Overview

overview

10

Static

static

10

4a5ac3c6f8...c1.exe

windows7-x64

10

4a5ac3c6f8...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-02-2023 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe

  • Size

    66KB

  • MD5

    3808f21e56dede99bc914d90aeabe47a

  • SHA1

    93cc73149d4bb34830a2cb2a3047e9267b9e3080

  • SHA256

    4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1

  • SHA512

    4ae55145cca3a6f1ed3feff5b2bd38121e37c4cc528e08d5de771bcc4855994560bfc8c22898d73c5b259e37d2dc803615b8f6ec859e53918bd7a1ffee9316b3

  • SSDEEP

    768:BS5zkUtPX/y4Jp5LmcmItHnlIH9q9Q/048RgauHADOC8:DaXq4xTlIdYrhRcHC8

Score
10/10
mountlockerransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Ransom Note
Your ClientId: If you are here, you want to know what happened. We infiltrated your network, controlled it for a while, examined your data, downloaded sensitive information and finally encrypted your computers. Your files are safe, but encrypted. Any attempt to decrypt files with third-party software will permanently corrupt content. What now? We advise you to be in touch and start negotiations, otherwise your confidential data will be published on few our news sites and promoted in all possible ways. Data publication and even the fact of this leak for sure will lead to significant losses for your company: government fines lawsuits and as a result legal claims payments additional expenses on law services data recovery Also you shouldn't underestimate huge damage for your reputation, which can cause crash of equity prices, clients withdrawal and other negative consequences. But don't panic! We are doing business, not war. We can unlock your data and keep everything in secret. All, what we want is a ransom. If we can reach an agreement, you also get: security report full file tree of compromised data downloaded data unrecoverable deletion support with unlocking and network protection advice. How can you contact us? Visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777a3fe78c5e10f49d2f5189fb60588853 Password field should be blank for the first login. Note that this server is available via Tor browser only. Follow the instructions to open the link: Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor Project website. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. Now you have Tor browser. In the Tor Browser open "http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777a3fe78c5e10f49d2f5189fb60588853". Start a chat and introduce yourself (Company name and your position). Password field should be blank for the first login. You can ask an operator to set password later.
URLs

http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777a3fe78c5e10f49d2f5189fb60588853

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 32 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe
    "C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3FB0.bat" "C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1.exe"
        3⤵
        • Views/modifies file attributes
        PID:1592
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1040

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html
    Filesize

    2KB

    MD5

    e419968d62a8a85ac8e6c229eb628ef7

    SHA1

    c215dde47e4dbf8404ba70e1814454fa38a85b3a

    SHA256

    13380e103901e3fcc09a13c61141ce70b2c2825e3132b64e2c96a6415ee2029f

    SHA512

    7e024058e2a50d7c0a983231cf829736c61be00646b12c6a59fedc3e8aaf0bd23570c709722676e891e5fa13c9252ec712754e2c0473667b2c6bea50564c4817

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    252B

    MD5

    5f3141257da78cca40d5d19833ea50de

    SHA1

    897d1518a3528fcfb430391c09498dfb86be551e

    SHA256

    5ecefbc9bee9b2a54eaa6bccfd909516d98ee3df158b890f4ed38587c8bad60f

    SHA512

    fa987fb513ab33d4d79ddbe87f2404d8692612808446fac7dfed4668f96cc690e5575a7e8541297290f93c770f52ed1f1b44bdb573e7b8d57f1d5ab50351a3cf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    69455053062433129fa724005dc2da56

    SHA1

    9193e45fee2f3a7fcf5551d66e01ba6282d7d9d8

    SHA256

    e6b366347f3ed831d333a18cbc0b372f6ea8e76f1b200829644c0882c1dd3c8a

    SHA512

    faba9738edba10422b9f607321525c244a2dbb95ea49a6bee30384588989f2cf5f18ff0fdaebe9a9458c993dc9b6c1b9c6440e1df5235823fbf9e01335c3d18e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    aabcf899262f61a8d6f76fe2c556758d

    SHA1

    ba97b35018d81517ea513da1e6fa55de7555ce07

    SHA256

    437d897e8c966350def9a8346c7eb4ba1a8ccc11861e7991f73e7b4b40ae6ffc

    SHA512

    7d9b43afe5aacd3144944dff834ca8bd8f9e502774898346bbbd62965d26754d3ca79a4ba16ca1f318daa4e9a70fac4fdb7e534607373b342fda2631af4bda29

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    7e0cefad038b25cee3868320577692ad

    SHA1

    1d424f97c12d3e406db4c7e190e89df84ea84fea

    SHA256

    2f1d6a2ef169c6e1932595f896dad4f5dc7f3d7971aba7c988e601ee3bdda7e1

    SHA512

    5e41f59d42d87ac2142145642b35a08c24b748e44457055299d36e6f08a88d8dcd069b57ebc3209e8758583d100ba02351ffff676c46ffd728b6e7a3f82f536b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    5fb1adc53c973462e534651291374bbc

    SHA1

    348c6541acd06373187a7ab773f73dab2e16d543

    SHA256

    6ba8baef00541d93b89c9a5f81e67f5be284c0271799cf568d2c954309bb5445

    SHA512

    63a26c342479b0ac649c9900c016d45a29701a0905b9ad2cfbb147ff4d70ca52cca40e5366e5cf3b23afb14d5122f7388400598914989be548844b30edcfe6d0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    aba2880d728e11bca53bf54d37489cc1

    SHA1

    6187a66c65f9d1a72e46f7e0228eaa7c06b7bec6

    SHA256

    eb5b4ad219ae2297ef500cb520aa05d4bf5247524af9ebeb5219e00e0c88341d

    SHA512

    c108f4148c3ae03f6f47998d3d20ab5aefe1ac8a9c35c110ebd9ac6cb616c6cc6a840286d9d5d54524781192a23ceb3e357ac68274e4b8381ab4f7c80c932f2e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    1f51369f2bdec85915d999b428bd4170

    SHA1

    73c3f73d9af54ea0033e65afed36dfed437a50f2

    SHA256

    cdfa61a78bcaf7de1bad77808d774931e69de720bec80400260f8e058b130cee

    SHA512

    d2f46ed82e3998aeaf76f10bfa594a632195e98f733b892b7741ae811b3712ccd2d4b2b065aced6bc153c479066baad63ed64c3b9650bb6ef4e381ac7927869a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    2c5d6b1a9545a7d803b020bdab73da06

    SHA1

    fde5ace8eb760ab60183ef5a65771cf7189ed51c

    SHA256

    92b4a849a1d67363607ccd485de3ac6d7e75a542e532ddaab8be89ebaf1c6961

    SHA512

    094ac0fe7f9e82384dbbb958fb40732e1a17d2e1e5fb7338f86592309e9156a30638482e6456e53deb21713782cde8be43e6804a469345f8bab294be1a7003f2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    0cdfddb1ad377683ca86895d645a1c90

    SHA1

    e17ebb6f4ef3e444c2de12935238c932c0120b5d

    SHA256

    916e6f10fdb1dd46c417c41969c53188e1ae60f88eaf2fdf13203f468f9e8bd7

    SHA512

    46661e43dbb7e47034582cd7c8afb64b86ebd880d81ffde091b709084345b400a94e88c8bb079198a02cc16f3b70597e7ae622c417179fd90810fdf9f858b0a2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    8e196ea955b30866853e40a38d5d9c47

    SHA1

    3861e2c05808c8b13f0ba22df6e80623906a130f

    SHA256

    40f17289209746b735b71b623c4ecd6f57dd9ebde46ce573d40525804dec652e

    SHA512

    982248998fed8b8b320043310d7b6c24ec01ef2f188a2284b8a2a7d386eb2b5bb485ed37b241a61cf5b19fc068383524530033e98e0fbf3a1f8aa3fceea107cd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    1191148802e225ba525f9bea70eb83ea

    SHA1

    f2caf3a2797a586b6c6034f79cd1708b62a7904d

    SHA256

    4696216cfd7d0724c7a6f5f8bcc18687b2a7da6bd880721195b973bd414d7648

    SHA512

    d21dd2078ae5368b2d7b5f63a597612b84a1b5d4a4650323a632b0e3879db4b270405c9d33c6ad3a352ef05fbef51cf0a7ebd5b09fff2a6fbf8616e387d7df09

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    2a7b7c13eaad77ef7ca3cb145692b01f

    SHA1

    ca0234d2f3ef8a94433448fc72aef345e367814e

    SHA256

    65b72bef33f1cd0db267eb2357ea027c10961fce6c5ab666c0a083dc518f8882

    SHA512

    019d98d43f8a7e5df676181cba7d90019d223c2519d1ae547875220dfb9294f2acb67dfc6eb7c95e68ffbd8bd845c6d27fa48f62fd4d4eccadebfcfe4093ca48

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\006C3FB0.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\006C3FB0.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarAB82.tmp
    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

    Download Submit

  • C:\Users\Admin\Desktop\RecoveryManual.html
    Filesize

    2KB

    MD5

    e419968d62a8a85ac8e6c229eb628ef7

    SHA1

    c215dde47e4dbf8404ba70e1814454fa38a85b3a

    SHA256

    13380e103901e3fcc09a13c61141ce70b2c2825e3132b64e2c96a6415ee2029f

    SHA512

    7e024058e2a50d7c0a983231cf829736c61be00646b12c6a59fedc3e8aaf0bd23570c709722676e891e5fa13c9252ec712754e2c0473667b2c6bea50564c4817

    Download Submit

  • memory/1040-604-0x0000000000600000-0x0000000000602000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1800-603-0x00000000030A0000-0x00000000030B0000-memory.dmp

    Filesize

    64KB

    Download