Overview

overview

10

Static

static

226a723ffb...f2.exe

windows7_x64

10

226a723ffb...f2.exe

windows10_x64

10

Analysis

  • max time kernel
    80s
  • max time network
    16s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

  • Size

    200KB

  • MD5

    c2671bf5b5dedbfd3cfe3f0f944fbe01

  • SHA1

    da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

  • SHA256

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

  • SHA512

    256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

Score
10/10
mountlockerpersistenceransomware

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 27 IoCs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Drops file in Program Files directory 8361 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='3336';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259291281.tmp')|iex
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3840
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F75973F.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
        3⤵
        • Views/modifies file attributes
        PID:3912
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:3088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0F75973F.bat
    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~259291281.tmp
    MD5

    4e1a1e3e715c291c71950d2fdc79e2be

    SHA1

    dc2b3d20a9ec88e0d8d75c5097154687acc42983

    SHA256

    acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

    SHA512

    d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

    Download Submit
  • memory/3336-2-0x0000000004300000-0x000000000430F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3572-12-0x0000000007BB0000-0x0000000007BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-4-0x00000000737A0000-0x0000000073E8E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3572-7-0x0000000006C10000-0x0000000006C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-8-0x0000000006E30000-0x0000000006E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-9-0x00000000076C0000-0x00000000076C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-10-0x0000000007790000-0x0000000007791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-11-0x0000000006F60000-0x0000000006F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-5-0x0000000001190000-0x0000000001191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-13-0x0000000007EC0000-0x0000000007EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-6-0x0000000006F90000-0x0000000006F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-15-0x00000000095B0000-0x00000000095B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-16-0x0000000008B30000-0x0000000008B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-3-0x0000000000000000-mapping.dmp
    Download
  • memory/3572-18-0x0000000008F30000-0x0000000008F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-19-0x0000000008C30000-0x0000000008C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3572-20-0x0000000009C30000-0x0000000009C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3840-17-0x0000000000000000-mapping.dmp
    Download
  • memory/3912-23-0x0000000000000000-mapping.dmp
    Download
  • memory/3968-21-0x0000000000000000-mapping.dmp
    Download