Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    29-10-2020 14:04

General

  • Target

    0AACF2C41BA9B872A52055FFCAEAEF15.dll

  • Size

    77KB

  • MD5

    0aacf2c41ba9b872a52055ffcaeaef15

  • SHA1

    c09b509699aeef71f3e205d53c5f4ff71cb48570

  • SHA256

    31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

  • SHA512

    d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Family

mountlocker

Ransom Note
Your ClientId: /!\ YOUR COMPANY' NETWORK HAS BEEN HACKED /!\ All your important documents have been encrypted and transferred to our premises! ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. However there is a solution for your problem! We can support you with your data decryption for a monetary reward. Also we will destroy your private data from our premises. And we can prove our decryption capabilities by decrypting couple of your files free of charge. Here are the next steps to get your valuable data back and get it wiped out from our premises: http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64321c29f68dfb06303abe00375993d6d49 * Note that you need installed Tor Browser to open this kind of links. Follow the instructions to install/run Tor Browser: 1. Go to TOR Project website https://www.torproject.org using your usual browser (Chrome, Firefox, Internet Explorer or Edge) 2. Click "Download Tor Browser" and pick right version for your Operation System (this is Windows in 99.9% of cases) 3. Download and Install Tor Browser 4. After installation finished, click on "Tor Browser" link from your Desktop 5. By using Tor Browser visit http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64321c29f68dfb06303abe00375993d6d49 6. Copy your client id from the top of this document and paste it into Authorization window if requested 7. This will start a chat with our security experts. Please note, sometimes our team is away from keyboard, but make sure they will reply you back as soon as possible. Also, we kindly request you to contact with us as soon as possible. We will start publishing your private data to the Internet if you don't get in touch with us within next few days.
URLs

http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64321c29f68dfb06303abe00375993d6d49

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 20 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 192 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll
      2⤵
      • Modifies extensions of user files
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F749FDF.bat" "C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\0AACF2C41BA9B872A52055FFCAEAEF15.dll"
          4⤵
          • Views/modifies file attributes
          PID:2520
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:2100
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3972
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2672
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:556
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2784
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Hidden Files and Directories

1
T1158

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0F749FDF.bat
    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\Desktop\RecoveryManual.html
    MD5

    a62d6fe2fe3c278db84d3f0425f30f10

    SHA1

    f0af0926006a2b889cdd6a681d7223e4f755cc36

    SHA256

    8b1827890f9440c4d61523423c8a5f46431a1b512d29047a74c568c80f739397

    SHA512

    7a738589070af491c1d228aefb9f755fbc555330e47d7a4bd0a44c090d79a09fe6be1442a59b788f17a20ba59207f0db87446ce9199a1be33df1f26a86704907

  • memory/1376-2-0x0000000000000000-mapping.dmp
  • memory/2056-0-0x0000000000000000-mapping.dmp
  • memory/2160-1-0x0000000000000000-mapping.dmp
  • memory/2520-4-0x0000000000000000-mapping.dmp