mountlocker | 6f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e

General

Target

6f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e_unpacked.dll
Size

68KB
MD5

49d8bd6dcaa501ca742bd686c161e5e0
SHA1

9acdd840615e4f4cd37f50e66b7bb7bb222d4fca
SHA256

6f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e
SHA512

26d480f4480c99093859d3bb697dacc69c7165fc75603c717db6c1d0959463d7d9a33a32d3e1ec5360b0d031db4b77734f0ebcbf2bafb46b7390e1967d8a7b12
SSDEEP

768:PjzkUtPX7y4J6IjDcGopwx2P+9n+PLcHosFBLtuBDUaDO2y:0aXG4HtEPina7AdY3y

Score

10^/10

mountlocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Ransom Note

Your ClientId: If you are here, you want to know what happened. We infiltrated your network, controlled it for a while, examined your data, downloaded sensitive information and finally encrypted your computers. Your files are safe, but encrypted. Any attempt to decrypt files with third-party software will permanently corrupt content. What now? We advise you to be in touch and start negotiations, otherwise your confidential data will be published on few our news sites and promoted in all possible ways. Data publication and even the fact of this leak for sure will lead to significant losses for your company: government fines lawsuits and as a result legal claims payments additional expenses on law services data recovery Also you shouldn't underestimate huge damage for your reputation, which can cause crash of equity prices, clients withdrawal and other negative consequences. But don't panic! We are doing business, not war. We can unlock your data and keep everything in secret. All, what we want is a ransom. If we can reach an agreement, you also get: security report full file tree of compromised data downloaded data unrecoverable deletion support with unlocking and network protection advice. How can you contact us? Visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://c6zkofycoumltpmm6zpyfadkuddpmlqk6vyd3orrfjgtq3vrgyifl6yd.onion/?cid=cf27e0d30ec88c4399a1e46b71c4a77b2199b463d99f721caed376aee6097d53 Password field should be blank for the first login. Note that this server is available via Tor browser only. Follow the instructions to open the link: Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor Project website. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. Now you have Tor browser. In the Tor Browser open "http://c6zkofycoumltpmm6zpyfadkuddpmlqk6vyd3orrfjgtq3vrgyifl6yd.onion/?cid=cf27e0d30ec88c4399a1e46b71c4a77b2199b463d99f721caed376aee6097d53". Start a chat and introduce yourself (Company name and your position). Password field should be blank for the first login. You can ask an operator to set password later.

URLs

http://c6zkofycoumltpmm6zpyfadkuddpmlqk6vyd3orrfjgtq3vrgyifl6yd.onion/?cid=cf27e0d30ec88c4399a1e46b71c4a77b2199b463d99f721caed376aee6097d53

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\EnterOut.tiff	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\InstallSearch.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\MeasureComplete.raw => \??\c:\Users\Admin\Pictures\MeasureComplete.raw.ReadManual.72707D3B	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ResolveWrite.crw => \??\c:\Users\Admin\Pictures\ResolveWrite.crw.ReadManual.72707D3B	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ClearExport.raw => \??\c:\Users\Admin\Pictures\ClearExport.raw.ReadManual.72707D3B	rundll32.exe
File renamed	C:\Users\Admin\Pictures\EnterOut.tiff => \??\c:\Users\Admin\Pictures\EnterOut.tiff.ReadManual.72707D3B	rundll32.exe
File renamed	C:\Users\Admin\Pictures\InstallSearch.tiff => \??\c:\Users\Admin\Pictures\InstallSearch.tiff.ReadManual.72707D3B	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\JoinSwitch.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\JoinSwitch.tiff => \??\c:\Users\Admin\Pictures\JoinSwitch.tiff.ReadManual.72707D3B	rundll32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1788 cmd.exe

pid	process
1788	cmd.exe

Drops desktop.ini file(s) 32 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D3FFX6WH\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KDJSR44L\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D3BHGYNU\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F9XZZTVM\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	rundll32.exe

