Analysis

  • max time kernel
    996s
  • max time network
    678s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-11-2020 06:05

Errors

Reason
Machine shutdown

General

  • Target

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

  • Size

    200KB

  • MD5

    c2671bf5b5dedbfd3cfe3f0f944fbe01

  • SHA1

    da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

  • SHA256

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

  • SHA512

    256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Ransom Note
Your ClientId:

/!\ YOUR NETWORK HAS BEEN HACKED /!\

All your important files have been encrypted! Your files are safe! Only encrypted. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to solve your problem. You can send us 2-3 files and we will decrypt it for free to prove we are able to give your files back.

Also we gathered highly confidential/personal data from your network. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you won't pay, we will release your data to public or reseller. So you can expect your data to be published or improperly used in the near future. In this case you will face all legal and reputational consequences of the leak.

We only desire to get a ransom and we don't aim to damage your reputation or destroy your business. Contact us to discuss your next step.

http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850248bb602c3a203cbe00577a9cc00a13b

* Note that this server is only available via Tor browser only

Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850248bb602c3a203cbe00577a9cc00a13b".
4. Start a chat and follow the further instructions. (Password field should be empty for the first login).

If you can`t use the above link, use the email: SloanAlbert@protonmail.com
Please note, sometimes our support is away from keyboard, but we will reply shortly. Kindly advise you to contact us as soon as possible.
Emails

SloanAlbert@protonmail.com

URLs

http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850248bb602c3a203cbe00577a9cc00a13b
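The "Extracted" block above is what a config extractor produces from the dropped RecoveryManual.html: the Tor contact URL, the per-victim cid and the fallback e-mail. The script below is an added example of that extraction, not code from the sandbox or its own extractor. NOTE_EXCERPT is a constructed excerpt of the note text above (the onion URL appears twice in the real note, the e-mail once); the function and field names are this example's own. It also checks that the onion name is a structurally valid v3 address (base32 of pubkey || checksum || version, checksum derived with SHA3-256), which separates a real hidden-service name from 56 random base32 characters.

```python
"""Extract contact indicators from a MountLocker-style ransom note.

Added example, not code from the sandbox report or from its config
extractor. NOTE_EXCERPT is a constructed excerpt of the RecoveryManual.html
text above; the function and field names are assumptions of this example.
"""
import base64
import hashlib
import re
from typing import Dict, List

# Constructed excerpt: the onion URL appears twice in the real note, the e-mail once.
NOTE_EXCERPT = """Contact us to discuss your next step.
http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850248bb602c3a203cbe00577a9cc00a13b
* Note that this server is only available via Tor browser only
3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850248bb602c3a203cbe00577a9cc00a13b".
If you can`t use the above link, use the email: SloanAlbert@protonmail.com
"""

# A v3 onion address is exactly 56 base32 characters before ".onion".
ONION_URL_RE = re.compile(r"https?://([a-z2-7]{56})\.onion(/[^\s\"'<>]*)?", re.I)
CID_RE = re.compile(r"[?&]cid=([0-9a-f]{64})", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_onion_v3(name: str) -> bool:
    """Verify a v3 onion name: base32(pubkey[32] || checksum[2] || version[1]),
    checksum = sha3_256(".onion checksum" || pubkey || version)[:2], version = 3.
    Rejects names that are merely 56 base32-looking characters."""
    try:
        raw = base64.b32decode(name.upper())
    except Exception:  # wrong length or non-base32 characters
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return expected == checksum


def extract_note_config(note: str) -> Dict[str, List[str]]:
    """Return de-duplicated URLs, onion hostnames, client ids and e-mails,
    plus the subset of onion names whose v3 checksum verifies."""
    urls, onions, cids, emails = [], [], [], []
    for m in ONION_URL_RE.finditer(note):
        url = m.group(0).rstrip(".")
        if url not in urls:
            urls.append(url)
        onion = m.group(1).lower() + ".onion"
        if onion not in onions:
            onions.append(onion)
        c = CID_RE.search(url)
        if c and c.group(1).lower() not in cids:
            cids.append(c.group(1).lower())
    for m in EMAIL_RE.finditer(note):
        if m.group(0) not in emails:
            emails.append(m.group(0))
    valid = [o for o in onions if is_valid_onion_v3(o[: -len(".onion")])]
    return {"urls": urls, "onions": onions, "valid_onions": valid,
            "cids": cids, "emails": emails}


if __name__ == "__main__":
    for key, values in extract_note_config(NOTE_EXCERPT).items():
        print(key, values)
```

The cid is a per-victim identifier, so it belongs in the campaign-tracking record rather than in a blocklist; the onion hostname and the e-mail are the indicators worth sharing.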

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 9159 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='1644';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259272600.tmp')|iex
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F758D23.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
        3⤵
        • Views/modifies file attributes
        PID:1780
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:580
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1348
  • C:\Windows\explorer.exe
    "explorer.exe" RecoveryManual.html
    1⤵
    PID:864
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1928
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:964
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x574
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1648
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1260
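The process tree above carries the whole chain a detection engineer wants to catch: the 32-bit sample (SysWOW64 paths) spawns PowerShell to read a dropped ~259272600.tmp and pipe it to iex, that PowerShell runs vssadmin delete shadows /all /Quiet, and a cmd /c wrapper around a Temp .bat runs attrib -s -r -h on the sample's own image so the batch file can delete it. The top-level vssvc.exe is the Volume Shadow Copy service being demand-started by the vssadmin call, not a separate actor. The script below is an added example of hunting for that chain over process-creation events, not part of the sandbox report. EVENTS is constructed from the PIDs and command lines shown above; the parent PIDs of the top-level processes (1000, 4, 900) and the rule names are this example's assumptions.

```python
"""Flag the MountLocker execution chain from process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from
the PIDs and command lines in the Processes section; the parent PIDs of the
top-level processes (1000, 4, 900) are invented, and the rule names are mine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe")
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
EVENTS = [  # constructed from the report's process tree
    ProcEvent(1644, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1756, 1644, "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -windowstyle hidden -c $mypid='1644';"
              f"[System.IO.File]::ReadAllText('{TMP}\\~259272600.tmp')|iex"),
    ProcEvent(1460, 1756, "C:\\Windows\\SysWOW64\\vssadmin.exe",
              '"C:\\Windows\\system32\\vssadmin.exe" delete shadows /all /Quiet'),
    ProcEvent(1584, 1644, "C:\\Windows\\SysWOW64\\cmd.exe",
              f'cmd /c ""{TMP}\\\\0F758D23.bat" "{SAMPLE}""'),
    ProcEvent(1780, 1584, "C:\\Windows\\SysWOW64\\attrib.exe", f'attrib -s -r -h "{SAMPLE}"'),
    ProcEvent(580, 4, "C:\\Windows\\system32\\vssvc.exe", "C:\\Windows\\system32\\vssvc.exe"),
    ProcEvent(1348, 900, "C:\\Windows\\system32\\taskmgr.exe", '"C:\\Windows\\system32\\taskmgr.exe" /4'),
]

# PowerShell reading a dropped .tmp and piping it to Invoke-Expression (file-based stager).
STAGER_RE = re.compile(r"ReadAllText\([^)]*\.tmp'?\)\s*\|\s*(iex|invoke-expression)", re.I)
# vssadmin shadow deletion, quoted or bare image path.
VSS_DELETE_RE = re.compile(r"vssadmin(\.exe)?\"?\s+delete\s+shadows", re.I)
# attrib clearing system/read-only/hidden bits from a quoted or bare path.
ATTRIB_CLEAR_RE = re.compile(r"attrib(\.exe)?\s+(?:-[srh]\s+){1,3}\"?(?P<target>[^\"]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[int]:
    """PIDs from `pid` up to the highest ancestor we hold an event for."""
    chain: List[int] = []
    while pid in by_pid and pid not in chain:  # `not in chain` guards against PID reuse loops
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name, chain = basename(e.image), ancestry(e.pid, by_pid)
        if name == "powershell.exe" and STAGER_RE.search(e.cmdline):
            findings.append({"rule": "powershell_file_to_iex", "pid": e.pid, "chain": chain})
        elif name == "vssadmin.exe" and VSS_DELETE_RE.search(e.cmdline):
            findings.append({"rule": "shadow_copy_deletion", "pid": e.pid, "chain": chain})
        elif name == "attrib.exe":
            m = ATTRIB_CLEAR_RE.search(e.cmdline)
            if not m:
                continue
            target = m.group("target").strip().lower()
            # Self-deletion prep: attributes cleared on an ancestor's own image so a
            # following `del` in the batch file can succeed.
            ancestor_images = {by_pid[p].image.lower() for p in chain[1:]}
            if target in ancestor_images:
                parent = by_pid[chain[1]]
                via_batch = basename(parent.image) == "cmd.exe" and ".bat" in parent.cmdline.lower()
                findings.append({"rule": "self_delete_attrib_on_ancestor", "pid": e.pid,
                                 "chain": chain, "via_batch": via_batch})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], "pid", f["pid"], "chain", " <- ".join(map(str, f["chain"])))
```

Each finding carries the chain back to PID 1644, so the three rules corroborate each other on one root process; the shadow-copy rule on its own also fires on legitimate backup maintenance, which is why the chain, not the single command, is the thing to alert on.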

Network

MITRE ATT&CK Matrix ATT&CK v6

The number in parentheses is how many of the signatures above map to the technique.

Persistence
  • T1031 Modify Existing Service (1)
  • T1158 Hidden Files and Directories (1)

Defense Evasion
  • T1107 File Deletion (2)
  • T1112 Modify Registry (2)
  • T1158 Hidden Files and Directories (1)

Impact
  • T1490 Inhibit System Recovery (2)
        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
          MD5

          6d5ad7eea0b8debacb61b2e1036cd12c

          SHA1

          a599246fef5bc7037b20a9856740c9fd2fedb6bc

          SHA256

          fec0a1a083be86398eb1bbcbc50d2de0ce90b767706b834e6748719a6cb77fcc

          SHA512

          47665c09f93c570e3798e4e7c682e7d5dfb632f645ad5dd525020e7c98f2400a0d54fb07b7e447627d5ef0db39381efbf06d9215fb8ffd8f2428f06f43365b91

        • C:\Users\Admin\AppData\Local\Temp\0F758D23.bat
          MD5

          348cae913e496198548854f5ff2f6d1e

          SHA1

          a07655b9020205bd47084afd62a8bb22b48c0cdc

          SHA256

          c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

          SHA512

          799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

        • C:\Users\Admin\AppData\Local\Temp\~259272600.tmp
          MD5

          4e1a1e3e715c291c71950d2fdc79e2be

          SHA1

          dc2b3d20a9ec88e0d8d75c5097154687acc42983

          SHA256

          acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

          SHA512

          d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

        • C:\Users\Admin\Desktop\RecoveryManual.html
          MD5

          2c8f0d8dffcbc8f460f0660c1d1847ae

          SHA1

          63ccd63824344ff6285041f07bc023c13810ed34

          SHA256

          31a5796e15936084fe86651b882e9f5cb1c97f0f09557bf09b44b97d0381f605

          SHA512

          dbda34d8f8d1aa88d6f8c49c98bb66d8bba468cb8f3c391e70576e66dea061eb9cb86c7bb9adcd1d4c03b807dc0c39aaa569e85f09507b23e3e69375eb6e6dd3

        • memory/560-35-0x0000000000000000-mapping.dmp
        • memory/964-53-0x0000000002890000-0x0000000002891000-memory.dmp
          Filesize

          4KB

        • memory/1460-27-0x0000000000000000-mapping.dmp
        • memory/1584-28-0x0000000000000000-mapping.dmp
        • memory/1644-2-0x0000000001EA0000-0x0000000001EAF000-memory.dmp
          Filesize

          60KB

        • memory/1644-30-0x0000000003370000-0x0000000003374000-memory.dmp
          Filesize

          16KB

        • memory/1644-29-0x00000000025A0000-0x00000000025A4000-memory.dmp
          Filesize

          16KB

        • memory/1756-7-0x0000000001250000-0x0000000001251000-memory.dmp
          Filesize

          4KB

        • memory/1756-4-0x00000000745C0000-0x0000000074CAE000-memory.dmp
          Filesize

          6.9MB

        • memory/1756-26-0x0000000006300000-0x0000000006301000-memory.dmp
          Filesize

          4KB

        • memory/1756-25-0x00000000062E0000-0x00000000062E1000-memory.dmp
          Filesize

          4KB

        • memory/1756-18-0x0000000006250000-0x0000000006251000-memory.dmp
          Filesize

          4KB

        • memory/1756-8-0x0000000004970000-0x0000000004971000-memory.dmp
          Filesize

          4KB

        • memory/1756-17-0x00000000056D0000-0x00000000056D1000-memory.dmp
          Filesize

          4KB

        • memory/1756-6-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
          Filesize

          4KB

        • memory/1756-3-0x0000000000000000-mapping.dmp
        • memory/1756-12-0x0000000005670000-0x0000000005671000-memory.dmp
          Filesize

          4KB

        • memory/1756-5-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
          Filesize

          4KB

        • memory/1780-32-0x0000000000000000-mapping.dmp
        • memory/1928-50-0x0000000009E10000-0x0000000009E8E000-memory.dmp
          Filesize

          504KB

        • memory/1928-36-0x0000000000000000-mapping.dmp
        • memory/1928-49-0x0000000009290000-0x0000000009291000-memory.dmp
          Filesize

          4KB

        • memory/1928-52-0x000000000FA80000-0x000000000FA94000-memory.dmp
          Filesize

          80KB

        • memory/1928-51-0x0000000005DC0000-0x0000000005DE3000-memory.dmp
          Filesize

          140KB

        • memory/2004-33-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
          Filesize

          2.5MB