Analysis

Max time kernel: 4294210s (reported value; it is inconsistent with the 123s network time and should not be read as a real run length)
Max time network: 123s
Platform: windows7_x64
Resource: win7-20220223-en
Submitted: 05/03/2022, 15:37
Static task: static1

Behavioral task: behavioral1
    Sample: 05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll
    Resource: win7-20220223-en

Behavioral task: behavioral2
    Sample: 05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll
    Resource: win10v2004-en-20220112
General

Target: 05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll
Size: 212KB
MD5: 25a0c625ef34156e73a69a477e80a6e8
SHA1: 2bb975338e4ed4f24aaaa231b161bcb228a2bc3f
SHA256: 05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623
SHA512: b5822c9f05240cb41ef69ec0fe3ba38f12389b6507e256b39905749ecd951617904d94b9ea0006c6cfd52e7aec64e93fa85a5a16ff26c06791a0d37e2aad805e
Malware Config

Extracted from: C:\RECOVERY DATA INFORMATION.TXT (the ransom note dropped at the volume root)
Family: balaclava
Signatures

Balaclava Malware
Balaclava malware is a ransomware program.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
    Process rundll32.exe opened the root of 24 volumes read-only, in this order: \??\F:, \??\V:, \??\O:, \??\I:, \??\P:, \??\N:, \??\M:, \??\L:, \??\J:, \??\X:, \??\S:, \??\R:, \??\G:, \??\K:, \??\E:, \??\Y:, \??\W:, \??\U:, \??\H:, \??\B:, \??\A:, \??\Z:, \??\T:, \??\Q:
    That is every drive letter except C: and D:, i.e. a full A: through Z: sweep for mapped and removable volumes.
Drops file in Program Files directory (64 IoCs)
All 64 entries are from process rundll32.exe. Each is "File opened for modification" except the one marked "(created)", which is the ransom note. Paths ending in .82A-AA9-7B6 are files the encryptor has already renamed; for fr.txt, ar.txt and CloseEnable.ocx both the original and the renamed path appear, which is how the appended extension can be confirmed from this list alone.
    C:\Program Files\RemoveRestore.wav.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\sl.txt
    C:\Program Files\7-Zip\Lang\sr-spc.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\vi.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\fr.txt
    C:\Program Files\7-Zip\Lang\ku-ckb.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\7z.sfx
    C:\Program Files\7-Zip\Lang\ba.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\bn.txt
    C:\Program Files\7-Zip\Lang\fi.txt
    C:\Program Files\7-Zip\Lang\ro.txt
    C:\Program Files\CompareSend.pptm
    C:\Program Files\ResumeUnlock.M2V.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\cs.txt
    C:\Program Files\7-Zip\Lang\kab.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\cy.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\lt.txt
    C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp
    C:\Program Files\7-Zip\Lang\sa.txt.82A-AA9-7B6
    C:\Program Files\SetRevoke.vst
    C:\Program Files\7-Zip\Uninstall.exe.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\id.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\mk.txt
    C:\Program Files\7-Zip\Lang\ext.txt
    C:\Program Files\7-Zip\Lang\fur.txt
    C:\Program Files\7-Zip\Lang\lij.txt
    C:\Program Files\DenySync.tiff.82A-AA9-7B6
    C:\Program Files\SearchEdit.ram.82A-AA9-7B6
    C:\Program Files\SplitOpen.easmx
    C:\Program Files\7-Zip\Lang\be.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\io.txt
    C:\Program Files\7-Zip\Lang\ne.txt.82A-AA9-7B6
    C:\Program Files\DVD Maker\soniccolorconverter.ax
    C:\Program Files\ConvertToSelect.bmp.82A-AA9-7B6
    C:\Program Files\ReadBlock.xls.82A-AA9-7B6
    C:\Program Files\RepairUnpublish.aifc
    C:\Program Files\ResumeSwitch.tmp
    C:\Program Files\CloseEnable.ocx.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\sk.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\ta.txt.82A-AA9-7B6
    C:\Program Files\DVD Maker\offset.ax
    C:\Program Files\7-Zip\Lang\ga.txt
    C:\Program Files\7-Zip\Lang\co.txt
    C:\Program Files\7-Zip\Lang\de.txt
    C:\Program Files\7-Zip\Lang\fr.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\ru.txt
    C:\Program Files\7-Zip\Lang\ar.txt
    C:\Program Files\7-Zip\Lang\pt-br.txt
    C:\Program Files\7-Zip\Lang\pt.txt
    C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png
    C:\Program Files\LimitConvert.wax.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\RECOVERY DATA INFORMATION.TXT (created)
    C:\Program Files\7-Zip\Lang\ar.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\it.txt.82A-AA9-7B6
    C:\Program Files\CloseEnable.ocx
    C:\Program Files\7-Zip\Lang\nb.txt.82A-AA9-7B6
    C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui
    C:\Program Files\BackupRepair.pot.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\hy.txt.82A-AA9-7B6
    C:\Program Files\7-Zip\Lang\pa-in.txt
    C:\Program Files\ExportRename.scf
    C:\Program Files\7-Zip\Lang\uk.txt
    C:\Program Files\7-Zip\Lang\fa.txt
    C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png
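The two file-system signatures above (the A: through Z: root sweep and the Program Files writes) carry enough structure to be triaged automatically. The following is an added example, not part of the sandbox report: it infers the appended extension from the double-extension pattern and confirms it with the original/renamed pairs, picks out the ransom note, and characterises the drive sweep. FILE_EVENTS is constructed from a subset of the entries in the report; the thresholds (three distinct inner extensions, ten drive letters) are the example's own assumptions.

```python
"""Triage file-system IoCs from the Balaclava report: infer the extension the
encryptor appends, find the ransom note, characterise the drive-letter sweep.
Added example; FILE_EVENTS is constructed from entries listed in the report."""
import ntpath
import re
import string
from collections import Counter, defaultdict

PF = r"C:\Program Files"
FILE_EVENTS = (
    # Drive roots opened read-only, in the order the report lists them.
    [("opened (read-only)", "\\??\\" + d + ":", "rundll32.exe") for d in "FVOIPNMLJXSRGKEYWUHBAZTQ"]
    # A subset of the 64 "opened for modification" entries from the report.
    + [("opened for modification", PF + "\\" + rel, "rundll32.exe") for rel in (
        r"7-Zip\Lang\sl.txt", r"7-Zip\Lang\sr-spc.txt.82A-AA9-7B6", r"7-Zip\Lang\fr.txt",
        r"7-Zip\Lang\fr.txt.82A-AA9-7B6", r"7-Zip\Lang\ar.txt", r"7-Zip\Lang\ar.txt.82A-AA9-7B6",
        r"7-Zip\7z.sfx", r"7-Zip\Uninstall.exe.82A-AA9-7B6", r"CloseEnable.ocx",
        r"CloseEnable.ocx.82A-AA9-7B6", r"RemoveRestore.wav.82A-AA9-7B6", r"ReadBlock.xls.82A-AA9-7B6",
        r"DVD Maker\it-IT\OmdProject.dll.mui", r"DVD Maker\offset.ax",
        r"DVD Maker\Shared\DvdStyles\BlackRectangle.bmp")]
    + [("created", PF + r"\7-Zip\Lang\RECOVERY DATA INFORMATION.TXT", "rundll32.exe")]
)

NOTE_NAME_RX = re.compile(r"(recover|restore|decrypt|readme|how[ _-]?to)", re.I)
NOTE_EXTS = {".txt", ".html", ".hta"}
DRIVE_RX = re.compile(r"^\\\?\?\\([A-Z]):$")  # NT path of a volume root, e.g. \??\F:


def split_double_ext(path):
    """For name.inner.outer return (path without .outer, '.inner', '.outer'), else None."""
    parts = ntpath.basename(path).rsplit(".", 2)
    if len(parts) != 3 or not all(parts):
        return None
    _, inner, outer = parts
    return path[: -(len(outer) + 1)], "." + inner.lower(), "." + outer


def infer_encrypted_extension(events, min_inner_kinds=3):
    """The appended extension is the outer suffix that sits on the most different
    original extensions; an un-suffixed twin of the same path confirms a rename."""
    paths = {p for _, p, _ in events}
    inner_kinds, paired = defaultdict(set), Counter()
    for _, path, _ in events:
        parts = split_double_ext(path)
        if parts:
            stem, inner, outer = parts
            inner_kinds[outer].add(inner)
            paired[outer] += stem in paths
    ranked = sorted(inner_kinds, key=lambda o: (len(inner_kinds[o]), paired[o]), reverse=True)
    if not ranked or len(inner_kinds[ranked[0]]) < min_inner_kinds:
        return None  # e.g. only legitimate double extensions such as .dll.mui
    best = ranked[0]
    return {"extension": best, "inner_kinds": sorted(inner_kinds[best]), "paired_originals": paired[best]}


def find_ransom_notes(events):
    """Created text-like files whose name reads like a recovery instruction."""
    notes = set()
    for action, path, _ in events:
        name = ntpath.basename(path)
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if action == "created" and ext in NOTE_EXTS and NOTE_NAME_RX.search(name):
            notes.add(name)
    return sorted(notes)


def drive_sweep(events, min_drives=10):
    """Per process: which volume roots were probed and which letters were skipped."""
    per_proc = defaultdict(set)
    for action, path, proc in events:
        m = DRIVE_RX.match(path)
        if m and action.startswith("opened"):
            per_proc[proc].add(m.group(1))
    return {proc: {"probed": "".join(sorted(letters)),
                   "skipped": "".join(c for c in string.ascii_uppercase if c not in letters)}
            for proc, letters in per_proc.items() if len(letters) >= min_drives}


def triage(events):
    return {"encrypted_extension": infer_encrypted_extension(events),
            "ransom_notes": find_ransom_notes(events),
            "drive_sweep": drive_sweep(events)}


if __name__ == "__main__":
    for k, v in triage(FILE_EVENTS).items():
        print(k, v)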
Discovers systems in the same network (1 TTPs, 2 IoCs)
    net.exe PID 1804
    net.exe PID 1976

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
    vssadmin.exe PID 988
    vssadmin.exe PID 1992

Runs net.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is cut off at 64 entries)
    WMIC.exe PID 536 and WMIC.exe PID 1780 each enabled the same set: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34 and 35. PID 1780 is recorded doing this twice; a second round for PID 536 begins where the list is cut off.
    vssvc.exe PID 1572 enabled SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege.
Caveat: WMIC.exe enables this whole privilege set whenever it starts, and the Volume Shadow Copy service needs backup/restore privileges to service any shadow-copy request, so the token adjustments are noise on their own. The signal is the "shadowcopy delete" command line that caused them.
Suspicious use of WriteProcessMemory (64 IoCs; the list is cut off at 64 entries)
Each row is a parent writing into a child it has just created; the target process name is taken from the process tree below, "index" is the sandbox's own target process index, and "events" is the number of write events recorded.
    source PID  source process  target PID  target process  index  events
    1712        rundll32.exe    1952        rundll32.exe    27     7
    1952        rundll32.exe    1956        cmd.exe         28     4
    1956        cmd.exe         1120        chcp.com        30     4
    1956        cmd.exe         1804        net.exe         31     4
    1952        rundll32.exe    584         cmd.exe         32     4
    584         cmd.exe         1460        chcp.com        34     4
    584         cmd.exe         1976        net.exe         35     4
    1952        rundll32.exe    728         cmd.exe         36     4
    1952        rundll32.exe    1832        cmd.exe         37     4
    1952        rundll32.exe    432         cmd.exe         39     4
    1952        rundll32.exe    1928        cmd.exe         41     4
    1952        rundll32.exe    2000        cmd.exe         42     4
    1952        rundll32.exe    2028        cmd.exe         48     4
    728         cmd.exe         536         WMIC.exe        45     4
    2000        cmd.exe         988         vssadmin.exe    49     4
    2028        cmd.exe         1780        WMIC.exe        50     1 (list cut off here)
Processes

Each entry gives the image path and PID, then the command line, then the signatures the sandbox attached to that process. Depth shows parent/child relationships.

C:\Windows\system32\rundll32.exe (PID 1712)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
    Suspicious use of WriteProcessMemory
    The 64-bit rundll32 is told to call export ordinal #1 of the sample. It re-launches the same command under the SysWOW64 rundll32, which is what rundll32 does when the DLL is 32-bit, so all of the encryptor's activity is attributed to PID 1952.

    C:\Windows\SysWOW64\rundll32.exe (PID 1952)
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
        Enumerates connected drives; Drops file in Program Files directory; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1956)
            C:\Windows\system32\cmd.exe /C chcp 1250 && net view
            Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com (PID 1120)
                chcp 1250 (switches the console to the Windows Central European code page before reading net view output)

            C:\Windows\SysWOW64\net.exe (PID 1804)
                net view
                Discovers systems in the same network

        C:\Windows\SysWOW64\cmd.exe (PID 584)
            C:\Windows\system32\cmd.exe /C chcp 1250 && net view "\\GZAATBZA"
            Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\chcp.com (PID 1460)
                chcp 1250

            C:\Windows\SysWOW64\net.exe (PID 1976)
                net view "\\GZAATBZA"
                Discovers systems in the same network

        C:\Windows\SysWOW64\cmd.exe (PID 728)
            "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 536)
                wmic shadowcopy delete
                Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe (PID 1832)
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
            (no child process recorded)

        C:\Windows\SysWOW64\cmd.exe (PID 432)
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
            (no child process recorded)

        C:\Windows\SysWOW64\cmd.exe (PID 1928)
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            (no child process recorded)

        C:\Windows\SysWOW64\cmd.exe (PID 2000)
            "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\vssadmin.exe (PID 988)
                vssadmin delete shadows /all /quiet
                Interacts with shadow copies

        C:\Windows\SysWOW64\cmd.exe (PID 2028)
            "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            Suspicious use of WriteProcessMemory
            The batch file's contents are not in the report; its two recorded children repeat the shadow-copy deletion a second time.

            C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1780)
                wmic shadowcopy delete
                Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\vssadmin.exe (PID 1992)
                vssadmin delete shadows /all /quiet
                Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 1572)
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    The Volume Shadow Copy service, recorded as a separate top-level process; it is the component that actually carries out the deletions requested by vssadmin.exe and WMIC.exe.

Note for detection: the bcdedit and wbadmin steps appear here only as cmd.exe /C command lines, with no bcdedit.exe or wbadmin.exe child recorded, so a rule keyed on those image names would miss them in this trace. Matching the command line of any process catches both the wrapper and the child.
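The shadow-copy signatures above and the process tree describe one recognisable chain: a DLL loaded by ordinal from the user's Temp directory, net view discovery, then five distinct recovery-inhibiting commands (vssadmin, wmic shadowcopy, two bcdedit settings, wbadmin) fanned out through cmd.exe. The following is an added example, not part of the sandbox report, that scores that chain from process-creation events. EVENTS is constructed from the command lines and parent links in the tree above; PID 3000 is an invented benign control ("vssadmin list shadows"), and the severity thresholds are the example's own. Rules match the normalised command line of every process, not the image name, so the cmd.exe /C wrappers count as well as their children.

```python
"""Flag the recovery-inhibition chain from the Balaclava report in
process-creation events.  Added example, not part of the sandbox report:
EVENTS is constructed from the report's process tree; PID 3000 is invented."""
import re
from collections import defaultdict

# Matched against the normalised (lower-cased, space-collapsed) command line.
INHIBIT_RECOVERY_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("bcdedit_ignore_failures", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b")),
]
NET_VIEW_RULE = re.compile(r"\bnet(?:1|\.exe)?\s+view\b")
# rundll32 calling a DLL by export ordinal (",#N") out of the user's Temp directory.
TEMP_DLL_LOADER_RULE = re.compile(r"\brundll32(?:\.exe)?\s.*\\appdata\\local\\temp\\[^,\s]+\.dll,#\d+")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll"
CMD = r'"C:\Windows\system32\cmd.exe" /C '
EVENTS = [dict(pid=p, ppid=pp, cmdline=c) for p, pp, c in [
    (1712, None, f"rundll32.exe {SAMPLE},#1"),
    (1952, 1712, f"rundll32.exe {SAMPLE},#1"),
    (1956, 1952, CMD + "chcp 1250 && net view"),
    (1120, 1956, "chcp 1250"),
    (1804, 1956, "net view"),
    (584, 1952, CMD + r'chcp 1250 && net view "\\GZAATBZA"'),
    (1460, 584, "chcp 1250"),
    (1976, 584, r'net view "\\GZAATBZA"'),
    (728, 1952, CMD + "wmic shadowcopy delete"),
    (536, 728, "wmic shadowcopy delete"),
    (1832, 1952, CMD + "bcdedit /set {default} recoveryenabled no"),
    (432, 1952, CMD + "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (1928, 1952, CMD + "wbadmin delete catalog -quiet"),
    (2000, 1952, CMD + "vssadmin delete shadows /all /quiet"),
    (988, 2000, "vssadmin delete shadows /all /quiet"),
    (2028, 1952, CMD + r"C:\Users\Admin\AppData\Local\Temp\~temp001.bat"),
    (1780, 2028, "wmic shadowcopy delete"),
    (1992, 2028, "vssadmin delete shadows /all /quiet"),
    (1572, None, r"C:\Windows\system32\vssvc.exe"),
    (3000, None, "vssadmin list shadows"),  # constructed benign admin command, not in the report
]]


def normalise(cmdline):
    """Lower-case and collapse whitespace so quoting/spacing variants match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def root_of(pid, parent_of):
    """Walk parent links up to the topmost process present in the event set."""
    seen = set()
    while pid not in seen:
        seen.add(pid)
        ppid = parent_of.get(pid)
        if ppid is None or ppid not in parent_of:
            return pid
        pid = ppid
    return pid  # cycle guard against PID reuse


def analyse(events):
    """Collect findings per process tree and rate each tree."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    trees = defaultdict(lambda: {"inhibit": set(), "net_view": 0, "loader": False, "pids": set()})
    for e in events:
        t, cmd, hit = trees[root_of(e["pid"], parent_of)], normalise(e["cmdline"]), False
        for label, rx in INHIBIT_RECOVERY_RULES:
            if rx.search(cmd):
                t["inhibit"].add(label); hit = True
        if NET_VIEW_RULE.search(cmd):
            t["net_view"] += 1; hit = True
        if TEMP_DLL_LOADER_RULE.search(cmd):
            t["loader"] = True; hit = True
        if hit:
            t["pids"].add(e["pid"])
    verdicts = {}
    for root, t in trees.items():
        n = len(t["inhibit"])
        # One recovery-inhibiting command may be an admin; two distinct ones in one
        # tree, or one alongside the Temp-DLL loader, is the ransomware pattern.
        sev = "critical" if n >= 2 or (n == 1 and t["loader"]) else "suspicious" if n == 1 else "info"
        verdicts[root] = {"severity": sev, "techniques": sorted(t["inhibit"]), "net_view": t["net_view"],
                          "temp_dll_loader": t["loader"], "pids": sorted(t["pids"])}
    return verdicts


if __name__ == "__main__":
    for root, v in analyse(EVENTS).items():
        print(root, v["severity"], v["techniques"], "net view x%d" % v["net_view"])
```

The two `vssvc.exe` and control roots come out as "info"; the rundll32 tree is "critical" with all five techniques, four net view hits and fifteen implicated PIDs. Grouping by root process rather than scoring each event on its own is what keeps a lone `vssadmin delete shadows` typed by an administrator below the alert threshold while still catching the fan-out through cmd.exe.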