Analysis
-
max time kernel
104s -
max time network
76s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
22-02-2023 01:01
General
-
Target
30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi
-
Size
112KB
-
MD5
ce3969ab935f0f5b1301cd70d2e59696
-
SHA1
e70d3341a6e2cc8ae0f140075837ceac4453b947
-
SHA256
30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83
-
SHA512
20998be53a994d7adab2b71bafccec1eeb93e356965582161fa1fccea023fbf62b0145adf5e0621118f00a4ea12a71fbb5de2fdd129d92879502a5a3da019a36
-
SSDEEP
1536:y7WSmywADwaY6FIsr4XSZ32tcOGwpin2NI2F4cdJ0DLx0DL:y7WgpDwd6+srGi32tcOGwpin2NMcd
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html
Extracted
C:\Windows\Installer\6c627b.msi
Extracted
C:\Users\Admin\Desktop\RecoveryManual.html
mountlocker
http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64326c5897ac3a97e1babe00375993d6d53
Signatures
-
Detected Mount Locker ransomware 3 IoCs
-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 12 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 33 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 28 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 24C786A70E864342B1A0511B71AD6EBB2⤵
- Modifies extensions of user files
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\syswow64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\\006CAF44.bat" "C:\Windows\Installer\MSI65C8.tmp""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -r -h "C:\Windows\Installer\MSI65C8.tmp"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000068" "0000000000000064"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5268713f3b05339a45fd4c2e4c5268e59
SHA1b4f54c141c90ce747cd7d39cc2522e9f04d31359
SHA256c48c73d47e53c7d3d3ec48e2e15f18ca65ccf30b623bf68fffd678a6112e2df3
SHA51280037a9ec2ff91d82d1aacc5f43cc385ec0d7295b57681bff4f3ef7761805a9cba088de649f5d93a2e2bd7fef90b148a6586f4f9a944cb4a497600155a53c7a8
-
Filesize
2KB
MD55e2160caffd8a9833e72bc87fb38192b
SHA152f8f24bfba53a3a2980d32fd54a0bd6255d9e04
SHA256273bec0e34f198fc2bd649b254e071592460d5d141f068250796ba9d5b4ec36d
SHA51200d69723ef3a2df9c90f6910b9cdff47f98dcf8d0cc9661669871740512a86c6fa4e3966d88513187fadac14910c3c607e273acd964c012cf7c70627e4e01c8b
-
Filesize
342B
MD5b0c076c905955e4f375e53cca276c161
SHA1169f21cb68b1cbdef764d14c7e01199321e9a6f0
SHA256b1bb745734e0c2dbcd0623b1aab840294da08429cef33f423e554a8ccf0549a5
SHA51255efc475398dfbf6ef077e7e3de5e9b0d0c447f31263a2efcb00330e0dba011d12378916ef4c73a0ac125389d604c9044a6ff40a1db7e265ddb126302380a5ad
-
Filesize
342B
MD537cf3cc86c094fe104c4bb884b38d52e
SHA1b4e8fd55dd41a794a001adf3468c7899896508c0
SHA256a4b008cd6b9f9a2b7af29ada2d3222e647c787b7974aad68e40f3a56ee53bcac
SHA512569e4682e66a9946e87dcd55b179bea8c565629762668a8bf0778dd92f2f2c68b1818d54a091dc1a47f7d446a08341415fe619275bdd0efdb6ffa27070e5b625
-
Filesize
342B
MD52f530463bd9b31718cc8fdbd7a889e75
SHA1058c2cb4bc54af3cc03d32f0b78473b5d469124d
SHA2561b2e8800ac183b45ed1baab7df1d81ba9de2392aef33b60113d5345bce034912
SHA5126417cf359915c764eb1e61c53be5a3e9a5a7d05d3cb1f5e8516062defe805a55e75adf1f023f949ba27fa8f5c115020560de3437d28ac5f5de4f537bf96cb7cb
-
Filesize
342B
MD5d3760a4d6e86b09b2eaf656f33c0b43c
SHA189a3c152f96c47377932a4bbeb31c8ea233e2f9a
SHA25627d6881c0d7faea85a8a0740003daf45051a249900cccee53c157f91aaa66348
SHA512e98284108d103000a2513733ba159ef926fa42c778b106612199847931a9d173186eafd9fc57cbe7f9fc6fe9dc30ac847c62ac69fccc5ac5a502d498f237d7c1
-
Filesize
342B
MD51763fcb43d99a6df3c047ff783efe19b
SHA107cee031ce3633c782944bae37a1a96f1728e33a
SHA25651f348ee1be45a9657622706a3944c6af3add0fa9929fb3ba23d767b6894f963
SHA51246b922408eac7961d579b58416ce6e52c8260cb4b33cdc99d01a7c8cc789e7187dba4676ce42406626ac95f1006fbbd5ee1c2c44b195682bed850ef588829cee
-
Filesize
342B
MD599e21319f5b8136f452f634bc675ba80
SHA1db5de92296a015a7c312b900cff84330a6609788
SHA2562299a7746e3e1235c92b16335f36f7549f33844d5bb09c80efaec84837403faa
SHA512af076dd4f24128e0e6a2ac7e3d284e503767876e39b4979a973490b4aa02a7d3101b99fbce75e6fdf47ffa14fb98f8511558e1a62d6625ca8a347e94d6138bb7
-
Filesize
342B
MD5c55cd1fd1174772fe916007f043a9daa
SHA1fa6fdfe9b76127238d549472fdd0809b7a5a9bf5
SHA256594b6cd2aad1cd20b2a950a23a3c827543770715c5eee3d1040805e99ca4cf08
SHA512df5d1d5400cc7a311967c44b4c5f5d7a1eceed86d2e479d9342507a57d6c2b35bb2d2704ce9a11da70e57c7bba728b4f3049ac8ba82eba901093c7258d2f6ed5
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
161KB
MD573b4b714b42fc9a6aaefd0ae59adb009
SHA1efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA51273af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd
-
Filesize
2KB
MD55e2160caffd8a9833e72bc87fb38192b
SHA152f8f24bfba53a3a2980d32fd54a0bd6255d9e04
SHA256273bec0e34f198fc2bd649b254e071592460d5d141f068250796ba9d5b4ec36d
SHA51200d69723ef3a2df9c90f6910b9cdff47f98dcf8d0cc9661669871740512a86c6fa4e3966d88513187fadac14910c3c607e273acd964c012cf7c70627e4e01c8b
-
Filesize
112KB
MD5ce3969ab935f0f5b1301cd70d2e59696
SHA1e70d3341a6e2cc8ae0f140075837ceac4453b947
SHA25630050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83
SHA51220998be53a994d7adab2b71bafccec1eeb93e356965582161fa1fccea023fbf62b0145adf5e0621118f00a4ea12a71fbb5de2fdd129d92879502a5a3da019a36
-
Filesize
77KB
MD50aacf2c41ba9b872a52055ffcaeaef15
SHA1c09b509699aeef71f3e205d53c5f4ff71cb48570
SHA25631630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585
SHA512d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec
-
Filesize
77KB
MD50aacf2c41ba9b872a52055ffcaeaef15
SHA1c09b509699aeef71f3e205d53c5f4ff71cb48570
SHA25631630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585
SHA512d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec
-
Filesize
8KB
-
Filesize
64KB