mountlocker | 31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

Analysis

max time kernel
89s
max time network
90s
platform
windows7_x64
resource
win7v20201028
submitted
29-10-2020 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0AACF2C41BA9B872A52055FFCAEAEF15.dll
Size

77KB
MD5

0aacf2c41ba9b872a52055ffcaeaef15
SHA1

c09b509699aeef71f3e205d53c5f4ff71cb48570
SHA256

31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585
SHA512

d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Score

10^/10

mountlocker persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Family

mountlocker

Ransom Note

Your ClientId: /!\ YOUR COMPANY' NETWORK HAS BEEN HACKED /!\ All your important documents have been encrypted and transferred to our premises! ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. However there is a solution for your problem! We can support you with your data decryption for a monetary reward. Also we will destroy your private data from our premises. And we can prove our decryption capabilities by decrypting couple of your files free of charge. Here are the next steps to get your valuable data back and get it wiped out from our premises: http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64321dc827ac5a37515abe00375993d6d3b * Note that you need installed Tor Browser to open this kind of links. Follow the instructions to install/run Tor Browser: 1. Go to TOR Project website https://www.torproject.org using your usual browser (Chrome, Firefox, Internet Explorer or Edge) 2. Click "Download Tor Browser" and pick right version for your Operation System (this is Windows in 99.9% of cases) 3. Download and Install Tor Browser 4. After installation finished, click on "Tor Browser" link from your Desktop 5. By using Tor Browser visit http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64321dc827ac5a37515abe00375993d6d3b 6. Copy your client id from the top of this document and paste it into Authorization window if requested 7. This will start a chat with our security experts. Please note, sometimes our team is away from keyboard, but make sure they will reply you back as soon as possible. Also, we kindly request you to contact with us as soon as possible. We will start publishing your private data to the Internet if you don't get in touch with us within next few days.

URLs

http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64321dc827ac5a37515abe00375993d6d3b

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\UnprotectPush.crw.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\GrantSave.png.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\JoinEdit.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\GrantSave.png => \??\c:\Users\Admin\Pictures\GrantSave.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\JoinEdit.png => \??\c:\Users\Admin\Pictures\JoinEdit.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\TestUnprotect.png => \??\c:\Users\Admin\Pictures\TestUnprotect.png.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\TestUnprotect.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UnprotectPush.crw => \??\c:\Users\Admin\Pictures\UnprotectPush.crw.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ClearRename.tif => \??\c:\Users\Admin\Pictures\ClearRename.tif.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ClearRename.tif.ReadManual.64BD3273	regsvr32.exe

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1356	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4E8A6631-19EF-11EB-9B42-F2DC1BF59C8B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000001ccc05c96274b942a1ebf9a2c4378b9663e2f8bb6338a7393b92d4ed555d713a000000000e80000000020000200000007aac6247c56b6195a2c14b7c56ca4c26c98dc7fd803638275b23a831990f511d90000000f8948a9acb055c6dd124d9ba8a2d8589acb9797dc2d558c5594b13a6d9369b39f2d83780a302dda9350d6faf09feb4963a11125fb99e8a28818dd9f3dbed814fe63cfbd4aadc0a0ba9e6deb17e4db3634f7686468d95542f16c7bea82b746c5c0b78b577060bac6e7c346275ec1fdd9fe33802a186287fa1499bdcad958cf8391e37a06204c868c2b20b8e0eda811a7940000000f651794f74e4ee712744fd1f08ca55dcdf0ac43af516d333735bcdbe24d2d6d15a04cbf33d2cc787b4d7207534fd9bb6ed921b3e8b6dcfe53def55765bc1c98b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "310745095"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000001ac62e0a51453159c0b044c8ad555ebac984785dcebd6807bfe3429d0cdeb9ce000000000e80000000020000200000008e8ee3f4b9d4f3b2633841bb88d67ebc9bd262c6ac50885d483d5b798c987ed52000000061071c147b10e2c07300f844b8e190a372c0de2cc7ec1f62b6fc4c4987487a9c400000007d91664cfe2479d268463f636286c91200c2d51b49f10da34c09b6fe475efcae33dfa124bea9aed04f17b3b1e522285b58d4dbc520df3ef0d967f3a15a04cd7d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 900a0a24fcadd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.64BD3273\shell\Open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.64BD3273	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.64BD3273\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.64BD3273\shell\Open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.64BD3273\shell\Open\command\ = "explorer.exe RecoveryManual.html"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	regsvr32.exe
1984	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	regsvr32.exe
Token: SeBackupPrivilege	572	vssvc.exe
Token: SeRestorePrivilege	572	vssvc.exe
Token: SeAuditPrivilege	572	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1056	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1056	iexplore.exe
1056	iexplore.exe
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1984	1588	regsvr32.exe	26
PID 1588 wrote to memory of 1984	1588	regsvr32.exe	26
PID 1588 wrote to memory of 1984	1588	regsvr32.exe	26
PID 1588 wrote to memory of 1984	1588	regsvr32.exe	26
PID 1588 wrote to memory of 1984	1588	regsvr32.exe	26
PID 1588 wrote to memory of 1984	1588	regsvr32.exe	26
PID 1588 wrote to memory of 1984	1588	regsvr32.exe	26
PID 1984 wrote to memory of 1356	1984	regsvr32.exe	31
PID 1984 wrote to memory of 1356	1984	regsvr32.exe	31
PID 1984 wrote to memory of 1356	1984	regsvr32.exe	31
PID 1984 wrote to memory of 1356	1984	regsvr32.exe	31
PID 1984 wrote to memory of 1388	1984	regsvr32.exe	33
PID 1984 wrote to memory of 1388	1984	regsvr32.exe	33
PID 1984 wrote to memory of 1388	1984	regsvr32.exe	33
PID 1984 wrote to memory of 1388	1984	regsvr32.exe	33
PID 1388 wrote to memory of 1596	1388	cmd.exe	35
PID 1388 wrote to memory of 1596	1388	cmd.exe	35
PID 1388 wrote to memory of 1596	1388	cmd.exe	35
PID 1388 wrote to memory of 1596	1388	cmd.exe	35
PID 1056 wrote to memory of 1320	1056	iexplore.exe	39
PID 1056 wrote to memory of 1320	1056	iexplore.exe	39
PID 1056 wrote to memory of 1320	1056	iexplore.exe	39
PID 1056 wrote to memory of 1320	1056	iexplore.exe	39

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1596	attrib.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll
  2⤵
  - Modifies extensions of user files
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F742378.bat" "C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll""
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll"
      4⤵
      Views/modifies file attributes
      PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1320