Analysis

  • max time kernel: 89s
  • max time network: 150s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 18-02-2021 15:18

General

  • Target: 5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
  • Size: 65KB
  • MD5: 7ed4882c2a0d24c401cbce7536ddf792
  • SHA1: 0f75ecdf6fbf37a186b3e9c79e0f8372c0c12ea0
  • SHA256: 5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319
  • SHA512: 8661260130a82ea2a11db641c28cfb7d4d69c9867bdc00c1980ce1733da37ee90253959401022e5dd603410a3957cb236b9d9f2babab62b18421addb2abd8903

Score: 10/10

Malware Config

Extracted

  • Path: C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt
  • Family: balaclava
  • Ransom Note:
    Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address daves.smith@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Before payment you can send us 1 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 2 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Email to contact us - daves.smith@aol.com
  • Emails: daves.smith@aol.com

Signatures

  • Balaclava Malware

    Balaclava malware is a ransomware program.

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe
    "C:\Users\Admin\AppData\Local\Temp\5de4af86a4410fb6a4c7d54ba4586d35b6abbf2da183fed30ec71547a0a9f319.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:496
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 932
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      PID:1920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 916
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (1) T1082

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini
    • MD5: 74d5db770df4cf8061e71ef01471f284
    • SHA1: ad5fcc8e3ddf350e5b1fa95742ba31080d415235
    • SHA256: 6bccd96eab69a9b230d5f52cb233e57a1fe7fe3fae8899388e560b4e44bf9d07
    • SHA512: fdc480bfc26d69e516d1ea45e3959ad9921f690b0fd60e9c78dac787dbcf16ecf799cdab71130eb7bf7e260302f9c2180557f9874e0ee65d95133c379936fcb7

  • memory/1920-4-0x0000000003FC0000-0x0000000003FC1000-memory.dmp
    • Filesize: 4KB

  • memory/1936-3-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
    • Filesize: 4KB