Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-02-2024 18:30
Behavioral task behavioral1
- Sample: af2cac864d51827a760560a2d1df8fe8.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: af2cac864d51827a760560a2d1df8fe8.exe
- Resource: win10v2004-20240226-en
General
- Target: af2cac864d51827a760560a2d1df8fe8.exe
- Size: 56KB
- MD5: af2cac864d51827a760560a2d1df8fe8
- SHA1: 651f6e8aeb91cf84eb809a3d0fdcf67ba80c8339
- SHA256: 0fa0ad3dbf321d2c7c645aab928176d7a2d21b64d84d720829b67ad6c37381c7
- SHA512: dbc929410cf09408086cdff6b5e03e143568296084929c19eefc045e5228676cbd40e6daaf3a39463c69ec87c1ca099f2f50dc92351cb802f3aa1642be205b86
- SSDEEP: 384:mCBAxTKMjOGhjfUrCXTZZpwBKkt13qCKoNfkjWtvVM45hTLVftkcY0RrKeWJcqgz:mCBWKM6sLUG3KaCKoBKSvGc7VW2qnk
Malware Config
Signatures
- MountLocker Ransomware
  Ransomware family first seen in late 2020, which threatens to leak files if the ransom is not paid.
- Drops desktop.ini file(s) (5 IoCs)
  Process: af2cac864d51827a760560a2d1df8fe8.exe
  - File opened for modification: \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7GHXBWM1\desktop.ini
  - File opened for modification: \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  - File opened for modification: \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GE3X1LT6\desktop.ini
  - File opened for modification: \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IXEVUZVE\desktop.ini
  - File opened for modification: \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J171AZTC\desktop.ini
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: af2cac864d51827a760560a2d1df8fe8.exe
  - File opened (read-only): \??\f:
- Drops file in Program Files directory (3 IoCs)
  Process: af2cac864d51827a760560a2d1df8fe8.exe
  - File created: \??\c:\Program Files (x86)\RecoveryManual.html
  - File created: \??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RecoveryManual.html
  - File created: \??\c:\Program Files\RecoveryManual.html
- Modifies registry class (5 IoCs)
  Process: af2cac864d51827a760560a2d1df8fe8.exe
  - Key created: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell\Open\command
  - Key created: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911
  - Key created: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell
  - Key created: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell\Open
  - Set value (str): \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.F30D4911\shell\Open\command\ = "explorer.exe RecoveryManual.html"
  A shell\Open\command value under a per-user class key for the .F30D4911 extension makes opening any file with that extension launch RecoveryManual.html in explorer.exe; the per-user _CLASSES hive and the unusual extension are the points to check when triaging a host.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: af2cac864d51827a760560a2d1df8fe8.exe
  - pid 2252: af2cac864d51827a760560a2d1df8fe8.exe
  - pid 2252: af2cac864d51827a760560a2d1df8fe8.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: af2cac864d51827a760560a2d1df8fe8.exe (pid 2252)
  - Token: SeRestorePrivilege
  - Token: SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html
  - Filesize: 2KB
  - MD5: 9ca324c1523268d17a5b60383692936e
  - SHA1: 97517091a6711303a02a50819f27029c5e85c598
  - SHA256: e85ec7ac3184f24ce7827060e241e9d45ee81c38e914d8553ab937a9e9573ce4
  - SHA512: 72c9515102591f75cca5dbbcbc3b9d6f4d9a288e2787b577fab041964ee4852d19adffd0193582a73a5ce86996f1b1879e025e765dd142d6e7615598a4e1fd6e