mountlocker | 8d6ed5c6016d0458ad1e7f089e22aa75537f768dd485ed8c09c37eac2a1a72f0

General

Target

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Size

200KB
MD5

c2671bf5b5dedbfd3cfe3f0f944fbe01
SHA1

da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
SHA256

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
SHA512

256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

Score

10^/10

mountlocker persistence ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DisconnectMeasure.tiff => \??\c:\Users\Admin\Pictures\DisconnectMeasure.tiff.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\ExportGroup.png => \??\c:\Users\Admin\Pictures\ExportGroup.png.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\FindAdd.png => \??\c:\Users\Admin\Pictures\FindAdd.png.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\FormatSend.crw => \??\c:\Users\Admin\Pictures\FormatSend.crw.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\OpenEnter.tif => \??\c:\Users\Admin\Pictures\OpenEnter.tif.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\WatchRename.png => \??\c:\Users\Admin\Pictures\WatchRename.png.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\DisconnectMeasure.tiff	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\EnterRequest.raw => \??\c:\Users\Admin\Pictures\EnterRequest.raw.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File renamed	C:\Users\Admin\Pictures\RenameConnect.tif => \??\c:\Users\Admin\Pictures\RenameConnect.tif.ReadManual.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1692 cmd.exe

pid	process
1692	cmd.exe

Drops desktop.ini file(s) 29 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Drops file in Program Files directory 9149 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239967.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18249_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.REST.IDX_DLL	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\flavormap.properties	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Common Files\System\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292020.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\TexturedBlue.css	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.APL	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\WET	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

332 vssadmin.exe

pid	process
332	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open\command\ = "explorer.exe RecoveryManual.html"	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.EF9E23B4\shell\Open\command	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1788 powershell.exe
1788 powershell.exe

pid	process
1788	powershell.exe
1788	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exe226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	pid	process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeBackupPrivilege	1016	vssvc.exe
Token: SeRestorePrivilege	1016	vssvc.exe
Token: SeAuditPrivilege	1016	vssvc.exe
Token: SeTakeOwnershipPrivilege	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Token: SeRestorePrivilege	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

pid process

1204 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

pid	process
1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 1788	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1204 wrote to memory of 1788	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1204 wrote to memory of 1788	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1204 wrote to memory of 1788	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 1788 wrote to memory of 332	1788	powershell.exe	vssadmin.exe
PID 1788 wrote to memory of 332	1788	powershell.exe	vssadmin.exe
PID 1788 wrote to memory of 332	1788	powershell.exe	vssadmin.exe
PID 1788 wrote to memory of 332	1788	powershell.exe	vssadmin.exe
PID 1204 wrote to memory of 1692	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1204 wrote to memory of 1692	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1204 wrote to memory of 1692	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1204 wrote to memory of 1692	1204	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1692 wrote to memory of 316	1692	cmd.exe	attrib.exe
PID 1692 wrote to memory of 316	1692	cmd.exe	attrib.exe
PID 1692 wrote to memory of 316	1692	cmd.exe	attrib.exe
PID 1692 wrote to memory of 316	1692	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

316 attrib.exe

pid	process
316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
"C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden -c $mypid='1204';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259271087.tmp')|iex
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F7568A2.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
3⤵
- Views/modifies file attributes
PID:316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F7568A2.bat
MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\~259271087.tmp
MD5
4e1a1e3e715c291c71950d2fdc79e2be

SHA1
dc2b3d20a9ec88e0d8d75c5097154687acc42983

SHA256
acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

SHA512
d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

Download Submit
memory/316-32-0x0000000000000000-mapping.dmp

Download
memory/332-27-0x0000000000000000-mapping.dmp

Download
memory/1204-2-0x00000000025C0000-0x00000000025CF000-memory.dmp

Filesize
60KB

Download
memory/1204-30-0x0000000003120000-0x0000000003124000-memory.dmp

Filesize
16KB

Download
memory/1204-29-0x0000000002610000-0x0000000002614000-memory.dmp

Filesize
16KB

Download
memory/1692-28-0x0000000000000000-mapping.dmp

Download
memory/1788-12-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1788-17-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1788-18-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/1788-25-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/1788-26-0x0000000006590000-0x0000000006591000-memory.dmp

Filesize
4KB

Download
memory/1788-8-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1788-7-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1788-6-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1788-5-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1788-4-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1788-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads