Overview

overview

10

Static

static

10

0aa8099c5a...in.exe

windows7_x64

10

0aa8099c5a...in.exe

windows10_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    12-05-2021 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0aa8099c5a65062ba4baec8274e1a0650ff36e757a91312e1755fded50a79d47.bin.exe

  • Size

    94KB

  • MD5

    b63a8bfdf7df9f9dd8c3bedb99b6f8ff

  • SHA1

    9e61b0960ac40452067720e8839b71ef10c05949

  • SHA256

    0aa8099c5a65062ba4baec8274e1a0650ff36e757a91312e1755fded50a79d47

  • SHA512

    8a1ae8c6fde917e6a53f33a13cef8065a90a6b31a84f4b8effbd1527ad1769d4712e37e31e65594aaea35d4bad80a0c0499404e8267c305500f8ed4ce5fa304b

Score
10/10
mountlockerransomwarespywarestealer

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 18 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0aa8099c5a65062ba4baec8274e1a0650ff36e757a91312e1755fded50a79d47.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\0aa8099c5a65062ba4baec8274e1a0650ff36e757a91312e1755fded50a79d47.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1536
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F745D2D.bat" "C:\Users\Admin\AppData\Local\Temp\0aa8099c5a65062ba4baec8274e1a0650ff36e757a91312e1755fded50a79d47.bin.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\0aa8099c5a65062ba4baec8274e1a0650ff36e757a91312e1755fded50a79d47.bin.exe"
        3⤵
        • Views/modifies file attributes
        PID:524
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads