Analysis
-
max time kernel
940s -
max time network
1217s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
13-09-2022 17:54
General
-
Target
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
-
Size
200KB
-
MD5
c2671bf5b5dedbfd3cfe3f0f944fbe01
-
SHA1
da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
-
SHA256
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
-
SHA512
256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9
-
SSDEEP
1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00
Score
10/10
Malware Config
Extracted
Path
\??\c:\RecoveryManual.html
Ransom Note
<html>
<head>
<title>RECOVERY MANUAL</title>
</head>
<body>
<h1>Your ClientId:</h1>
<b>
<pre>
aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158
</pre>
</b>
<hr/>
<b>/!\ YOUR NETWORK HAS BEEN HACKED /!\<br>
All your important files have been encrypted!</b><br>
<hr/>
Your files are safe! Only encrypted.<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
You can send us 2-3 files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
Also we gathered highly confidential/personal data from your network. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you won't pay, we will release your data to public or reseller.<br>
So you can expect your data to be published or improperly used in the near future.<br>
In this case you will face all legal and reputational consequences of the leak.<br>
We only desire to get a ransom and we don't aim to damage your reputation or destroy<br>
your business.<br><br>
<hr/>
<b>Contact us to discuss your next step.</b><br><br>
<a href="http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158">http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158</a><br>
* Note that this server is only available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158". <br>
4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <br><br>
<hr/>
<b>If you can`t use the above link, use the email:</b><br>
<a href="mailto:SloanAlbert@protonmail.com">SloanAlbert@protonmail.com</a><br>
Please note, sometimes our support is away from keyboard, but we will reply shortly.<br>
Kindly advise you to contact us as soon as possible.<br></b><br>
</body>
</html>
Emails
href="mailto:SloanAlbert@protonmail.com">SloanAlbert@protonmail.com</a><br>
Signatures
-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 28 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden -c $mypid='3332';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~240575937.tmp')|iex2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E58406F.bat" "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"3⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E58406F.batFilesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
C:\Users\Admin\AppData\Local\Temp\~240575937.tmpFilesize
4KB
MD54e1a1e3e715c291c71950d2fdc79e2be
SHA1dc2b3d20a9ec88e0d8d75c5097154687acc42983
SHA256acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39
SHA512d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80
-
memory/1432-150-0x0000000070890000-0x00000000708DC000-memory.dmpFilesize
304KB
-
memory/1432-142-0x00000000050C0000-0x00000000050E2000-memory.dmpFilesize
136KB
-
memory/1432-151-0x0000000007160000-0x000000000717E000-memory.dmpFilesize
120KB
-
memory/1432-143-0x0000000005160000-0x00000000051C6000-memory.dmpFilesize
408KB
-
memory/1432-144-0x0000000005820000-0x0000000005886000-memory.dmpFilesize
408KB
-
memory/1432-145-0x0000000005FC0000-0x0000000005FDE000-memory.dmpFilesize
120KB
-
memory/1432-140-0x0000000002AC0000-0x0000000002AF6000-memory.dmpFilesize
216KB
-
memory/1432-147-0x0000000007810000-0x0000000007E8A000-memory.dmpFilesize
6.5MB
-
memory/1432-152-0x00000000074E0000-0x00000000074EA000-memory.dmpFilesize
40KB
-
memory/1432-149-0x0000000007390000-0x00000000073C2000-memory.dmpFilesize
200KB
-
memory/1432-139-0x0000000000000000-mapping.dmp
-
memory/1432-141-0x00000000051F0000-0x0000000005818000-memory.dmpFilesize
6.2MB
-
memory/1432-148-0x0000000006620000-0x000000000663A000-memory.dmpFilesize
104KB
-
memory/1432-153-0x0000000007700000-0x0000000007796000-memory.dmpFilesize
600KB
-
memory/1432-154-0x0000000007680000-0x000000000768E000-memory.dmpFilesize
56KB
-
memory/1432-155-0x00000000076E0000-0x00000000076FA000-memory.dmpFilesize
104KB
-
memory/1432-156-0x00000000076D0000-0x00000000076D8000-memory.dmpFilesize
32KB
-
memory/1432-157-0x00000000077A0000-0x00000000077C2000-memory.dmpFilesize
136KB
-
memory/1432-158-0x0000000008440000-0x00000000089E4000-memory.dmpFilesize
5.6MB
-
memory/1492-159-0x0000000000000000-mapping.dmp
-
memory/3332-134-0x0000000004810000-0x000000000481F000-memory.dmpFilesize
60KB
-
memory/4656-161-0x0000000000000000-mapping.dmp