Overview

overview

10

Static

static

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.ps1

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.msi

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.ps1

windows10-2004-x64

10

Ransomware...KB.exe

windows10-2004-x64

8

Ransomware...KB.exe

windows10-2004-x64

10

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

  • max time kernel
    940s
  • max time network
    1217s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2022 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RansomwareSamples/MountLocker_20_11_2020_200KB.exe

  • Size

    200KB

  • MD5

    c2671bf5b5dedbfd3cfe3f0f944fbe01

  • SHA1

    da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

  • SHA256

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

  • SHA512

    256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

  • SSDEEP

    1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00

Score
10/10
mountlockerransomware

Malware Config

Extracted

Path

\??\c:\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158 </pre> </b> <hr/> <b>/!\ YOUR NETWORK HAS BEEN HACKED /!\<br> All your important files have been encrypted!</b><br> <hr/> Your files are safe! Only encrypted.<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> You can send us 2-3 files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> Also we gathered highly confidential/personal data from your network. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you won't pay, we will release your data to public or reseller.<br> So you can expect your data to be published or improperly used in the near future.<br> In this case you will face all legal and reputational consequences of the leak.<br> We only desire to get a ransom and we don't aim to damage your reputation or destroy<br> your business.<br><br> <hr/> <b>Contact us to discuss your next step.</b><br><br> <a href="http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158">http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158</a><br> * Note that this server is only available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d850289bbf06cca919cbe00577a9cc00a158". <br> 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <br><br> <hr/> <b>If you can`t use the above link, use the email:</b><br> <a href="mailto:[email protected]">[email protected]</a><br> Please note, sometimes our support is away from keyboard, but we will reply shortly.<br> Kindly advise you to contact us as soon as possible.<br></b><br> </body> </html>
Emails

href="mailto:[email protected]">[email protected]</a><br>

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 28 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='3332';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~240575937.tmp')|iex
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E58406F.bat" "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"
        3⤵
        • Views/modifies file attributes
        PID:4656

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0E58406F.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~240575937.tmp
    Filesize

    4KB

    MD5

    4e1a1e3e715c291c71950d2fdc79e2be

    SHA1

    dc2b3d20a9ec88e0d8d75c5097154687acc42983

    SHA256

    acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

    SHA512

    d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

    Download Submit

  • memory/1432-150-0x0000000070890000-0x00000000708DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1432-142-0x00000000050C0000-0x00000000050E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1432-151-0x0000000007160000-0x000000000717E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1432-143-0x0000000005160000-0x00000000051C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1432-144-0x0000000005820000-0x0000000005886000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1432-145-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1432-140-0x0000000002AC0000-0x0000000002AF6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1432-147-0x0000000007810000-0x0000000007E8A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1432-152-0x00000000074E0000-0x00000000074EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1432-149-0x0000000007390000-0x00000000073C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1432-139-0x0000000000000000-mapping.dmp

    Download

  • memory/1432-141-0x00000000051F0000-0x0000000005818000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1432-148-0x0000000006620000-0x000000000663A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1432-153-0x0000000007700000-0x0000000007796000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1432-154-0x0000000007680000-0x000000000768E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1432-155-0x00000000076E0000-0x00000000076FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1432-156-0x00000000076D0000-0x00000000076D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1432-157-0x00000000077A0000-0x00000000077C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1432-158-0x0000000008440000-0x00000000089E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1492-159-0x0000000000000000-mapping.dmp

    Download

  • memory/3332-134-0x0000000004810000-0x000000000481F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4656-161-0x0000000000000000-mapping.dmp

    Download