Overview

overview

10

Static

static

e7c277aae6...37.exe

windows7_x64

10

e7c277aae6...37.exe

windows10_x64

1

Analysis

  • max time kernel
    97s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-11-2020 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.exe

  • Size

    532KB

  • MD5

    76f547c793b5478b970c64caf04d01d4

  • SHA1

    f9eb40f6d3d4c83852e3781886db762bef8564e0

  • SHA256

    e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037

  • SHA512

    91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17

Score
10/10
mountlockerpersistenceransomware

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Drops file in Program Files directory 9143 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.exe
    "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.exe"
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
        PID:1632
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden -c $mypid='2036';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259264208.tmp')|iex
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\vssadmin.exe
          "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
          • Interacts with shadow copies
          PID:576
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F757EC1.bat" "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.exe""
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.exe"
          • Views/modifies file attributes
          PID:1744
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:1532

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Hidden Files and Directories

    1
    T1158

    Privilege Escalation

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    1
    T1112

    Hidden Files and Directories

    1
    T1158

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Replay Monitor

    00:00 00:00

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0F757EC1.bat
      MD5

      348cae913e496198548854f5ff2f6d1e

      SHA1

      a07655b9020205bd47084afd62a8bb22b48c0cdc

      SHA256

      c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

      SHA512

      799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\~259264208.tmp
      MD5

      4e1a1e3e715c291c71950d2fdc79e2be

      SHA1

      dc2b3d20a9ec88e0d8d75c5097154687acc42983

      SHA256

      acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

      SHA512

      d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

      Download Submit
    • memory/576-28-0x0000000000000000-mapping.dmp
      Download
    • memory/740-18-0x0000000006150000-0x0000000006151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-26-0x00000000062E0000-0x00000000062E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-7-0x00000000048B0000-0x00000000048B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-8-0x0000000002580000-0x0000000002581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-9-0x0000000005260000-0x0000000005261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-5-0x0000000074910000-0x0000000074FFE000-memory.dmp
      Filesize

      6MB

      Download
    • memory/740-13-0x00000000056E0000-0x00000000056E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-4-0x0000000000000000-mapping.dmp
      Download
    • memory/740-19-0x0000000006190000-0x0000000006191000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-6-0x0000000002110000-0x0000000002111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/740-27-0x0000000006300000-0x0000000006301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1020-29-0x0000000000000000-mapping.dmp
      Download
    • memory/1632-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1744-33-0x0000000000000000-mapping.dmp
      Download
    • memory/2036-30-0x0000000000330000-0x0000000000334000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2036-31-0x0000000002780000-0x0000000002784000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2036-3-0x00000000003F0000-0x00000000003FF000-memory.dmp
      Filesize

      60KB

      Download