Analysis
-
max time kernel
11s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
13-05-2021 13:22
Static task
static1
Behavioral task
behavioral1
Sample
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
Resource
win7v20210410
Behavioral task
behavioral2
Sample
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
Resource
win10v20210408
General
-
Target
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
-
Size
77KB
-
MD5
0aacf2c41ba9b872a52055ffcaeaef15
-
SHA1
c09b509699aeef71f3e205d53c5f4ff71cb48570
-
SHA256
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585
-
SHA512
d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec
Malware Config
Signatures
-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
regsvr32.exedescription ioc process File opened for modification \??\c:\Users\Admin\Pictures\SelectRead.crw.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\ConnectSet.crw => \??\c:\Users\Admin\Pictures\ConnectSet.crw.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\ConnectSet.crw.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\SelectPop.raw => \??\c:\Users\Admin\Pictures\SelectPop.raw.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\MergeProtect.tif.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\SelectPop.raw.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\SelectRead.crw => \??\c:\Users\Admin\Pictures\SelectRead.crw.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\DenyRequest.png => \??\c:\Users\Admin\Pictures\DenyRequest.png.ReadManual.64BD3273 regsvr32.exe File opened for modification \??\c:\Users\Admin\Pictures\DenyRequest.png.ReadManual.64BD3273 regsvr32.exe File renamed C:\Users\Admin\Pictures\MergeProtect.tif => \??\c:\Users\Admin\Pictures\MergeProtect.tif.ReadManual.64BD3273 regsvr32.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 432 cmd.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 876 vssadmin.exe -
Modifies registry class 5 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell\Open\command regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell\Open regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.64BD3273\shell\Open\command\ = "explorer.exe RecoveryManual.html" regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 2016 regsvr32.exe 2016 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
regsvr32.exevssvc.exedescription pid process Token: SeDebugPrivilege 2016 regsvr32.exe Token: SeBackupPrivilege 1544 vssvc.exe Token: SeRestorePrivilege 1544 vssvc.exe Token: SeAuditPrivilege 1544 vssvc.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
regsvr32.exeregsvr32.execmd.exedescription pid process target process PID 788 wrote to memory of 2016 788 regsvr32.exe regsvr32.exe PID 788 wrote to memory of 2016 788 regsvr32.exe regsvr32.exe PID 788 wrote to memory of 2016 788 regsvr32.exe regsvr32.exe PID 788 wrote to memory of 2016 788 regsvr32.exe regsvr32.exe PID 788 wrote to memory of 2016 788 regsvr32.exe regsvr32.exe PID 788 wrote to memory of 2016 788 regsvr32.exe regsvr32.exe PID 788 wrote to memory of 2016 788 regsvr32.exe regsvr32.exe PID 2016 wrote to memory of 876 2016 regsvr32.exe vssadmin.exe PID 2016 wrote to memory of 876 2016 regsvr32.exe vssadmin.exe PID 2016 wrote to memory of 876 2016 regsvr32.exe vssadmin.exe PID 2016 wrote to memory of 876 2016 regsvr32.exe vssadmin.exe PID 2016 wrote to memory of 432 2016 regsvr32.exe cmd.exe PID 2016 wrote to memory of 432 2016 regsvr32.exe cmd.exe PID 2016 wrote to memory of 432 2016 regsvr32.exe cmd.exe PID 2016 wrote to memory of 432 2016 regsvr32.exe cmd.exe PID 432 wrote to memory of 436 432 cmd.exe attrib.exe PID 432 wrote to memory of 436 432 cmd.exe attrib.exe PID 432 wrote to memory of 436 432 cmd.exe attrib.exe PID 432 wrote to memory of 436 432 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll1⤵
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll2⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /Quiet3⤵
- Interacts with shadow copies
PID:876
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F742BB2.bat" "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll""3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll"4⤵
- Views/modifies file attributes
PID:436
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611