mountlocker | 03001d8c078671ee3d1b564721dafa2a3a323a079be9de59063ba5821cb45377

General

Target

31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
Size

77KB
MD5

0aacf2c41ba9b872a52055ffcaeaef15
SHA1

c09b509699aeef71f3e205d53c5f4ff71cb48570
SHA256

31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585
SHA512

d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Score

10^/10

mountlocker ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

regsvr32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ClearMeasure.tiff => \??\c:\Users\Admin\Pictures\ClearMeasure.tiff.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ClearMeasure.tiff.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\EnterRead.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\PublishPush.png => \??\c:\Users\Admin\Pictures\PublishPush.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ShowLimit.png => \??\c:\Users\Admin\Pictures\ShowLimit.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SkipGet.crw => \??\c:\Users\Admin\Pictures\SkipGet.crw.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\CompressCheckpoint.tiff => \??\c:\Users\Admin\Pictures\CompressCheckpoint.tiff.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ReceiveConvert.png => \??\c:\Users\Admin\Pictures\ReceiveConvert.png.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ReceiveConvert.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SaveUnblock.tif => \??\c:\Users\Admin\Pictures\SaveUnblock.tif.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SaveUnblock.tif.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ShowLimit.png.ReadManual.64BD3273	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\EnterRead.png => \??\c:\Users\Admin\Pictures\EnterRead.png.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\PublishPush.png.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\CompressCheckpoint.tiff.ReadManual.64BD3273	regsvr32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SkipGet.crw.ReadManual.64BD3273	regsvr32.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2088 vssadmin.exe

pid	process
2088	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.64BD3273\shell\Open\command\ = "explorer.exe RecoveryManual.html"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.64BD3273\shell\Open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.64BD3273	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.64BD3273\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.64BD3273\shell\Open	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4968 regsvr32.exe
4968 regsvr32.exe

pid	process
4968	regsvr32.exe
4968	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

regsvr32.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4968	regsvr32.exe
Token: SeBackupPrivilege	576	vssvc.exe
Token: SeRestorePrivilege	576	vssvc.exe
Token: SeAuditPrivilege	576	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exe

description	pid	process	target process
PID 4808 wrote to memory of 4968	4808	regsvr32.exe	regsvr32.exe
PID 4808 wrote to memory of 4968	4808	regsvr32.exe	regsvr32.exe
PID 4808 wrote to memory of 4968	4808	regsvr32.exe	regsvr32.exe
PID 4968 wrote to memory of 2088	4968	regsvr32.exe	vssadmin.exe
PID 4968 wrote to memory of 2088	4968	regsvr32.exe	vssadmin.exe
PID 4968 wrote to memory of 2088	4968	regsvr32.exe	vssadmin.exe
PID 4968 wrote to memory of 4212	4968	regsvr32.exe	cmd.exe
PID 4968 wrote to memory of 4212	4968	regsvr32.exe	cmd.exe
PID 4968 wrote to memory of 4212	4968	regsvr32.exe	cmd.exe
PID 4212 wrote to memory of 2432	4212	cmd.exe	attrib.exe
PID 4212 wrote to memory of 2432	4212	cmd.exe	attrib.exe
PID 4212 wrote to memory of 2432	4212	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2432 attrib.exe

pid	process
2432	attrib.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll
  2⤵
  - Modifies extensions of user files
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0F74F33F.bat" "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585.dll"
      4⤵
      Views/modifies file attributes
      PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F74F33F.bat

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
memory/2088-115-0x0000000000000000-mapping.dmp

Download
memory/2432-118-0x0000000000000000-mapping.dmp

Download
memory/4212-116-0x0000000000000000-mapping.dmp

Download
memory/4968-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads