mountlocker | b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894

General

Target

b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll
Size

118KB
MD5

2f21dd9d6c0862dad443a5c95420816f
SHA1

ab888a86691db3a013d97e38865cb5f289e30e65
SHA256

b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894
SHA512

ffce995792446ac40c4f1bc3da86363fb892da7b2a9d673f328b9cf9bb4a7dc9d134a26cdb472aefeeb9d6afcdc2a39107c90c286a30837fb168998c6f9de24b

Score

10^/10

mountlocker ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExportCopy.crw => \??\c:\Users\Admin\Pictures\ExportCopy.crw.ReadManual.2594E386	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\LimitConvert.crw => \??\c:\Users\Admin\Pictures\LimitConvert.crw.ReadManual.2594E386	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ProtectSuspend.crw => \??\c:\Users\Admin\Pictures\ProtectSuspend.crw.ReadManual.2594E386	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SendReset.raw => \??\c:\Users\Admin\Pictures\SendReset.raw.ReadManual.2594E386	regsvr32.exe

Deletes itself 1 IoCs

pid	Process
1428	cmd.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	regsvr32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RecoveryManual.html	regsvr32.exe
File created	\??\c:\Program Files\RecoveryManual.html	regsvr32.exe
File created	\??\c:\Program Files (x86)\RecoveryManual.html	regsvr32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.2594E386\shell\Open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.2594E386\shell\Open\command\ = "explorer.exe RecoveryManual.html"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.2594E386\shell\Open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.2594E386	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.2594E386\shell	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
292	regsvr32.exe
292	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	292	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 1428	292	regsvr32.exe	30
PID 292 wrote to memory of 1428	292	regsvr32.exe	30
PID 292 wrote to memory of 1428	292	regsvr32.exe	30
PID 1428 wrote to memory of 1656	1428	cmd.exe	32
PID 1428 wrote to memory of 1656	1428	cmd.exe	32
PID 1428 wrote to memory of 1656	1428	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1656	attrib.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F745908.bat" "C:\Users\Admin\AppData\Local\Temp\b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll"
    3⤵
    - Views/modifies file attributes
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-2-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/292-3-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads