Resubmissions

21-11-2020 16:12

201121-3vsypzcqyx 10

21-11-2020 15:12

201121-c152v5zkxx 10

Analysis

  • max time kernel
    111s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21-11-2020 15:12

General

  • Target

    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

  • Size

    532KB

  • MD5

    76f547c793b5478b970c64caf04d01d4

  • SHA1

    f9eb40f6d3d4c83852e3781886db762bef8564e0

  • SHA256

    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037

  • SHA512

    91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 9143 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1168
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden -c $mypid='1664';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259281134.tmp')|iex
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\SysWOW64\vssadmin.exe
          "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
          3⤵
          • Interacts with shadow copies
          PID:1120
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F75EACC.bat" "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"
          3⤵
          • Views/modifies file attributes
          PID:1120
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:952

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1664-3-0x00000000003E0000-0x00000000003EF000-memory.dmp

      Filesize

      60KB

    • memory/1664-31-0x0000000002790000-0x0000000002794000-memory.dmp

      Filesize

      16KB

    • memory/1664-30-0x00000000002C0000-0x00000000002C4000-memory.dmp

      Filesize

      16KB

    • memory/1680-7-0x0000000004830000-0x0000000004831000-memory.dmp

      Filesize

      4KB

    • memory/1680-18-0x00000000056D0000-0x00000000056D1000-memory.dmp

      Filesize

      4KB

    • memory/1680-19-0x0000000006250000-0x0000000006251000-memory.dmp

      Filesize

      4KB

    • memory/1680-26-0x00000000062E0000-0x00000000062E1000-memory.dmp

      Filesize

      4KB

    • memory/1680-27-0x0000000006300000-0x0000000006301000-memory.dmp

      Filesize

      4KB

    • memory/1680-13-0x0000000005620000-0x0000000005621000-memory.dmp

      Filesize

      4KB

    • memory/1680-9-0x0000000005320000-0x0000000005321000-memory.dmp

      Filesize

      4KB

    • memory/1680-8-0x0000000002580000-0x0000000002581000-memory.dmp

      Filesize

      4KB

    • memory/1680-6-0x0000000000D20000-0x0000000000D21000-memory.dmp

      Filesize

      4KB

    • memory/1680-5-0x0000000073A30000-0x000000007411E000-memory.dmp

      Filesize

      6.9MB