balaclava | 5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e

General

Target

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
Size

70KB
MD5

fa7bc80be251a4ab8f68be18149b50f1
SHA1

eeed35174700516ad6d500b7976d3ff86582579c
SHA256

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e
SHA512

e1828e9e20cbb9fd06d2addf446b957ccce96739adb286bc57c68f0b23269ec1ac27b7e0e14d96718b405834d117e56db9cd1c8bcc739b8d650f58e5b74e4ee9

Score

10^/10

balaclava ransomware

Malware Config

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SearchResume.tiff	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\SuspendAdd.png => C:\Users\Admin\Pictures\SuspendAdd.png.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\UseExport.tif => C:\Users\Admin\Pictures\UseExport.tif.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\SuspendTrace.tiff => C:\Users\Admin\Pictures\SuspendTrace.tiff.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\CompareApprove.crw => C:\Users\Admin\Pictures\CompareApprove.crw.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\ImportDismount.crw => C:\Users\Admin\Pictures\ImportDismount.crw.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\SearchResume.tiff => C:\Users\Admin\Pictures\SearchResume.tiff.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\StopSync.png => C:\Users\Admin\Pictures\StopSync.png.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendTrace.tiff	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File renamed	C:\Users\Admin\Pictures\UnregisterWait.raw => C:\Users\Admin\Pictures\UnregisterWait.raw.KEY0004	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1940 cmd.exe

pid	process
1940	cmd.exe

Drops desktop.ini file(s) 37 IoCs

Processes:

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description	ioc	process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description ioc process

File opened (read-only) \??\A: 5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description	ioc	process
File opened (read-only)	\??\A:	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

Drops file in Program Files directory 64 IoCs

Processes:

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Journal\JNTFiltr.dll	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21448_.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00257_.WMF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\COIN.WAV	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21308_.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMES.CFG	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.dll	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESPL.ICO	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7jp.kic	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3ES.LEX	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Chita	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143748.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00703L.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Default.dotx	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONTAB32.DLL	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files\Java\jre7\lib\fonts\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15274_.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLCTL.DLL	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\WHOOSH.WAV	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\deploy.dll	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\HOW_TO_RECOVERY_FILES.txt	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200151.WMF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Installed_resources14.xss	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description pid process

Token: SeIncBasePriorityPrivilege 1272 5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1272	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

description	pid	process	target process
PID 1272 wrote to memory of 1940	1272	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe	cmd.exe
PID 1272 wrote to memory of 1940	1272	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe	cmd.exe
PID 1272 wrote to memory of 1940	1272	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe	cmd.exe
PID 1272 wrote to memory of 1940	1272	5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
"C:\Users\Admin\AppData\Local\Temp\5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe > nul
2⤵
- Deletes itself
PID:1940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini
MD5
e27af202f3b4a93ba6efc5769bd38b2d

SHA1
ff360bc9f409761a9bad0c52151948c96880d379

SHA256
7d46493a27c27b20440e03d680f96f8b6cbe00a718f5e6c3c8014a291360e85f

SHA512
028861aced81efab5e1f02c2fd7a14166bc7fb827b4e39c1cc9873c5c821f120838bf8f840244a2707168aae5bbebd0299b02c3e67faa54dbd20bf14d9e68258

Download Submit
memory/1272-53-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads