Behavioral task behavioral1: Sample af2cac864d51827a760560a2d1df8fe8.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample af2cac864d51827a760560a2d1df8fe8.exe, Resource win10v2004-20240226-en
General
Target: af2cac864d51827a760560a2d1df8fe8
Size: 56KB
MD5: af2cac864d51827a760560a2d1df8fe8
SHA1: 651f6e8aeb91cf84eb809a3d0fdcf67ba80c8339
SHA256: 0fa0ad3dbf321d2c7c645aab928176d7a2d21b64d84d720829b67ad6c37381c7
SHA512: dbc929410cf09408086cdff6b5e03e143568296084929c19eefc045e5228676cbd40e6daaf3a39463c69ec87c1ca099f2f50dc92351cb802f3aa1642be205b86
SSDEEP: 384:mCBAxTKMjOGhjfUrCXTZZpwBKkt13qCKoNfkjWtvVM45hTLVftkcY0RrKeWJcqgz:mCBWKM6sLUG3KaCKoBKSvGc7VW2qnk
Malware Config
Signatures
Detected Mount Locker ransomware (1 IoC): YARA rule RANSOM_mountlocker matched on resource sample
Mountlocker family
Unsigned PE (1 IoC): checks for missing Authenticode signature; resource af2cac864d51827a760560a2d1df8fe8
Files
-
af2cac864d51827a760560a2d1df8fe8.exe windows:5 windows x86 arch:x86
e9950ff9278b3c40727057ec247800dd
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
user32: wsprintfW
shlwapi: StrCmpNIW, StrStrIW, StrChrW, StrCmpIW, SHRegSetUSValueW, StrStrIA
oleaut32: SysAllocString, SysFreeString
netapi32: NetGetJoinInformation, NetApiBufferFree, NetShareEnum, NetGetDCName
shell32: CommandLineToArgvW, ord680
msvcrt: fgetws, feof, _vsnwprintf, _getch, _wfopen, fclose, memcpy, memset
activeds: ord9
kernel32: InitializeCriticalSection, AllocConsole, WriteConsoleW, DeleteCriticalSection, SetConsoleCursorPosition, lstrlenW, lstrcatW, HeapAlloc, GetProcessHeap, lstrcpyW, GetVolumeInformationW, FindFirstFileW, HeapFree, FindNextFileW, FindClose, GetLastError, WriteFile, CreateFileW, CloseHandle, SetLastError, HeapReAlloc, GetCurrentProcessId, WideCharToMultiByte, Sleep, GetTickCount, QueryPerformanceFrequency, QueryPerformanceCounter, GetCurrentProcess, ReleaseSemaphore, WaitForSingleObject, GetTickCount64, SetEvent, CreateThread, CreateSemaphoreA, CreateEventA, DeviceIoControl, SetFileAttributesW, lstrcmpiW, TerminateThread, ResetEvent, ReadFile, GetFileSizeEx, TlsSetValue, SetEndOfFile, SetFileInformationByHandle, SetFilePointerEx, LeaveCriticalSection, GetDriveTypeW, GetCommandLineW, ExitProcess, SetErrorMode, lstrlenA, TlsAlloc, GetComputerNameA, TerminateProcess, OpenProcess, lstrcmpiA, GetModuleFileNameW, GetTempPathW, CreateProcessW, GetSystemInfo, GetComputerNameW, GlobalMemoryStatus, DeleteFileW, CopyFileW, GetConsoleScreenBufferInfo, EnterCriticalSection, GetStdHandle, TlsGetValue
advapi32: CryptAcquireContextW, OpenServiceA, CryptImportKey, CryptReleaseContext, StartServiceW, CryptEncrypt, CryptDestroyKey, GetUserNameW, LookupAccountSidW, GetTokenInformation, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, EnumServicesStatusA, CreateServiceW, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, DeleteService, QueryServiceStatusEx
ole32: CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoSetProxyBlanket
ntdll: RtlGetNativeSystemInformation, ZwQuerySystemInformation, RtlGetVersion
mpr: WNetAddConnection2W, WNetEnumResourceW, WNetCloseEnum, WNetOpenEnumW, WNetCancelConnection2W
Sections
.text (Size: 19KB, Virtual size: 18KB): IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
bss (Size: -, Virtual size: 104B): IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata (Size: 18KB, Virtual size: 17KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data (Size: 16KB, Virtual size: 17KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc (Size: 2KB, Virtual size: 1KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