Resubmissions

17-05-2024 14:06

240517-reh7esbc83 10

17-05-2024 14:05

240517-rdxnesbb2x 10

17-05-2024 14:04

240517-rdkc4aba91 10

17-05-2024 14:00

240517-raznlsbc33 10

09-01-2022 14:18

220109-rl99gsdee2 10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-01-2022 14:18

General

  • Target

    00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.bin.exe

  • Size

    66KB

  • MD5

    2c26b319e378755596f0ac6d293798c8

  • SHA1

    280a4cfcf5dd87898c3731b680efe061bdb7a9fe

  • SHA256

    00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99

  • SHA512

    0c2b53a3fed1dbbae64e7f1e7c17a89b5dc607ba40caecd5496e18ffd84cdad844e926742d9fc82a715d6e8b01a1c483d97d54f5be1f2d6997107946f2a3fe4b

Score
10/10

Malware Config

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858 </pre> </b> <hr/> If you are here, you want to know what happened.<br><br> We infiltrated your network, controlled it for a while, examined your data, downloaded sensitive information and finally encrypted your computers.<br> Your files are safe, but encrypted. Any attempt to decrypt files with third-party software will permanently corrupt content.<br><br> <b>What now?</b><br><br> We advise you to be in touch and start negotiations, otherwise your confidential data will be published on few our news sites and promoted in all possible ways.<br> Data publication and even the fact of this leak for sure will lead to significant losses for your company: <ul> <li>government fines <li>lawsuits and as a result legal claims payments <li>additional expenses on law services <li>data recovery </ul> Also you shouldn't underestimate huge damage for your reputation, which can cause crash of equity prices, clients withdrawal and other negative consequences.<br><br> <b>But don't panic! We are doing business, not war.</b><br><br> We can unlock your data and keep everything in secret. All, what we want is a ransom.<br><br> If we can reach an agreement, you also get: <ul> <li>security report <li>full file tree of compromised data <li>downloaded data unrecoverable deletion <li>support with unlocking and network protection advice. </ul> <b>How can you contact us?</b><br> Visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858">http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> Follow the instructions to open the link: <ol> <li>Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor Project website. <li>Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. <li>Now you have Tor browser. In the Tor Browser open "http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858". <li>Start a chat and introduce yourself (Company name and your position). </ol> Password field should be blank for the first login. You can ask an operator to set password later. </body> </html>

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 32 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F762829.bat" "C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.bin.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.bin.exe"
        3⤵
        • Views/modifies file attributes
        PID:860

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads