Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/07/2024, 05:46

General

  • Target

    locker.exe

  • Size

    96KB

  • MD5

    f2968d0ef2c95f2a2dfb8740b6a2df3f

  • SHA1

    57db6387ab42a51e185bbbf7d54bdfef2541b59c

  • SHA256

    25e41d0a73121a4314df3ce977d182739f592d168999cfa6cd0b8eb69c0e6ebe

  • SHA512

    df35537fc5792cfae0c268c0b8ba49afb62a0672cd83bfe2ab899b85079423b1aa14d2a25b0c72f3b884315e35bbb7b53543780f212bdb67b105a2953a667d09

  • SSDEEP

    768:kCq6+Ae2btbSbEdAp5pAFBkmT2flfuFbMg:HT+ADtbSbeupmymT2flfu9Mg

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Recovery.txt

Ransom Note
Greetings,

We regret to inform you that your data has been encrypted by Mesmerised Locker as part of a sophisticated global attack utilizing zero-day exploits. We understand that this situation is stressful and are here to guide you through the recovery process.

What Happened:

Encryption: Your files have been secured using state-of-the-art encryption algorithms: ChaCha20, AES-256, and RSA-4096. These methods are recognized for their high security and are employed by governments and institutions worldwide. Detailed information on these encryption methods can be found here:
- ChaCha20: https://en.wikipedia.org/wiki/Salsa20
- AES-256: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
- RSA-4096: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

Data Theft: In addition to encryption, we have exfiltrated sensitive data, including personal messages and confidential information.

Our Intentions:

Decryption Offer: To demonstrate our capability to restore your data, we are willing to decrypt 2-3 files at no cost.

Payment: To obtain the decryption key for your data, we request a payment of $50 or an equivalent item. This fee reflects the scale and complexity of our operation.

How to Proceed:

1. Contact Us: To initiate communication, use session ID 050126e07b2964020ad7242a12a63a3476f22a3956877fd8a7f2d3a01bb1140759. Download the Session app from https://getsession.org to contact us securely.
2. Payment: Upon establishing contact, we will provide instructions for making the payment. Once the payment is confirmed, we will supply the decryption key and detailed instructions for data recovery.

Consequences of Non-Compliance:

Data Exposure: Failure to comply with our demands will result in the dissemination of your sensitive data to your contacts and potentially the public.

Data Loss: Attempting to use third-party tools for decryption may result in irreversible data loss. Our advanced encryption methods ensure that recovery is impossible without the correct decryption key.

System Integrity: Restoring your PC using a bootable drive or cloud service will be ineffective. Our bootkits are designed to persist on your system. More information on bootkits can be found here: https://en.wikipedia.org/wiki/Bootkit Even if you attempt to reset your PC, the remote access tool (RAT) and rootkit we have installed will enable us to maintain control. For more details on rootkits, visit https://en.wikipedia.org/wiki/Rootkit.

Scam Warning: Beware of third-party services that claim they can decrypt your data. Independent research will confirm that decrypting ransomware is infeasible without the correct key. Once we receive your payment, the decryptor will be provided to you immediately.

Sincerely,
Mesmerised Locker Team
URLs

https://getsession.org

Signatures

  • Renames multiple (101) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\locker.exe
    "C:\Users\Admin\AppData\Local\Temp\locker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Users\Admin\AppData\Local\rundll64.exe
      "C:\Users\Admin\AppData\Local\rundll64.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2460

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\rundll64.exe

          Filesize

          96KB

          MD5

          f2968d0ef2c95f2a2dfb8740b6a2df3f

          SHA1

          57db6387ab42a51e185bbbf7d54bdfef2541b59c

          SHA256

          25e41d0a73121a4314df3ce977d182739f592d168999cfa6cd0b8eb69c0e6ebe

          SHA512

          df35537fc5792cfae0c268c0b8ba49afb62a0672cd83bfe2ab899b85079423b1aa14d2a25b0c72f3b884315e35bbb7b53543780f212bdb67b105a2953a667d09

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Recovery.txt

          Filesize

          2KB

          MD5

          33fa7f974c7416c004ecdddd738a4a8f

          SHA1

          91ddb3c29a9c7c4bcd2d9ae5efa9964326cfc4d7

          SHA256

          45697d057cecfb17a19edd6b744ee0797553bba1e94e39cf1a26414a2b034c6d

          SHA512

          37f23c37a9ca21ac7eb7e05d0b5db0d2e4f3302b181fd3bad9fd07d143c86274016e72301b67d58b7a94f906c373d6cec02cf20152d45c9dc4f7863a6a8297c1

        • memory/2460-60-0x00007FF8820D0000-0x00007FF882B91000-memory.dmp

          Filesize

          10.8MB

        • memory/2460-83-0x00007FF8820D0000-0x00007FF882B91000-memory.dmp

          Filesize

          10.8MB

        • memory/2460-330-0x00007FF8820D0000-0x00007FF882B91000-memory.dmp

          Filesize

          10.8MB

        • memory/2460-331-0x00007FF8820D0000-0x00007FF882B91000-memory.dmp

          Filesize

          10.8MB

        • memory/4716-1-0x00007FF8820D3000-0x00007FF8820D5000-memory.dmp

          Filesize

          8KB

        • memory/4716-0-0x00000000000C0000-0x00000000000DE000-memory.dmp

          Filesize

          120KB