Analysis
max time kernel: 141s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 18:30
Behavioral task: behavioral1
Sample: af2cac864d51827a760560a2d1df8fe8.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: af2cac864d51827a760560a2d1df8fe8.exe
Resource: win10v2004-20240226-en
General
Target: af2cac864d51827a760560a2d1df8fe8.exe
Size: 56KB
MD5: af2cac864d51827a760560a2d1df8fe8
SHA1: 651f6e8aeb91cf84eb809a3d0fdcf67ba80c8339
SHA256: 0fa0ad3dbf321d2c7c645aab928176d7a2d21b64d84d720829b67ad6c37381c7
SHA512: dbc929410cf09408086cdff6b5e03e143568296084929c19eefc045e5228676cbd40e6daaf3a39463c69ec87c1ca099f2f50dc92351cb802f3aa1642be205b86
SSDEEP: 384:mCBAxTKMjOGhjfUrCXTZZpwBKkt13qCKoNfkjWtvVM45hTLVftkcY0RrKeWJcqgz:mCBWKM6sLUG3KaCKoBKSvGc7VW2qnk
Malware Config
Signatures
- MountLocker Ransomware
  Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (25 IoCs)
  Processes: af2cac864d51827a760560a2d1df8fe8.exe
  description | ioc | process
  File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\Music\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
  File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | af2cac864d51827a760560a2d1df8fe8.exe
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: af2cac864d51827a760560a2d1df8fe8.exe
  description | ioc | process
  File opened (read-only) | \??\f: | af2cac864d51827a760560a2d1df8fe8.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: af2cac864d51827a760560a2d1df8fe8.exe
  description | ioc | process
  File created | \??\c:\Program Files\RecoveryManual.html | af2cac864d51827a760560a2d1df8fe8.exe
  File created | \??\c:\Program Files (x86)\RecoveryManual.html | af2cac864d51827a760560a2d1df8fe8.exe
- Modifies registry class (5 IoCs)
  Processes: af2cac864d51827a760560a2d1df8fe8.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.F30D4911\shell\Open\command | af2cac864d51827a760560a2d1df8fe8.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.F30D4911 | af2cac864d51827a760560a2d1df8fe8.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.F30D4911\shell | af2cac864d51827a760560a2d1df8fe8.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.F30D4911\shell\Open | af2cac864d51827a760560a2d1df8fe8.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.F30D4911\shell\Open\command\ = "explorer.exe RecoveryManual.html" | af2cac864d51827a760560a2d1df8fe8.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: af2cac864d51827a760560a2d1df8fe8.exe
  pid | process
  2100 | af2cac864d51827a760560a2d1df8fe8.exe
  2100 | af2cac864d51827a760560a2d1df8fe8.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: af2cac864d51827a760560a2d1df8fe8.exe
  description | pid | process
  Token: SeRestorePrivilege | 2100 | af2cac864d51827a760560a2d1df8fe8.exe
  Token: SeDebugPrivilege | 2100 | af2cac864d51827a760560a2d1df8fe8.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: af2cac864d51827a760560a2d1df8fe8.exe, cmd.exe
  description | pid | process | target process
  PID 2100 wrote to memory of 3680 | 2100 | af2cac864d51827a760560a2d1df8fe8.exe | cmd.exe
  PID 2100 wrote to memory of 3680 | 2100 | af2cac864d51827a760560a2d1df8fe8.exe | cmd.exe
  PID 2100 wrote to memory of 3680 | 2100 | af2cac864d51827a760560a2d1df8fe8.exe | cmd.exe
  PID 3680 wrote to memory of 2060 | 3680 | cmd.exe | attrib.exe
  PID 3680 wrote to memory of 2060 | 3680 | cmd.exe | attrib.exe
  PID 3680 wrote to memory of 2060 | 3680 | cmd.exe | attrib.exe
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E57D4E4.bat" "C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe""
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\af2cac864d51827a760560a2d1df8fe8.exe"
      - Views/modifies file attributes
- [level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3136,i,3192284747741020952,1225278682167953346,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Recovery\WindowsRE\RecoveryManual.html
  Filesize: 2KB
  MD5: 2e5b40c3b9a32a03a95ac90a486ec3b1
  SHA1: 480cd022a4a1b9cc08abda03818151075c60a61b
  SHA256: 5f3d43c68f2fefdb4bfa3f4cae0aafaedb2f172ed25b18890ed000815fd1ff60
  SHA512: 7d1c187130f476fc39a75848840aeab3e728cf0e4263071713fc4547446bfce01694a03f42aa7c3791e12c778e16cf9f7febd297babefd002bc6ec3229762360
- C:\Users\Admin\AppData\Local\Temp\0E57D4E4.bat
  Filesize: 65B
  MD5: 348cae913e496198548854f5ff2f6d1e
  SHA1: a07655b9020205bd47084afd62a8bb22b48c0cdc
  SHA256: c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
  SHA512: 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611