Analysis

  • max time kernel
    4294182s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    25-03-2022 17:35

General

  • Target

    4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273.exe

  • Size

    77KB

  • MD5

    23ba9903c5073f8637cfb4476ccc86b0

  • SHA1

    268248c43bc4d9f803a1eb6a941b0bd5622d5445

  • SHA256

    4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273

  • SHA512

    acdf49c35eaf42c37a57b89053ea24cf8935ed0062060be3903e257396063c1c0257df2a58712d9446a7881140c52be5a29d8c1cf9efdfcb8fea8de6288adc53

Malware Config

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> cb4e8508db9401e69c93177dd1410c052d9db515d591b075b7d91246b6e70c4b </pre> </b> <hr/> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\<br> All your important files have been encrypted!</b><br> <hr/> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <hr/> <b>Contact us for price and get decryption software.</b><br><br> <a href="http://zsa3wxvbb7gv65wnl7lerslee3c7i27ndqghqm6jt2priva2qcdponad.onion/?cid=cb4e8508db9401e69c93177dd1410c052d9db515d591b075b7d91246b6e70c4b">http://zsa3wxvbb7gv65wnl7lerslee3c7i27ndqghqm6jt2priva2qcdponad.onion/?cid=cb4e8508db9401e69c93177dd1410c052d9db515d591b075b7d91246b6e70c4b</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. 
In the Tor Browser open "http://zsa3wxvbb7gv65wnl7lerslee3c7i27ndqghqm6jt2priva2qcdponad.onion/?cid=cb4e8508db9401e69c93177dd1410c052d9db515d591b075b7d91246b6e70c4b". <br> 4. Start a chat and follow the further instructions. <br><br> <hr/> <b>Make contact as soon as possible. Your private key (decryption key) <br> is only stored temporarily.<br><br> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </body> </html>

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273.exe
    "C:\Users\Admin\AppData\Local\Temp\4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F775C82.bat" "C:\Users\Admin\AppData\Local\Temp\4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273.exe"
        3⤵
        • Views/modifies file attributes
        PID:1768
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1532

Network

MITRE ATT&CK Enterprise v6
