Overview

overview

10

Static

static

10

ed6e716945...18.dll

windows7-x64

10

ed6e716945...18.dll

windows10-2004-x64

10

Resubmissions

30-04-2024 05:29

240430-f6xncade75 10

11-04-2024 13:06

240411-qb4taafb9w 10

11-04-2024 12:33

240411-pq9seaeg2z 10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-04-2024 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll

  • Size

    56KB

  • MD5

    ed6e7169456ef1f41f6a45812dda7d98

  • SHA1

    c82733e2d394b272db6cbf49aa8a1207c8d9fb87

  • SHA256

    85b53edb2e3476bdb29f98bd19c56baa0205e6620917e654cbe81c9745d6193d

  • SHA512

    0e7d3dbe68de4301501df68b1eeb36bf68ca3ea61091710352f68f09f8f9b8b96888ccb2419330b2fbd7b592bd98b583aaea818345c87d591b9b0a96845b8d87

  • SSDEEP

    768:65h+QW4yKs5INTjabOSQwrPG12nFb5GnVWs6k:63XWNKQ2jnSQyNnFbgN

Score
10/10
mountlockerransomware

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 32 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
      2⤵
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F763FAF.bat" "C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll"
          4⤵
          • Views/modifies file attributes
          PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html
    Filesize

    2KB

    MD5

    c05a2821a9fc97a54568466d95a4ad92

    SHA1

    f74925d9af5d063e61903d9856527c00911571d1

    SHA256

    530af8a0154f6c632ccf0982ee8f22060bd8e3b3c66f38b9a7155a89b7a0e333

    SHA512

    9a35b2cc667444f63491bfc5e69b1178e0137c64247358295c3abf136c0489aaa3480ba8a9afec4f3618ffec6ca20b63c0bd8782905bffe866251640038b1964

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\0F763FAF.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit