Analysis

  • max time kernel
    84s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-11-2020 00:17

General

  • Target

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

  • Size

    200KB

  • MD5

    c2671bf5b5dedbfd3cfe3f0f944fbe01

  • SHA1

    da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

  • SHA256

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

  • SHA512

    256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

Malware Config

Signatures 14

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies ⋅ 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files ⋅ 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself ⋅ 1 IoCs
  • Drops desktop.ini file(s) ⋅ 29 IoCs
  • Modifies service ⋅ 2 TTPs 4 IoCs
  • Drops file in Program Files directory ⋅ 9149 IoCs
  • Interacts with shadow copies ⋅ 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class ⋅ 5 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 6 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 16 IoCs
  • Views/modifies file attributes ⋅ 1 TTPs 1 IoCs

Processes 6

  • C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
    Modifies extensions of user files
    Drops desktop.ini file(s)
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='1204';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259271087.tmp')|iex
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
        Interacts with shadow copies
        PID:332
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F7568A2.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
        Views/modifies file attributes
        PID:316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:1016

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Discovery

          Execution

            Exfiltration

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\0F7568A2.bat
                      MD5

                      348cae913e496198548854f5ff2f6d1e

                      SHA1

                      a07655b9020205bd47084afd62a8bb22b48c0cdc

                      SHA256

                      c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

                      SHA512

                      799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

                    • C:\Users\Admin\AppData\Local\Temp\~259271087.tmp
                      MD5

                      4e1a1e3e715c291c71950d2fdc79e2be

                      SHA1

                      dc2b3d20a9ec88e0d8d75c5097154687acc42983

                      SHA256

                      acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

                      SHA512

                      d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

                    • memory/316-32-0x0000000000000000-mapping.dmp
                    • memory/332-27-0x0000000000000000-mapping.dmp
                    • memory/1204-2-0x00000000025C0000-0x00000000025CF000-memory.dmp
                    • memory/1204-30-0x0000000003120000-0x0000000003124000-memory.dmp
                    • memory/1204-29-0x0000000002610000-0x0000000002614000-memory.dmp
                    • memory/1692-28-0x0000000000000000-mapping.dmp
                    • memory/1788-12-0x0000000005620000-0x0000000005621000-memory.dmp
                    • memory/1788-17-0x00000000056D0000-0x00000000056D1000-memory.dmp
                    • memory/1788-18-0x0000000006210000-0x0000000006211000-memory.dmp
                    • memory/1788-25-0x00000000062A0000-0x00000000062A1000-memory.dmp
                    • memory/1788-26-0x0000000006590000-0x0000000006591000-memory.dmp
                    • memory/1788-8-0x0000000005260000-0x0000000005261000-memory.dmp
                    • memory/1788-7-0x00000000025F0000-0x00000000025F1000-memory.dmp
                    • memory/1788-6-0x00000000047E0000-0x00000000047E1000-memory.dmp
                    • memory/1788-5-0x0000000002310000-0x0000000002311000-memory.dmp
                    • memory/1788-4-0x0000000073E00000-0x00000000744EE000-memory.dmp
                    • memory/1788-3-0x0000000000000000-mapping.dmp