mountlocker | 0fa0ad3dbf321d2c7c645aab928176d7a2d21b64d84d720829b67ad6c37381c7

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af2cac864d51827a760560a2d1df8fe8.exe
Size

56KB
MD5

af2cac864d51827a760560a2d1df8fe8
SHA1

651f6e8aeb91cf84eb809a3d0fdcf67ba80c8339
SHA256

0fa0ad3dbf321d2c7c645aab928176d7a2d21b64d84d720829b67ad6c37381c7
SHA512

dbc929410cf09408086cdff6b5e03e143568296084929c19eefc045e5228676cbd40e6daaf3a39463c69ec87c1ca099f2f50dc92351cb802f3aa1642be205b86
SSDEEP

384:mCBAxTKMjOGhjfUrCXTZZpwBKkt13qCKoNfkjWtvVM45hTLVftkcY0RrKeWJcqgz:mCBWKM6sLUG3KaCKoBKSvGc7VW2qnk

Score

10^/10

mountlocker ransomware

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker

Drops desktop.ini file(s) 5 IoCs

Processes:

af2cac864d51827a760560a2d1df8fe8.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7GHXBWM1\desktop.ini	af2cac864d51827a760560a2d1df8fe8.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	af2cac864d51827a760560a2d1df8fe8.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GE3X1LT6\desktop.ini	af2cac864d51827a760560a2d1df8fe8.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IXEVUZVE\desktop.ini	af2cac864d51827a760560a2d1df8fe8.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J171AZTC\desktop.ini	af2cac864d51827a760560a2d1df8fe8.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

af2cac864d51827a760560a2d1df8fe8.exe

description ioc process

File opened (read-only) \??\f: af2cac864d51827a760560a2d1df8fe8.exe

description	ioc	process
File opened (read-only)	\??\f:	af2cac864d51827a760560a2d1df8fe8.exe

Drops file in Program Files directory 3 IoCs

Processes:

af2cac864d51827a760560a2d1df8fe8.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\RecoveryManual.html	af2cac864d51827a760560a2d1df8fe8.exe
File created	\??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RecoveryManual.html	af2cac864d51827a760560a2d1df8fe8.exe
File created	\??\c:\Program Files\RecoveryManual.html	af2cac864d51827a760560a2d1df8fe8.exe

Modifies registry class 5 IoCs

Processes:

af2cac864d51827a760560a2d1df8fe8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell\Open\command	af2cac864d51827a760560a2d1df8fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911	af2cac864d51827a760560a2d1df8fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell	af2cac864d51827a760560a2d1df8fe8.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell\Open	af2cac864d51827a760560a2d1df8fe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell\Open\command\ = "explorer.exe RecoveryManual.html"	af2cac864d51827a760560a2d1df8fe8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

af2cac864d51827a760560a2d1df8fe8.exe

pid process

2252 af2cac864d51827a760560a2d1df8fe8.exe
2252 af2cac864d51827a760560a2d1df8fe8.exe

pid	process
2252	af2cac864d51827a760560a2d1df8fe8.exe
2252	af2cac864d51827a760560a2d1df8fe8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

af2cac864d51827a760560a2d1df8fe8.exe

description	pid	process
Token: SeRestorePrivilege	2252	af2cac864d51827a760560a2d1df8fe8.exe
Token: SeDebugPrivilege	2252	af2cac864d51827a760560a2d1df8fe8.exe

C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe
"C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html
Filesize
2KB

MD5
9ca324c1523268d17a5b60383692936e

SHA1
97517091a6711303a02a50819f27029c5e85c598

SHA256
e85ec7ac3184f24ce7827060e241e9d45ee81c38e914d8553ab937a9e9573ce4

SHA512
72c9515102591f75cca5dbbcbc3b9d6f4d9a288e2787b577fab041964ee4852d19adffd0193582a73a5ce86996f1b1879e025e765dd142d6e7615598a4e1fd6e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads