Overview

overview

10

Static

static

10

d01048c32a...97.dll

windows7-x64

10

d01048c32a...97.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-03-2024 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d01048c32a640bba23ed9dfdadd255f225fa5c68ad690e00221500949333ae97.dll

  • Size

    981KB

  • MD5

    6a72fe78139b79885be94f4bad7edbb8

  • SHA1

    77948ecf0a7114b44d57d51bcea8ecc63263f632

  • SHA256

    d01048c32a640bba23ed9dfdadd255f225fa5c68ad690e00221500949333ae97

  • SHA512

    43e33153ccfcc76815ddecc43c19714d957aac1dedbd192748f25d86bf096a556a3f4a589e0b7f8f3fa3ee34ab6d75cac49539839ec195396f5d0de84b2b357d

  • SSDEEP

    6144:getwmCnyadCadladGadkad6gadlJad0adZjHad/:rtqyacaHaMa+aEgaXJaqaLjHaR

Score
10/10
mountlockerransomware

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> 92de476f40844b5ed6b3f2599f604fc16a27997e24dd976c4fbff72b1f81f646 </pre> </b> <hr/> <b>/!\ YOUR NETWORK HAS BEEN HACKED /!\<br> All your important files have been encrypted!</b><br> <hr/> Your files are safe! Only encrypted.<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> You can send us 2-3 files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> Also we gathered highly confidential/personal data from your network. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you won't pay, we will release your data to public or reseller.<br> So you can expect your data to be published or improperly used in the near future.<br> In this case you will face all legal and reputational consequences of the leak.<br> We only desire to get a ransom and we don't aim to damage your reputation or destroy<br> your business.<br><br> <hr/> <b>Contact us to discuss your next step.</b><br><br> <a href="http://54rz3un5etl3wxc4ckffvnlwleg5s3d4fexv4pir6qacedubmgi7knqd.onion/?cid=92de476f40844b5ed6b3f2599f604fc16a27997e24dd976c4fbff72b1f81f646">http://54rz3un5etl3wxc4ckffvnlwleg5s3d4fexv4pir6qacedubmgi7knqd.onion/?cid=92de476f40844b5ed6b3f2599f604fc16a27997e24dd976c4fbff72b1f81f646</a><br> * Password field could be blank <br><br> * Note that this server is only available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "http://54rz3un5etl3wxc4ckffvnlwleg5s3d4fexv4pir6qacedubmgi7knqd.onion/?cid=92de476f40844b5ed6b3f2599f604fc16a27997e24dd976c4fbff72b1f81f646". <br> 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <br><br> <hr/> Please note, sometimes our support is away from keyboard, but we will reply shortly.<br> Kindly advise you to contact us as soon as possible.<br></b><br> </body> </html>

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Drops desktop.ini file(s) 25 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d01048c32a640bba23ed9dfdadd255f225fa5c68ad690e00221500949333ae97.dll
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E574016.bat" "C:\Users\Admin\AppData\Local\Temp\d01048c32a640bba23ed9dfdadd255f225fa5c68ad690e00221500949333ae97.dll""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\d01048c32a640bba23ed9dfdadd255f225fa5c68ad690e00221500949333ae97.dll"
        3⤵
        • Views/modifies file attributes
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\WindowsRE\RecoveryManual.html
    Filesize

    2KB

    MD5

    f59a532319772a791cbcb0e46334d943

    SHA1

    d86fd73091f3de9647c322bc231a8fcebffe692c

    SHA256

    081771e003a65fe09e6875127b3a19d962205174bbb603c811299cdb76cc7426

    SHA512

    6393dca2e4eee984a67596835f5c03c230a2575a0cf0a4f918e56d7fa8eabc34dc5240aef37f6ead028c4503a5f48e69f810a9e217e5b7962b783d1371c4512c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\0E574016.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit