Analysis

  • max time kernel
    11s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-05-2021 13:22

General

  • Target

    31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll

  • Size

    77KB

  • MD5

    0aacf2c41ba9b872a52055ffcaeaef15

  • SHA1

    c09b509699aeef71f3e205d53c5f4ff71cb48570

  • SHA256

    31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

  • SHA512

    d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Score
10/10

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
      2⤵
      • Modifies extensions of user files
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F742BB2.bat" "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll"
          4⤵
          • Views/modifies file attributes
          PID:436
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0F742BB2.bat

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • memory/432-63-0x0000000000000000-mapping.dmp

  • memory/436-65-0x0000000000000000-mapping.dmp

  • memory/788-59-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp

    Filesize

    8KB

  • memory/876-62-0x0000000000000000-mapping.dmp

  • memory/2016-60-0x0000000000000000-mapping.dmp

  • memory/2016-61-0x0000000075551000-0x0000000075553000-memory.dmp

    Filesize

    8KB