Overview

overview

10

Static

static

5d38ebafe0...8e.exe

windows7_x64

10

5d38ebafe0...8e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe

  • Size

    70KB

  • MD5

    fa7bc80be251a4ab8f68be18149b50f1

  • SHA1

    eeed35174700516ad6d500b7976d3ff86582579c

  • SHA256

    5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e

  • SHA512

    e1828e9e20cbb9fd06d2addf446b957ccce96739adb286bc57c68f0b23269ec1ac27b7e0e14d96718b405834d117e56db9cd1c8bcc739b8d650f58e5b74e4ee9

Score
10/10
balaclavaransomware

Malware Config

Signatures

  • Balaclava Malware

    Balaclava malware is a ransomware program.

    ransomwarebalaclava
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 37 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe
    "C:\Users\Admin\AppData\Local\Temp\5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5d38ebafe05f6b9a2a94dd107bdda796b33563865ca6a1b9e562bcea63526a8e.exe > nul
      2⤵
      • Deletes itself
      PID:1940

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini
    MD5

    e27af202f3b4a93ba6efc5769bd38b2d

    SHA1

    ff360bc9f409761a9bad0c52151948c96880d379

    SHA256

    7d46493a27c27b20440e03d680f96f8b6cbe00a718f5e6c3c8014a291360e85f

    SHA512

    028861aced81efab5e1f02c2fd7a14166bc7fb827b4e39c1cc9873c5c821f120838bf8f840244a2707168aae5bbebd0299b02c3e67faa54dbd20bf14d9e68258

    Download Submit

  • memory/1272-53-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

    Download