Analysis

  • max time kernel
    4294210s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    05-03-2022 15:37

General

  • Target

    05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll

  • Size

    212KB

  • MD5

    25a0c625ef34156e73a69a477e80a6e8

  • SHA1

    2bb975338e4ed4f24aaaa231b161bcb228a2bc3f

  • SHA256

    05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623

  • SHA512

    b5822c9f05240cb41ef69ec0fe3ba38f12389b6507e256b39905749ecd951617904d94b9ea0006c6cfd52e7aec64e93fa85a5a16ff26c06791a0d37e2aad805e

Score
10/10

Malware Config

Extracted

Path

C:\RECOVERY DATA INFORMATION.TXT

Family

balaclava

Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address decrypthelp@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 3 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Please be sure that we will find common languge. We will restore all the data. Email to contact us - decrypthelp@aol.com Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 82A-AA9-7B6
Emails

decrypthelp@aol.com

Signatures

  • Balaclava Malware

    Balaclava malware is a ransomware program.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Discovers systems in the same network (1 TTP, 2 IoCs)
  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C chcp 1250 && net view
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\SysWOW64\chcp.com
          chcp 1250
          4⤵
            PID:1120
          • C:\Windows\SysWOW64\net.exe
            net view
            4⤵
            • Discovers systems in the same network
            PID:1804
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C chcp 1250 && net view "\\GZAATBZA"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:584
          • C:\Windows\SysWOW64\chcp.com
            chcp 1250
            4⤵
              PID:1460
            • C:\Windows\SysWOW64\net.exe
              net view "\\GZAATBZA"
              4⤵
              • Discovers systems in the same network
              PID:1976
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:728
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:536
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
            3⤵
              PID:1832
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
              3⤵
                PID:432
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
                3⤵
                  PID:1928
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2000
                  • C:\Windows\SysWOW64\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    4⤵
                    • Interacts with shadow copies
                    PID:988
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2028
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic shadowcopy delete
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1780
                  • C:\Windows\SysWOW64\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    4⤵
                    • Interacts with shadow copies
                    PID:1992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1572

Network

(no network activity recorded)

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    File Deletion (2) T1107

  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082
    Remote System Discovery (1) T1018

  • Impact
    Inhibit System Recovery (2) T1490


Downloads

  • C:\Users\Admin\AppData\Local\Temp\~temp001.bat

    MD5
    78215698f8f9dc7941c9c287642bd02c

    SHA1
    633cd0a6c76f080cdb6e0c98034b0b5dd7283a47

    SHA256
    dc94e21e80522b2cee097064c31a7720d70a02d0c55f290d59030fd0c995cac5

    SHA512
    c0a05f8cc400855c40b8e8eb3e7f027b06553cc592eb2ab6ad0a8c33ed2d196c7eda358977edc3f34ce1fdbff30efe288725eb10ea463e622ee9eb8085e48f7d

  • memory/1952-54-0x00000000757F1000-0x00000000757F3000-memory.dmp

    Filesize
    8KB