12ea0
SHA256

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319
SHA512

8661260130a82ea2a11db641c28cfb7d4d69c9867bdc00c1980ce1733da37ee90253959401022e5dd603410a3957cb236b9d9f2babab62b18421addb2abd8903

Score

10^/10

balaclava ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address daves.smith@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - daves.smith@aol.com YOUR PERSONAL ID : 82F6914D48BD2EE62545A89A7C188E56D036AE0F46C2383FD1127C85BE2ECEB8 CC8124FFCEAAA6CB0E71425C2E95DF1AAC4132ECD8F64C3AEE1A3855F47C1653 AB928ED975D092A79DBFC95838DD73161E598F103EDFA44F2E19A47815DDE711 734E4868ED999DA5A286DFFA26F6DA6437087D2AD5CDA81744B7675233A7D992 35992845375A58C53E8264B8A7AD50AC226564848668E30BDC28EA43746A6E83 0BDAAE79B19C5BEF3400939ECF2340B778F3FD4B163C783FFF7F278DAD021730 15E6DD89BD1EF529B5F2E5173D56F783EEE3F70304DD98DB6E66CC8B9D7E8418 BD32446EE8E47757D10258835997DA61CF1818B093EC39BC482873DDF92D852D 482DE7C6FE71CA845630966BBB492514A54987A375AA2ECBB4196539F2BAEB37 33E404207E253C3F4A59FF6FC599DAAB4EC4F6C1076452FB01CBC330BBFBF2BE 154F27C9C8E05E53648297573C669063D2A418F5B5B5E5626725796035DF2F06 8C4898AC587FF0817BCE0FC73AE2E6C504522EDCB3EC09DD71D5FC49782F697A 0A0ECFFAE92BAB360399CD76D9CBF0AEC7121C592697217DAE918AD96F543F93 801368D0DF02BE74081CE8C131208924000C3F9789B4EAA306104017A65B28F9 5C675D28E5AA7307CF679161A11CCDFB3203B063C29111B0FF74B62ED1DDF92A CDAFE852B66ABD27C0D08B70EC4A584A5F0599317C59DFB966CA84BA5F891AF4 DDB4696E947866636C4648BAD507F955ABFCD2936038CC4BBF37CD64D7CF1E8E F56BC96FFE10D9BF857026FFB6298EB4CD24C57A690235DF929F18EAD8FE6BDB 7DF2AAB0AD9EC9D0C4BD80C4AA6B759C91E27C977814E88D6C535DEFF2C7617F B23FB54B227C89107E530B751338C4AC74B1ACB0501297D9D42CE82924DA3495 CA7E5F3D23A526AF4E25AB39A54FB06A4010A21E996069925AC0885B71C5ADBD F30FD42D87CA8D9CC0554060D97F3BA3C2774A02FBD54002EA80D1191113AC82 8C26FE1BC8EB7F0D323679AB5CF99DE7F594C98458A1A7C02D249A0F6A4B6A0C 2C5A95429002F46DFA720A32811542F2F6F70A58DC19BB561EB399F2DA07C151 C21131933B6D9B61FBCA1FACA40ED9C1258BBBF71EBF83264A8A651ACCA19FBC BCEE36E50237FA00D7

Emails

daves.smith@aol.com

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PublishWrite.tif => C:\Users\Admin\Pictures\PublishWrite.tif.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\RepairStep.crw => C:\Users\Admin\Pictures\RepairStep.crw.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\SendRedo.tiff	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\SetSearch.tif => C:\Users\Admin\Pictures\SetSearch.tif.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\DismountDebug.raw => C:\Users\Admin\Pictures\DismountDebug.raw.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\SearchInitialize.crw => C:\Users\Admin\Pictures\SearchInitialize.crw.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\SendRedo.tiff => C:\Users\Admin\Pictures\SendRedo.tiff.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\StepPush.tiff	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\StepPush.tiff => C:\Users\Admin\Pictures\StepPush.tiff.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishUnregister.tiff	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\UnblockWrite.crw => C:\Users\Admin\Pictures\UnblockWrite.crw.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\UnpublishUnregister.tiff => C:\Users\Admin\Pictures\UnpublishUnregister.tiff.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File renamed	C:\Users\Admin\Pictures\HideEdit.tif => C:\Users\Admin\Pictures\HideEdit.tif.daves_New	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Drops desktop.ini file(s) 30 IoCs

Processes:

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

description ioc process

File opened (read-only) \??\A: 5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

description	ioc	process
File opened (read-only)	\??\A:	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Drops file in Program Files directory 64 IoCs

Processes:

5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00010_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00419_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXT	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02407_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00938_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXT	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02369_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_INIT.XSN	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTINTERNET.NET.XML	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_SlateBlue.gif	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00726_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\HOW_TO_RECOVERY_FILES.txt	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02262_.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files\Java\jre7\bin\eula.dll	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152568.WMF	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_justify.gif	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js	5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

572 NOTEPAD.EXE

pid	process
572	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
"C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:1152

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:572

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini
MD5
babff3f95c44fd82d37d398c85f0cbc3

SHA1
dded91d3112bd78c5353725123e16806d1026e74

SHA256
2ab8a076962464fad476dae28acb3a1ed003add4e6b95a3c1ec3d73aaf8d5f84

SHA512
25adf8a6f22de842f41ecbb95c6abf1c982be0a3b921a489b47a49cc4e0bf5f0b7bafff8c2d6244bcd0b8f2867a4ee0ebfb1f783b1f2e0a10f49a942bc02ec22

Download Submit
C:\Users\Public\Desktop\HOW_TO_RECOVERY_FILES.txt
MD5
ba9129453f8cdbe74df1144441963487

SHA1
6519d6699d2776f09919276a142c4bd50353143a

SHA256
5075f9ba5b93dadf69faa59fef55520a72573ef0ea3d6f0a0aa1cbeeb811fa45

SHA512
7d7a4d417a094416a72d48fdab319ea52f8394f5dbcc22cc516b01f60af9f90e513b112a977313d64aa26f01afba43ab14b5dbee56415cdd5dbcf61b07aa1c64

Download Submit
memory/572-4-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/976-6-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads