mountlocker | e22b5ecbdbe9443e99e242c63163ba60cf46b67582a2c07999f2f06a450d77f3

General

Target

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Size

200KB
MD5

c2671bf5b5dedbfd3cfe3f0f944fbe01
SHA1

da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
SHA256

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
SHA512

256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9
SSDEEP

1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00

Score

10^/10

mountlocker ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note

<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <pre> aa0a8ea69e22c4a789b451ab4101d8503085a602d1a403c2e00577a9cc00a162 </pre> <hr/> /!\ YOUR NETWORK HAS BEEN HACKED /!\ All your important files have been encrypted! <hr/> Your files are safe! Only encrypted. ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. You can send us 2-3 files and we will decrypt it for free to prove we are able to give your files back. Also we gathered highly confidential/personal data from your network. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you won't pay, we will release your data to public or reseller. So you can expect your data to be published or improperly used in the near future. In this case you will face all legal and reputational consequences of the leak. We only desire to get a ransom and we don't aim to damage your reputation or destroy your business. <hr/> Contact us to discuss your next step. <a href="http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503085a602d1a403c2e00577a9cc00a162">http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503085a602d1a403c2e00577a9cc00a162</a> * Note that this server is only available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8503085a602d1a403c2e00577a9cc00a162". 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <hr/> If you can`t use the above link, use the email: <a href="mailto:[email protected]">[email protected]</a> Please note, sometimes our support is away from keyboard, but we will reply shortly. Kindly advise you to contact us as soon as possible. </body> </html>

Emails

href="mailto:[email protected]">[email protected]</a>

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1168 cmd.exe

pid	process
1168	cmd.exe

Drops desktop.ini file(s) 36 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Hearts\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description ioc process

File opened (read-only) \??\f: 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File opened (read-only)	\??\f:	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Drops file in Program Files directory 64 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
File created	\??\c:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196110.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00494_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.FR.XML	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OCEAN_01.MID	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\az.txt	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GreenTea.css	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Windows Sidebar\en-US\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL108.XML	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\intf\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR26F.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\include\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152600.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251871.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_F_COL.HXK	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\7-Zip\7-zip.chm	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusOnline.ico	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File created	\??\c:\Program Files\Microsoft Games\Hearts\ja-JP\RecoveryManual.html	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241037.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2676 vssadmin.exe

pid	process
2676	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.EF9E23B4\shell	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.EF9E23B4\shell\Open	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.EF9E23B4\shell\Open\command\ = "explorer.exe RecoveryManual.html"	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.EF9E23B4\shell\Open\command	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.EF9E23B4	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2540 powershell.exe

pid	process
2540	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exe226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

description	pid	process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeBackupPrivilege	2444	vssvc.exe
Token: SeRestorePrivilege	2444	vssvc.exe
Token: SeAuditPrivilege	2444	vssvc.exe
Token: SeTakeOwnershipPrivilege	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
Token: SeRestorePrivilege	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

pid process

2024 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

pid	process
2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exepowershell.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 2540	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 2024 wrote to memory of 2540	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 2024 wrote to memory of 2540	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 2024 wrote to memory of 2540	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	powershell.exe
PID 2540 wrote to memory of 2676	2540	powershell.exe	vssadmin.exe
PID 2540 wrote to memory of 2676	2540	powershell.exe	vssadmin.exe
PID 2540 wrote to memory of 2676	2540	powershell.exe	vssadmin.exe
PID 2540 wrote to memory of 2676	2540	powershell.exe	vssadmin.exe
PID 2024 wrote to memory of 1168	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 2024 wrote to memory of 1168	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 2024 wrote to memory of 1168	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 2024 wrote to memory of 1168	2024	226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe	cmd.exe
PID 1168 wrote to memory of 596	1168	cmd.exe	attrib.exe
PID 1168 wrote to memory of 596	1168	cmd.exe	attrib.exe
PID 1168 wrote to memory of 596	1168	cmd.exe	attrib.exe
PID 1168 wrote to memory of 596	1168	cmd.exe	attrib.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

596 attrib.exe

pid	process
596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
"C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden -c $mypid='2024';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259398743.tmp')|iex
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F769FD8.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
3⤵
- Views/modifies file attributes
PID:596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html
Filesize
2KB

MD5
0444b2b0f5b1aaf8a64d2e981aaa8c07

SHA1
44872b32a293899d5a50f8df8d45cfaf24f76ab5

SHA256
69429897e07a4234c2f0c759adaa03a5f9bf15f5a06d59af13c5fa53ea525c9e

SHA512
f8fd4f9b5f5374db936e1170bc94e6dc5008e83227d41cd3c3a8dfa6ff2c511b1a536b9abc9e54175fdd53aa47163ff0fc6aba8cc9b69a7a3705b1245034fd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F769FD8.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\~259398743.tmp
Filesize
4KB

MD5
4e1a1e3e715c291c71950d2fdc79e2be

SHA1
dc2b3d20a9ec88e0d8d75c5097154687acc42983

SHA256
acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

SHA512
d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

Download Submit
memory/2024-16-0x00000000038A0000-0x00000000038AF000-memory.dmp

Filesize
60KB

Download
memory/2024-31-0x00000000038A0000-0x00000000038AF000-memory.dmp

Filesize
60KB

Download
memory/2024-15-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-14-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-13-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-12-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-11-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-10-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-9-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-8-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-2-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-21-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-3-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-10949-0x00000000038A0000-0x00000000038AF000-memory.dmp

Filesize
60KB

Download
memory/2024-6725-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-4-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-5-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-35-0x00000000038A0000-0x00000000038AF000-memory.dmp

Filesize
60KB

Download
memory/2024-6-0x0000000003400000-0x0000000003402000-memory.dmp

Filesize
8KB

Download
memory/2024-32-0x00000000038A0000-0x00000000038AF000-memory.dmp

Filesize
60KB

Download
memory/2540-30-0x0000000073DC0000-0x000000007436B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-28-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2540-27-0x0000000073DC0000-0x000000007436B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-26-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2540-25-0x0000000073DC0000-0x000000007436B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads