Overview

overview

10

Static

static

1

0fc52ab540...44.exe

windows7_x64

10

0fc52ab540...44.exe

windows10_x64

8

Analysis

  • max time kernel
    121s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    29-11-2021 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe

  • Size

    3.1MB

  • MD5

    368b0fb9d3ecf41b8d013c4d1fa7c0e5

  • SHA1

    a38c5270ef62704a0b9653f301b75216bcdf527d

  • SHA256

    0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44

  • SHA512

    cabb1fd33f67ec77272cad53651f98f6dc6e335e87f10e88d8a0dc4e85b2e2f8e8c8097c02909b6ea22aa9df5a18b3835d93b3c32ebcf468a3533becbe76087a

Score
10/10
mountlockerransomware

Malware Config

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> 7d4476319502df7952972775d8cf930672df985a7c38e89a2d625284284e8540 </pre> </b> <hr/> <b>/!\ YOUR NETWORK HAS BEEN HACKED /!\<br> All your important files have been encrypted!</b><br> <hr/> Your files are safe! Only encrypted.<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> You can send us 2-3 files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> Also we gathered highly confidential/personal data from your network. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you won't pay, we will release your data to public or reseller.<br> So you can expect your data to be published or improperly used in the near future.<br> In this case you will face all legal and reputational consequences of the leak.<br> We only desire to get a ransom and we don't aim to damage your reputation or destroy<br> your business.<br><br> <hr/> <b>Contact us to discuss your next step.</b><br><br> <a href="http://u5aift7e2s7h5d6hnl6wqkecfor7g6ltwwljbqciek52anm35n3rqiid.onion/?cid=7d4476319502df7952972775d8cf930672df985a7c38e89a2d625284284e8540">http://u5aift7e2s7h5d6hnl6wqkecfor7g6ltwwljbqciek52anm35n3rqiid.onion/?cid=7d4476319502df7952972775d8cf930672df985a7c38e89a2d625284284e8540</a><br> * Password field could be blank <br><br> * Note that this server is only available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "http://u5aift7e2s7h5d6hnl6wqkecfor7g6ltwwljbqciek52anm35n3rqiid.onion/?cid=7d4476319502df7952972775d8cf930672df985a7c38e89a2d625284284e8540". <br> 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <br><br> <hr/> Please note, sometimes our support is away from keyboard, but we will reply shortly.<br> Kindly advise you to contact us as soon as possible.<br></b><br> </body> </html>

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe
    "C:\Users\Admin\AppData\Local\Temp\0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Programs\MariaDBPerfomanceKit\PerfomanceKit.exe
      C:\Users\Admin\AppData\Local\Programs\MariaDBPerfomanceKit\PerfomanceKit.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F76BE11.bat" "C:\Users\Admin\AppData\Local\Programs\MariaDBPerfomanceKit\PerfomanceKit.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Programs\MariaDBPerfomanceKit\PerfomanceKit.exe"
          4⤵
          • Views/modifies file attributes
          PID:2040

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1380-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

    Filesize

    8KB

    Download