Drops file in Program Files directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	\??\c:\Program Files\RecoveryManual.html	rundll32.exe
File created	\??\c:\Program Files (x86)\RecoveryManual.html	rundll32.exe
File created	\??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RecoveryManual.html	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D333FD1-B24D-11ED-B08A-6AEE4B25B7A6} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.72707D3B\shell\Open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.72707D3B	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.72707D3B\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.72707D3B\shell\Open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.72707D3B\shell\Open\command\ = "explorer.exe RecoveryManual.html"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1328 rundll32.exe
1328 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeRestorePrivilege 1328 rundll32.exe
Token: SeDebugPrivilege 1328 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

764 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

764 iexplore.exe
764 iexplore.exe
596 IEXPLORE.EXE
596 IEXPLORE.EXE
596 IEXPLORE.EXE
596 IEXPLORE.EXE
596 IEXPLORE.EXE
596 IEXPLORE.EXE
596 IEXPLORE.EXE

pid	process
1328	rundll32.exe
1328	rundll32.exe

description	pid	process
Token: SeRestorePrivilege	1328	rundll32.exe
Token: SeDebugPrivilege	1328	rundll32.exe

pid	process
764	iexplore.exe

pid	process
764	iexplore.exe
764	iexplore.exe
596	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.execmd.exeiexplore.exe

description	pid	process	target process
PID 1328 wrote to memory of 1788	1328	rundll32.exe	cmd.exe
PID 1328 wrote to memory of 1788	1328	rundll32.exe	cmd.exe
PID 1328 wrote to memory of 1788	1328	rundll32.exe	cmd.exe
PID 1788 wrote to memory of 332	1788	cmd.exe	attrib.exe
PID 1788 wrote to memory of 332	1788	cmd.exe	attrib.exe
PID 1788 wrote to memory of 332	1788	cmd.exe	attrib.exe
PID 764 wrote to memory of 596	764	iexplore.exe	IEXPLORE.EXE
PID 764 wrote to memory of 596	764	iexplore.exe	IEXPLORE.EXE
PID 764 wrote to memory of 596	764	iexplore.exe	IEXPLORE.EXE
PID 764 wrote to memory of 596	764	iexplore.exe	IEXPLORE.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

332 attrib.exe

pid	process
332	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e_unpacked.dll,#1
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C5523.bat" "C:\Users\Admin\AppData\Local\Temp\6f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e_unpacked.dll""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\6f9bed90c1d6df1c7b259f832130b5fef5e0d0c9dc6c2564dad53dc0ca30bb0e_unpacked.dll"
    3⤵
    - Views/modifies file attributes
    PID:332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html

Filesize
2KB

MD5
62fb07b5664c0b82f3d816680a8d07c0

SHA1
6d500c3015dbb05b187bd0a0b6922da164c9e063

SHA256
96406fa90edc00c893a076ec61361b368aae061c259ac7a3db79d2f8f1a4d5c7

SHA512
2d66e66f5981ccf97bbbdcaa04a2dd6ec8606244183e6a156f3a723f5d1eaf5ae08ffcb63b6d74ad838eba35a04fba3d51956ccc747634c90af1b30c95144496

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C5523.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C5523.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\Desktop\RecoveryManual.html

Filesize
2KB

MD5
62fb07b5664c0b82f3d816680a8d07c0

SHA1
6d500c3015dbb05b187bd0a0b6922da164c9e063

SHA256
96406fa90edc00c893a076ec61361b368aae061c259ac7a3db79d2f8f1a4d5c7

SHA512
2d66e66f5981ccf97bbbdcaa04a2dd6ec8606244183e6a156f3a723f5d1eaf5ae08ffcb63b6d74ad838eba35a04fba3d51956ccc747634c90af1b30c95144496

Download Submit
memory/596-625-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/764-624-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads