Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    31-03-2021 11:40

General

  • Target

    b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll

  • Size

    118KB

  • MD5

    2f21dd9d6c0862dad443a5c95420816f

  • SHA1

    ab888a86691db3a013d97e38865cb5f289e30e65

  • SHA256

    b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894

  • SHA512

    ffce995792446ac40c4f1bc3da86363fb892da7b2a9d673f328b9cf9bb4a7dc9d134a26cdb472aefeeb9d6afcdc2a39107c90c286a30837fb168998c6f9de24b

Score
10/10

Malware Config

Extracted

Path

C:\Users\Public\Desktop\RecoveryManual.html

Ransom Note
Your ClientId: /!\ YOUR NETWORK HAS BEEN HACKED /!\ All your important files have been encrypted! Your files are safe! Only encrypted. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. You can send us 2-3 files and we will decrypt it for free to prove we are able to give your files back. Also we gathered highly confidential/personal data from your network. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you won't pay, we will release your data to public or reseller. So you can expect your data to be published or improperly used in the near future. In this case you will face all legal and reputational consequences of the leak. We only desire to get a ransom and we don't aim to damage your reputation or destroy your business. Contact us to discuss your next step. http://7bzo3bkpgrm3n4g6ot3jtc45tna7ijw2ibtfcuwnfj44zwfjwfrvszyd.onion/?cid=143ca1749b19662fa0c035df8eb6ae507432c1b80ecc80a211b3e4dd1349bb49 * Password field could be blank * Note that this server is only available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open "http://7bzo3bkpgrm3n4g6ot3jtc45tna7ijw2ibtfcuwnfj44zwfjwfrvszyd.onion/?cid=143ca1749b19662fa0c035df8eb6ae507432c1b80ecc80a211b3e4dd1349bb49". 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). Please note, sometimes our support is away from keyboard, but we will reply shortly. Kindly advise you to contact us as soon as possible.
URLs

http://7bzo3bkpgrm3n4g6ot3jtc45tna7ijw2ibtfcuwnfj44zwfjwfrvszyd.onion/?cid=143ca1749b19662fa0c035df8eb6ae507432c1b80ecc80a211b3e4dd1349bb49

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 24 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F745CCB.bat" "C:\Users\Admin\AppData\Local\Temp\b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:500
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\b07e554eff514d0dd77f3cf52e011fe315c21054053032a64c70699fe5336894.bin.sample.dll"
        3⤵
        • Views/modifies file attributes
        PID:692
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1720
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2124
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4464
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2376
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4288
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:2788

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4708-2-0x0000000001F90000-0x0000000001FA2000-memory.dmp

    Filesize

    72KB