Resubmissions

21/11/2020, 16:12 UTC

201121-3vsypzcqyx 10

21/11/2020, 15:12 UTC

201121-c152v5zkxx 10

Analysis

  • max time kernel
    111s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21/11/2020, 15:12 UTC

General

  • Target

    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe

  • Size

    532KB

  • MD5

    76f547c793b5478b970c64caf04d01d4

  • SHA1

    f9eb40f6d3d4c83852e3781886db762bef8564e0

  • SHA256

    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037

  • SHA512

    91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 9143 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1168
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden -c $mypid='1664';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259281134.tmp')|iex
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\SysWOW64\vssadmin.exe
          "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
          3⤵
          • Interacts with shadow copies
          PID:1120
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F75EACC.bat" "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin.exe"
          3⤵
          • Views/modifies file attributes
          PID:1120
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:952

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1664-3-0x00000000003E0000-0x00000000003EF000-memory.dmp (Filesize 60KB)
  • memory/1664-31-0x0000000002790000-0x0000000002794000-memory.dmp (Filesize 16KB)
  • memory/1664-30-0x00000000002C0000-0x00000000002C4000-memory.dmp (Filesize 16KB)
  • memory/1680-7-0x0000000004830000-0x0000000004831000-memory.dmp (Filesize 4KB)
  • memory/1680-18-0x00000000056D0000-0x00000000056D1000-memory.dmp (Filesize 4KB)
  • memory/1680-19-0x0000000006250000-0x0000000006251000-memory.dmp (Filesize 4KB)
  • memory/1680-26-0x00000000062E0000-0x00000000062E1000-memory.dmp (Filesize 4KB)
  • memory/1680-27-0x0000000006300000-0x0000000006301000-memory.dmp (Filesize 4KB)
  • memory/1680-13-0x0000000005620000-0x0000000005621000-memory.dmp (Filesize 4KB)
  • memory/1680-9-0x0000000005320000-0x0000000005321000-memory.dmp (Filesize 4KB)
  • memory/1680-8-0x0000000002580000-0x0000000002581000-memory.dmp (Filesize 4KB)
  • memory/1680-6-0x0000000000D20000-0x0000000000D21000-memory.dmp (Filesize 4KB)
  • memory/1680-5-0x0000000073A30000-0x000000007411E000-memory.dmp (Filesize 6.9MB)
