mountlocker | 5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0

General

Target

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Size

94KB
MD5

0bc638d8c24a8dbd1c17bca989281624
SHA1

ce70c7d8c9c868a675d4002342af8d55e3053363
SHA256

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0
SHA512

c1c64f60bcc578916469be59b451f13289a3a5e5431de52d335b5824e3b7cb18b2fe9ee6ea1924282974bd1eeb9ad85c1f37c34fc78f9b7a52ba98e454683450

Score

10^/10

mountlocker ransomware spyware stealer

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\WaitBackup.tif.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File renamed	C:\Users\Admin\Pictures\ResolveHide.tiff => \??\c:\Users\Admin\Pictures\ResolveHide.tiff.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ResolveHide.tiff.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File opened for modification	\??\c:\Users\Admin\Pictures\StartUninstall.tif.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File renamed	C:\Users\Admin\Pictures\TraceExport.tif => \??\c:\Users\Admin\Pictures\TraceExport.tif.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File opened for modification	\??\c:\Users\Admin\Pictures\TraceExport.tif.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File renamed	C:\Users\Admin\Pictures\WaitBackup.tif => \??\c:\Users\Admin\Pictures\WaitBackup.tif.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File renamed	C:\Users\Admin\Pictures\StartUninstall.tif => \??\c:\Users\Admin\Pictures\StartUninstall.tif.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File renamed	C:\Users\Admin\Pictures\UpdateComplete.png => \??\c:\Users\Admin\Pictures\UpdateComplete.png.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
File opened for modification	\??\c:\Users\Admin\Pictures\UpdateComplete.png.ReadManual.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

652 vssadmin.exe

pid	process
652	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.C1747FDE\shell\Open\command	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.C1747FDE	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.C1747FDE\shell	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.C1747FDE\shell\Open	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.C1747FDE\shell\Open\command\ = "explorer.exe RecoveryManual.html"	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe

pid	process
2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Token: SeTakeOwnershipPrivilege	2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Token: SeRestorePrivilege	2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
Token: SeBackupPrivilege	3112	vssvc.exe
Token: SeRestorePrivilege	3112	vssvc.exe
Token: SeAuditPrivilege	3112	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.execmd.exe

description	pid	process	target process
PID 2264 wrote to memory of 652	2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe	vssadmin.exe
PID 2264 wrote to memory of 652	2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe	vssadmin.exe
PID 2264 wrote to memory of 3748	2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe	cmd.exe
PID 2264 wrote to memory of 3748	2264	5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe	cmd.exe
PID 3748 wrote to memory of 936	3748	cmd.exe	attrib.exe
PID 3748 wrote to memory of 936	3748	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

936 attrib.exe

pid	process
936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
  2⤵
  - Interacts with shadow copies
  PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F744730.bat" "C:\Users\Admin\AppData\Local\Temp\5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\5eae13527d4e39059025c3e56dad966cf67476fe7830090e40c14d0a4046adf0.bin.exe"
    3⤵
    - Views/modifies file attributes
    PID:936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Hidden Files and Directories

1

T1158

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F744730.bat

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
memory/652-114-0x0000000000000000-mapping.dmp

Download
memory/936-117-0x0000000000000000-mapping.dmp

Download
memory/3748-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads