Analysis

  • max time kernel
    117s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-05-2021 12:46

General

  • Target

    xxxx.exe

  • Size

    66KB

  • MD5

    3808f21e56dede99bc914d90aeabe47a

  • SHA1

    93cc73149d4bb34830a2cb2a3047e9267b9e3080

  • SHA256

    4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1

  • SHA512

    4ae55145cca3a6f1ed3feff5b2bd38121e37c4cc528e08d5de771bcc4855994560bfc8c22898d73c5b259e37d2dc803615b8f6ec859e53918bd7a1ffee9316b3

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Ransom Note
Your ClientId: If you are here, you want to know what happened. We infiltrated your network, controlled it for a while, examined your data, downloaded sensitive information and finally encrypted your computers. Your files are safe, but encrypted. Any attempt to decrypt files with third-party software will permanently corrupt content. What now? We advise you to be in touch and start negotiations, otherwise your confidential data will be published on few our news sites and promoted in all possible ways. Data publication and even the fact of this leak for sure will lead to significant losses for your company: government fines lawsuits and as a result legal claims payments additional expenses on law services data recovery Also you shouldn't underestimate huge damage for your reputation, which can cause crash of equity prices, clients withdrawal and other negative consequences. But don't panic! We are doing business, not war. We can unlock your data and keep everything in secret. All, what we want is a ransom. If we can reach an agreement, you also get: security report full file tree of compromised data downloaded data unrecoverable deletion support with unlocking and network protection advice. How can you contact us? Visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777f29ea9b401bf59e2f5189fb60588831 Password field should be blank for the first login. Note that this server is available via Tor browser only. Follow the instructions to open the link: Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor Project website. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. Now you have Tor browser. 
In the Tor Browser open "http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777f29ea9b401bf59e2f5189fb60588831". Start a chat and introduce yourself (Company name and your position). Password field should be blank for the first login. You can ask an operator to set password later.
URLs

http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777f29ea9b401bf59e2f5189fb60588831

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 24 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxxx.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F74A6F4.bat" "C:\Users\Admin\AppData\Local\Temp\xxxx.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:504
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\xxxx.exe"
        3⤵
        • Views/modifies file attributes
        PID:1736
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3876
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3692
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2204
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:588
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4200
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4444
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4472

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0F74A6F4.bat

      MD5

      348cae913e496198548854f5ff2f6d1e

      SHA1

      a07655b9020205bd47084afd62a8bb22b48c0cdc

      SHA256

      c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

      SHA512

      799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    • C:\Users\Admin\Desktop\RecoveryManual.html

      MD5

      bef2cf57f6e2b5763753fa5812634820

      SHA1

      07c460635d5b226bd6a2b557564466d83c5c6f84

      SHA256

      2a3b93d60d030bec34af4de596e014c333033f550c384c5eac3d25bb8c7497b5

      SHA512

      ef43a8c21a23170edc1fdef1c49e49ad1b2e7f31da070a9882faf6a90081128aaf6ee0b004503ea99725b35b9f7369beefc9c415bcdbf2b4c7077ed278787f80

    • memory/504-114-0x0000000000000000-mapping.dmp

    • memory/1736-116-0x0000000000000000-mapping.dmp