mountlocker | 31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

General

Target

31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll
Size

77KB
MD5

0aacf2c41ba9b872a52055ffcaeaef15
SHA1

c09b509699aeef71f3e205d53c5f4ff71cb48570
SHA256

31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585
SHA512

d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Score

10^/10

mountlocker ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\PushProtect.tiff.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\UnprotectConvert.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\GroupClose.raw => \??\c:\Users\Admin\Pictures\GroupClose.raw.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\InstallLimit.raw.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\MountTrace.crw => \??\c:\Users\Admin\Pictures\MountTrace.crw.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\PushProtect.tiff => \??\c:\Users\Admin\Pictures\PushProtect.tiff.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\GroupClose.raw.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\MergeInitialize.tif.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\MountTrace.crw.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\MeasureUpdate.tif => \??\c:\Users\Admin\Pictures\MeasureUpdate.tif.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UnprotectConvert.png => \??\c:\Users\Admin\Pictures\UnprotectConvert.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\InstallLimit.raw => \??\c:\Users\Admin\Pictures\InstallLimit.raw.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\MeasureUpdate.tif.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\MergeInitialize.tif => \??\c:\Users\Admin\Pictures\MergeInitialize.tif.ReadManual.64BD3273	regsvr32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

848 vssadmin.exe

pid	process
1704	cmd.exe

pid	process
848	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell\Open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell\Open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell\Open\command\ = "explorer.exe RecoveryManual.html"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1416 regsvr32.exe
1416 regsvr32.exe

pid	process
1416	regsvr32.exe
1416	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

regsvr32.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1416	regsvr32.exe
Token: SeBackupPrivilege	808	vssvc.exe
Token: SeRestorePrivilege	808	vssvc.exe
Token: SeAuditPrivilege	808	vssvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 1416	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1416	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1416	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1416	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1416	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1416	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1416	1100	regsvr32.exe	regsvr32.exe
PID 1416 wrote to memory of 848	1416	regsvr32.exe	vssadmin.exe
PID 1416 wrote to memory of 848	1416	regsvr32.exe	vssadmin.exe
PID 1416 wrote to memory of 848	1416	regsvr32.exe	vssadmin.exe
PID 1416 wrote to memory of 848	1416	regsvr32.exe	vssadmin.exe
PID 1416 wrote to memory of 1704	1416	regsvr32.exe	cmd.exe
PID 1416 wrote to memory of 1704	1416	regsvr32.exe	cmd.exe
PID 1416 wrote to memory of 1704	1416	regsvr32.exe	cmd.exe
PID 1416 wrote to memory of 1704	1416	regsvr32.exe	cmd.exe
PID 1704 wrote to memory of 1588	1704	cmd.exe	attrib.exe
PID 1704 wrote to memory of 1588	1704	cmd.exe	attrib.exe
PID 1704 wrote to memory of 1588	1704	cmd.exe	attrib.exe
PID 1704 wrote to memory of 1588	1704	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1588 attrib.exe

pid	process
1588	attrib.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll
  2⤵
  - Modifies extensions of user files
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F74426D.bat" "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll""
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll"
      4⤵
      Views/modifies file attributes
      PID:1588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F74426D.bat

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
memory/848-63-0x0000000000000000-mapping.dmp

Download
memory/1100-60-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/1416-61-0x0000000000000000-mapping.dmp

Download
memory/1416-62-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1588-66-0x0000000000000000-mapping.dmp

Download
memory/1704-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads