Overview

overview

10

Static

static

3

226a723ffb...f2.exe

windows7-x64

10

226a723ffb...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe

  • Size

    200KB

  • MD5

    c2671bf5b5dedbfd3cfe3f0f944fbe01

  • SHA1

    da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

  • SHA256

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

  • SHA512

    256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

  • SSDEEP

    1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00

Score
10/10
mountlockerransomware

Malware Config

Extracted

Path

C:\Program Files\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> aa0a8ea69e22c4a789b451ab4101d8502596b906dfba03cbe00577a9cc00a154 </pre> </b> <hr/> <b>/!\ YOUR NETWORK HAS BEEN HACKED /!\<br> All your important files have been encrypted!</b><br> <hr/> Your files are safe! Only encrypted.<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> You can send us 2-3 files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> Also we gathered highly confidential/personal data from your network. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you won't pay, we will release your data to public or reseller.<br> So you can expect your data to be published or improperly used in the near future.<br> In this case you will face all legal and reputational consequences of the leak.<br> We only desire to get a ransom and we don't aim to damage your reputation or destroy<br> your business.<br><br> <hr/> <b>Contact us to discuss your next step.</b><br><br> <a href="http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8502596b906dfba03cbe00577a9cc00a154">http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8502596b906dfba03cbe00577a9cc00a154</a><br> * Note that this server is only available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8502596b906dfba03cbe00577a9cc00a154". <br> 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <br><br> <hr/> <b>If you can`t use the above link, use the email:</b><br> <a href="mailto:SloanAlbert@protonmail.com">SloanAlbert@protonmail.com</a><br> Please note, sometimes our support is away from keyboard, but we will reply shortly.<br> Kindly advise you to contact us as soon as possible.<br></b><br> </body> </html>
Emails

href="mailto:SloanAlbert@protonmail.com">SloanAlbert@protonmail.com</a><br>

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    ransomwaremountlocker
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe
    "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='3068';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~240613500.tmp')|iex
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E57DC46.bat" "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.exe"
        3⤵
        • Views/modifies file attributes
        PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\RecoveryManual.html
    Filesize

    2KB

    MD5

    4e61e622e8f17a1be931d770604e230a

    SHA1

    d9ea68e78c45f6ac74df2cbbb869ab66616e0e70

    SHA256

    a4efa650ebc939fcf98cc3b0680cfe30320f478e08e943b5b9939cf5db2fa1d7

    SHA512

    2eb72845bac600cee0d837094022222eb5a8f47be6224bd359573029d94d10b981fab90107e983cf25644f3685e56e22b0763dc57d4d7502d3e25d6cef0270e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\0E57DC46.bat
    Filesize

    65B

    MD5

    348cae913e496198548854f5ff2f6d1e

    SHA1

    a07655b9020205bd47084afd62a8bb22b48c0cdc

    SHA256

    c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

    SHA512

    799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grxkgrvn.mci.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~240613500.tmp
    Filesize

    4KB

    MD5

    4e1a1e3e715c291c71950d2fdc79e2be

    SHA1

    dc2b3d20a9ec88e0d8d75c5097154687acc42983

    SHA256

    acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

    SHA512

    d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

    Download Submit
  • memory/1344-63-0x0000000007560000-0x00000000075F6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1344-65-0x00000000074E0000-0x00000000074EE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1344-45-0x0000000006470000-0x000000000648A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1344-73-0x0000000074DB0000-0x0000000075560000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1344-70-0x0000000008480000-0x0000000008A24000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1344-69-0x0000000007600000-0x0000000007622000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1344-44-0x0000000007850000-0x0000000007ECA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1344-68-0x0000000007530000-0x0000000007538000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1344-67-0x0000000007540000-0x000000000755A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1344-66-0x00000000074F0000-0x0000000007504000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1344-64-0x00000000074C0000-0x00000000074D1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1344-62-0x0000000007340000-0x000000000734A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1344-24-0x0000000074DB0000-0x0000000075560000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1344-23-0x0000000004980000-0x00000000049B6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1344-25-0x0000000004A00000-0x0000000004A10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1344-26-0x0000000004A00000-0x0000000004A10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1344-27-0x0000000005040000-0x0000000005668000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1344-28-0x0000000004F50000-0x0000000004F72000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1344-61-0x0000000007240000-0x00000000072E3000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1344-30-0x00000000056E0000-0x0000000005746000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1344-60-0x0000000004A00000-0x0000000004A10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1344-40-0x00000000059E0000-0x0000000005D34000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1344-41-0x0000000005F00000-0x0000000005F1E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1344-42-0x0000000005F40000-0x0000000005F8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1344-29-0x0000000005670000-0x00000000056D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1344-58-0x0000000007210000-0x000000000722E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1344-59-0x0000000004A00000-0x0000000004A10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1344-46-0x000000007FB60000-0x000000007FB70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1344-47-0x00000000071D0000-0x0000000007202000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1344-48-0x0000000070C30000-0x0000000070C7C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3068-11-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3068-21-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-8559-0x0000000002CB0000-0x0000000002CBF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3068-10-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-7-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-2-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-16-0x0000000002CB0000-0x0000000002CBF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3068-13-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-15-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-4-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-6-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-14-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-5-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-9-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-74-0x0000000002CB0000-0x0000000002CBF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3068-76-0x0000000002CB0000-0x0000000002CBF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3068-77-0x0000000002CB0000-0x0000000002CBF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3068-3-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-4598-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3068-8-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-12-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
    Filesize

    8KB

    Download