mountlocker | 43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00

General

Target

43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe
Size

4.5MB
MD5

787d10a041bd8d2654b6f14467f123d7
SHA1

0dc98264957990391bd375a3e9ce9f0e047c1075
SHA256

43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00
SHA512

dbb450db73b030531b57fb5809b22b60730e13445ff02a032be5abb3668285122564cc1792fc3f44520a434b48656de7a22e931cc35d762a0704078f7021686f

Score

10^/10

mountlocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Ransom Note

Your ClientId: /!\ YOUR NETWORK HAS BEEN HACKED /!\ All your important files have been encrypted! Your files are safe! Only encrypted. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. You can send us 2-3 files and we will decrypt it for free to prove we are able to give your files back. Also we gathered highly confidential/personal data from your network. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you won't pay, we will release your data to public or reseller. So you can expect your data to be published or improperly used in the near future. In this case you will face all legal and reputational consequences of the leak. We only desire to get a ransom and we don't aim to damage your reputation or destroy your business. Contact us to discuss your next step. http://lhvqpdydwvtgy2ficsvamluobvonnitji5jgpfvc7c5pj6ci35gurjyd.onion/?cid=c7756a52c92cfb896c41800ac9bbe0c82ec8934d65d09c4b4780f215bbdd154f * Note that this server is only available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open "http://lhvqpdydwvtgy2ficsvamluobvonnitji5jgpfvc7c5pj6ci35gurjyd.onion/?cid=c7756a52c92cfb896c41800ac9bbe0c82ec8934d65d09c4b4780f215bbdd154f". 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). If you can`t use the above link, use the email: MartinMacDonald1996@protonmail.com Please note, sometimes our support is away from keyboard, but we will reply shortly. Kindly advise you to contact us as soon as possible.

Emails

MartinMacDonald1996@protonmail.com

URLs

http://lhvqpdydwvtgy2ficsvamluobvonnitji5jgpfvc7c5pj6ci35gurjyd.onion/?cid=c7756a52c92cfb896c41800ac9bbe0c82ec8934d65d09c4b4780f215bbdd154f

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

file.exe

pid process

1920 file.exe

pid	process
1920	file.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

file.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UseConvertTo.crw => \??\c:\Users\Admin\Pictures\UseConvertTo.crw.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\EnableEnter.crw => \??\c:\Users\Admin\Pictures\EnableEnter.crw.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\MountSync.raw => \??\c:\Users\Admin\Pictures\MountSync.raw.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\RestartSave.raw => \??\c:\Users\Admin\Pictures\RestartSave.raw.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\SuspendShow.png => \??\c:\Users\Admin\Pictures\SuspendShow.png.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromReceive.crw => \??\c:\Users\Admin\Pictures\ConvertFromReceive.crw.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\HideAdd.tif => \??\c:\Users\Admin\Pictures\HideAdd.tif.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\PingMeasure.raw => \??\c:\Users\Admin\Pictures\PingMeasure.raw.ReadManual.5A595725	file.exe
File renamed	C:\Users\Admin\Pictures\SaveUpdate.raw => \??\c:\Users\Admin\Pictures\SaveUpdate.raw.ReadManual.5A595725	file.exe

Drops desktop.ini file(s) 29 IoCs

Processes:

file.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	file.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	file.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	file.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	file.exe
File opened for modification	\??\c:\Program Files\desktop.ini	file.exe

Drops file in Program Files directory 64 IoCs

Processes:

file.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CUPINST.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF	file.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png	file.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	file.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG.HXS	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECS.ICO	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	file.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF	file.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp	file.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324694.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	file.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG	file.exe
File created	\??\c:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RecoveryManual.html	file.exe
File created	\??\c:\Program Files\Java\jre7\lib\zi\America\North_Dakota\RecoveryManual.html	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\RecoveryManual.html	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Groove.gif	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	file.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png	file.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar	file.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\TexturedBlue.css	file.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png	file.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\pt.txt	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA	file.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	file.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png	file.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01160_.WMF	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF	file.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	file.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	file.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\RecoveryManual.html	file.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\RecoveryManual.html	file.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\meta-index	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML	file.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP	file.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\RecoveryManual.html	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	file.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml	file.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	file.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1072 vssadmin.exe

pid	process
1072	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E05D02A1-A231-11EB-9FF3-FE3EDAA4A530} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 5 IoCs

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell\Open\command	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell\Open	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell\Open\command\ = "explorer.exe RecoveryManual.html"	file.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

744 powershell.exe
744 powershell.exe
744 powershell.exe
744 powershell.exe
744 powershell.exe

pid	process
744	powershell.exe
744	powershell.exe
744	powershell.exe
744	powershell.exe
744	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exefile.exe

description	pid	process
Token: SeDebugPrivilege	744	powershell.exe
Token: SeBackupPrivilege	808	vssvc.exe
Token: SeRestorePrivilege	808	vssvc.exe
Token: SeAuditPrivilege	808	vssvc.exe
Token: SeTakeOwnershipPrivilege	1920	file.exe
Token: SeRestorePrivilege	1920	file.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

268 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

file.exeiexplore.exeIEXPLORE.EXE

pid process

1920 file.exe
268 iexplore.exe
268 iexplore.exe
912 IEXPLORE.EXE
912 IEXPLORE.EXE
912 IEXPLORE.EXE
912 IEXPLORE.EXE

pid	process
268	iexplore.exe

pid	process
1920	file.exe
268	iexplore.exe
268	iexplore.exe
912	IEXPLORE.EXE
912	IEXPLORE.EXE
912	IEXPLORE.EXE
912	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exefile.exepowershell.execmd.exeiexplore.exe

description	pid	process	target process
PID 1088 wrote to memory of 1920	1088	43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe	file.exe
PID 1088 wrote to memory of 1920	1088	43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe	file.exe
PID 1088 wrote to memory of 1920	1088	43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe	file.exe
PID 1088 wrote to memory of 1920	1088	43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe	file.exe
PID 1920 wrote to memory of 2004	1920	file.exe	splwow64.exe
PID 1920 wrote to memory of 2004	1920	file.exe	splwow64.exe
PID 1920 wrote to memory of 2004	1920	file.exe	splwow64.exe
PID 1920 wrote to memory of 2004	1920	file.exe	splwow64.exe
PID 1920 wrote to memory of 744	1920	file.exe	powershell.exe
PID 1920 wrote to memory of 744	1920	file.exe	powershell.exe
PID 1920 wrote to memory of 744	1920	file.exe	powershell.exe
PID 1920 wrote to memory of 744	1920	file.exe	powershell.exe
PID 744 wrote to memory of 1072	744	powershell.exe	vssadmin.exe
PID 744 wrote to memory of 1072	744	powershell.exe	vssadmin.exe
PID 744 wrote to memory of 1072	744	powershell.exe	vssadmin.exe
PID 744 wrote to memory of 1072	744	powershell.exe	vssadmin.exe
PID 1920 wrote to memory of 592	1920	file.exe	cmd.exe
PID 1920 wrote to memory of 592	1920	file.exe	cmd.exe
PID 1920 wrote to memory of 592	1920	file.exe	cmd.exe
PID 1920 wrote to memory of 592	1920	file.exe	cmd.exe
PID 592 wrote to memory of 1196	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1196	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1196	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1196	592	cmd.exe	attrib.exe
PID 268 wrote to memory of 912	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 912	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 912	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 912	268	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1196 attrib.exe

pid	process
1196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe
"C:\Users\Admin\AppData\Local\Temp\43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\file.exe
"file.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden -c $mypid='1920';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259275564.tmp')|iex
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
4⤵
- Interacts with shadow copies
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F7584AA.bat" "C:\Users\Admin\AppData\Local\Temp\file.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\file.exe"
4⤵
- Views/modifies file attributes
PID:1196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:912

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F7584AA.bat
MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
MD5
76f547c793b5478b970c64caf04d01d4

SHA1
f9eb40f6d3d4c83852e3781886db762bef8564e0

SHA256
e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037

SHA512
91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
MD5
76f547c793b5478b970c64caf04d01d4

SHA1
f9eb40f6d3d4c83852e3781886db762bef8564e0

SHA256
e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037

SHA512
91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\~259275564.tmp
MD5
4e1a1e3e715c291c71950d2fdc79e2be

SHA1
dc2b3d20a9ec88e0d8d75c5097154687acc42983

SHA256
acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

SHA512
d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

Download Submit
C:\Users\Admin\Desktop\RecoveryManual.html
MD5
32ae5ebcacf924c82f13a7f61322360c

SHA1
3f95b7a6a368fdfbe5a03ac72b11c526567cdbae

SHA256
9f72c718ef207dc0e99998bc84c02ab8c15ff66ac30bf6426f022d13daa02e05

SHA512
86ce9917667843576e470d6cb662a19a3467f4c91260ce101cfc74438cc0b6ab7ea686f02b889d63770be11cb4c04976ce469a7808f7afcb9ffaf05579abb7c2

Download Submit
memory/268-102-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/592-97-0x0000000000000000-mapping.dmp

Download
memory/744-70-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/744-86-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/744-72-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/744-73-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/744-75-0x0000000000802000-0x0000000000803000-memory.dmp

Filesize
4KB

Download
memory/744-74-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/744-76-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/744-69-0x0000000000000000-mapping.dmp

Download
memory/744-80-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/744-85-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/744-87-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/744-71-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/744-94-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/744-95-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/912-103-0x0000000000000000-mapping.dmp

Download
memory/1072-96-0x0000000000000000-mapping.dmp

Download
memory/1196-99-0x0000000000000000-mapping.dmp

Download
memory/1920-59-0x0000000000000000-mapping.dmp

Download
memory/1920-68-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/1920-65-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/2004-64-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/2004-63-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads