mountlocker | 1906d011f27492072b8f063e136ccf12b14a7a79b6630953ca3f0b955a07a874

Analysis

max time kernel
14s
max time network
55s
platform
windows7_x64
resource
win7v20210410
submitted
19-07-2021 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
Size

66KB
MD5

3808f21e56dede99bc914d90aeabe47a
SHA1

93cc73149d4bb34830a2cb2a3047e9267b9e3080
SHA256

4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1
SHA512

4ae55145cca3a6f1ed3feff5b2bd38121e37c4cc528e08d5de771bcc4855994560bfc8c22898d73c5b259e37d2dc803615b8f6ec859e53918bd7a1ffee9316b3

Score

10^/10

mountlocker ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SendRedo.tiff => \??\c:\Users\Admin\Pictures\SendRedo.tiff.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\SetSearch.tif => \??\c:\Users\Admin\Pictures\SetSearch.tif.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Pictures\UnpublishUnregister.tiff	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\PublishWrite.tif => \??\c:\Users\Admin\Pictures\PublishWrite.tif.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\SearchInitialize.crw => \??\c:\Users\Admin\Pictures\SearchInitialize.crw.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SendRedo.tiff	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Pictures\StepPush.tiff	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\StepPush.tiff => \??\c:\Users\Admin\Pictures\StepPush.tiff.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\UnblockWrite.crw => \??\c:\Users\Admin\Pictures\UnblockWrite.crw.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\UnpublishUnregister.tiff => \??\c:\Users\Admin\Pictures\UnpublishUnregister.tiff.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\DismountDebug.raw => \??\c:\Users\Admin\Pictures\DismountDebug.raw.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\HideEdit.tif => \??\c:\Users\Admin\Pictures\HideEdit.tif.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File renamed	C:\Users\Admin\Pictures\RepairStep.crw => \??\c:\Users\Admin\Pictures\RepairStep.crw.ReadManual.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe

Deletes itself 1 IoCs

pid	Process
1048	cmd.exe

Drops desktop.ini file(s) 32 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\Program Files\RecoveryManual.html	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File created	\??\c:\Program Files (x86)\RecoveryManual.html	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
File created	\??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RecoveryManual.html	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.F638D8A0\shell\Open\command\ = "explorer.exe RecoveryManual.html"	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.F638D8A0\shell\Open\command	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.F638D8A0	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.F638D8A0\shell	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.F638D8A0\shell\Open	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1776	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
1776	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1776	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
Token: SeDebugPrivilege	1776	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1048	1776	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe	30
PID 1776 wrote to memory of 1048	1776	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe	30
PID 1776 wrote to memory of 1048	1776	4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe	30
PID 1048 wrote to memory of 1404	1048	cmd.exe	32
PID 1048 wrote to memory of 1404	1048	cmd.exe	32
PID 1048 wrote to memory of 1404	1048	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1404	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
"C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F74EF4E.bat" "C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe"
    3⤵
    - Views/modifies file attributes
    PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads