Analysis
-
max time kernel
19s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-05-2021 17:02
Static task
static1
Behavioral task
behavioral1
Sample
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll
Resource
win7v20210410
Behavioral task
behavioral2
Sample
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll
Resource
win10v20210410
General
-
Target
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll
-
Size
77KB
-
MD5
0aacf2c41ba9b872a52055ffcaeaef15
-
SHA1
c09b509699aeef71f3e205d53c5f4ff71cb48570
-
SHA256
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585
-
SHA512
d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec
Malware Config
Signatures
-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
regsvr32.exedescription ioc process File renamed C:\Users\Admin\Pictures\PingInstall.crw => \??\c:\Users\Admin\Pictures\PingInstall.crw.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\PingInstall.crw.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\PublishUnpublish.raw => \??\c:\Users\Admin\Pictures\PublishUnpublish.raw.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\PublishUnpublish.raw.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\UsePing.crw => \??\c:\Users\Admin\Pictures\UsePing.crw.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\UsePing.crw.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\ConvertFromClear.raw => \??\c:\Users\Admin\Pictures\ConvertFromClear.raw.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\ConvertFromClear.raw.ReadManual.64BD3273 regsvr32.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2736 vssadmin.exe -
Modifies registry class 5 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.64BD3273\shell\Open\command\ = "explorer.exe RecoveryManual.html" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.64BD3273\shell\Open\command regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.64BD3273 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.64BD3273\shell regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.64BD3273\shell\Open regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 1504 regsvr32.exe 1504 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
regsvr32.exevssvc.exedescription pid process Token: SeDebugPrivilege 1504 regsvr32.exe Token: SeBackupPrivilege 1092 vssvc.exe Token: SeRestorePrivilege 1092 vssvc.exe Token: SeAuditPrivilege 1092 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
regsvr32.exeregsvr32.execmd.exedescription pid process target process PID 3276 wrote to memory of 1504 3276 regsvr32.exe regsvr32.exe PID 3276 wrote to memory of 1504 3276 regsvr32.exe regsvr32.exe PID 3276 wrote to memory of 1504 3276 regsvr32.exe regsvr32.exe PID 1504 wrote to memory of 2736 1504 regsvr32.exe vssadmin.exe PID 1504 wrote to memory of 2736 1504 regsvr32.exe vssadmin.exe PID 1504 wrote to memory of 2736 1504 regsvr32.exe vssadmin.exe PID 1504 wrote to memory of 3328 1504 regsvr32.exe cmd.exe PID 1504 wrote to memory of 3328 1504 regsvr32.exe cmd.exe PID 1504 wrote to memory of 3328 1504 regsvr32.exe cmd.exe PID 3328 wrote to memory of 3868 3328 cmd.exe attrib.exe PID 3328 wrote to memory of 3868 3328 cmd.exe attrib.exe PID 3328 wrote to memory of 3868 3328 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll2⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /Quiet3⤵
- Interacts with shadow copies
PID:2736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F7441B2.bat" "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll""3⤵
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.bin.dll"4⤵
- Views/modifies file attributes
PID:3868
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611