mountlocker | 2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0

Analysis

max time kernel
42s
max time network
41s
platform
windows10_x64
resource
win10v20210410
submitted
12-05-2021 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0.bin.dll
Size

46KB
MD5

75d07587e095647ff8f18479e73831b2
SHA1

5da9c3f4b1db7972cf21d1553562660b289a4c59
SHA256

2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0
SHA512

2e7dc10f3730824029359716b12d29d3b23b19f1d1e0bfd058d1ab05a6c469aae39a13d9c48e602cd262e4ed480d5697b4dc831a68a3f6713b333c643116ef65

Score

10^/10

mountlocker ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RevokeDeny.crw => \??\c:\Users\Admin\Pictures\RevokeDeny.crw.ReadManual.1C592F2A	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UnblockRestore.tif => \??\c:\Users\Admin\Pictures\UnblockRestore.tif.ReadManual.1C592F2A	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ExpandGroup.tif => \??\c:\Users\Admin\Pictures\ExpandGroup.tif.ReadManual.1C592F2A	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\MountExport.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\MountExport.tiff => \??\c:\Users\Admin\Pictures\MountExport.tiff.ReadManual.1C592F2A	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\OutCheckpoint.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\OutCheckpoint.tiff => \??\c:\Users\Admin\Pictures\OutCheckpoint.tiff.ReadManual.1C592F2A	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\RemoveConvertFrom.raw => \??\c:\Users\Admin\Pictures\RemoveConvertFrom.raw.ReadManual.1C592F2A	regsvr32.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png	regsvr32.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ku-ckb.txt	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\RecoveryManual.html	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\RecoveryManual.html	regsvr32.exe
File created	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\ui-strings.js	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	regsvr32.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc	regsvr32.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_tw_135x40.svg	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\RecoveryManual.html	regsvr32.exe
File created	\??\c:\Program Files\VideoLAN\VLC\lua\meta\reader\RecoveryManual.html	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_unselected_18.svg	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	regsvr32.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar	regsvr32.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\net.properties	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms	regsvr32.exe
File created	\??\c:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	regsvr32.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms	regsvr32.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms	regsvr32.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\security\java.security	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png	regsvr32.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_signed_out.svg	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\ui-strings.js	regsvr32.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\RecoveryManual.html	regsvr32.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js	regsvr32.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3908	vssadmin.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.1C592F2A	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.1C592F2A\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.1C592F2A\shell\Open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.1C592F2A\shell\Open\command\ = "explorer.exe RecoveryManual.html"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.1C592F2A\shell\Open\command	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
604	powershell.exe
604	powershell.exe
604	powershell.exe
604	powershell.exe
604	powershell.exe
604	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	powershell.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe
Token: SeTakeOwnershipPrivilege	3896	regsvr32.exe
Token: SeRestorePrivilege	3896	regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 604	3896	regsvr32.exe	73
PID 3896 wrote to memory of 604	3896	regsvr32.exe	73
PID 604 wrote to memory of 3908	604	powershell.exe	77
PID 604 wrote to memory of 3908	604	powershell.exe	77
PID 3896 wrote to memory of 252	3896	regsvr32.exe	83
PID 3896 wrote to memory of 252	3896	regsvr32.exe	83
PID 252 wrote to memory of 2932	252	cmd.exe	86
PID 252 wrote to memory of 2932	252	cmd.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2932	attrib.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0.bin.dll
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden -c $mypid='3896';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259269937.tmp')|iex
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F74BC02.bat" "C:\Users\Admin\AppData\Local\Temp\2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0.bin.dll""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:252
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0.bin.dll"
    3⤵
    - Views/modifies file attributes
    PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-119-0x000001D27C980000-0x000001D27C981000-memory.dmp

Filesize
4KB

Download
memory/604-125-0x000001D27D620000-0x000001D27D621000-memory.dmp

Filesize
4KB

Download
memory/604-134-0x000001D27C9F0000-0x000001D27C9F2000-memory.dmp

Filesize
8KB

Download
memory/604-135-0x000001D27C9F3000-0x000001D27C9F5000-memory.dmp

Filesize
8KB

Download
memory/604-140-0x000001D27C9F6000-0x000001D27C9F8000-memory.dmp

Filesize
8KB

Download