Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview (overall score: 10)

Task tabs (score per task; same order as the Static and Behavioral tasks listed under Analysis):
  Static                 static                      10
  Ransomware...KB.exe    windows10-ltsc_2021-x64     7
  Ransomware...KB.exe    windows7-x64                10
  Ransomware...KB.exe    windows10-2004-x64          7
  Ransomware...KB.exe    windows10-ltsc_2021-x64     7
  Ransomware...KB.exe    windows11-21h2-x64          7
  Ransomware...KB.exe    windows10-ltsc_2021-x64     10
  Ransomware...KB.exe    windows7-x64                10
  Ransomware...KB.exe    windows10-2004-x64          10
  Ransomware...KB.exe    windows10-ltsc_2021-x64     10
  Ransomware...KB.exe    windows11-21h2-x64          10
  Ransomware...KB.exe    windows7-x64                10
  Ransomware...KB.exe    windows7-x64                10
  Ransomware...KB.exe    windows10-2004-x64          10
  Ransomware...KB.exe    windows10-ltsc_2021-x64     10
  Ransomware...KB.exe    windows11-21h2-x64          10
  Ransomware...KB.exe    windows10-2004-x64          9
  Ransomware...KB.exe    windows7-x64                9
  Ransomware...KB.exe    windows10-2004-x64          9
  Ransomware...KB.exe    windows10-ltsc_2021-x64     9
  Ransomware...KB.exe    windows11-21h2-x64          9
  Ransomware...KB.exe    windows11-21h2-x64          9
  Ransomware...KB.exe    windows7-x64                9
  Ransomware...KB.exe    windows10-2004-x64          9
  Ransomware...KB.exe    windows10-ltsc_2021-x64     9
  Ransomware...KB.exe    windows11-21h2-x64          9
  Ransomware...KB.ps1    windows11-21h2-x64          10
  Ransomware...KB.ps1    windows7-x64                10
  Ransomware...KB.ps1    windows10-2004-x64          10
  Ransomware...KB.ps1    windows10-ltsc_2021-x64     10
  Ransomware...KB.ps1    windows11-21h2-x64          10

Resubmissions (submitted, analysis ID, score)
  25/03/2025, 15:11   250325-skmbpsxzaw   10
  25/03/2025, 15:06   250325-sg1d6a1px2   10
  25/03/2025, 15:01   250325-sd5jpsxyct   10
  25/03/2025, 14:56   250325-sbdcfaxxgs   10
  25/03/2025, 14:50   250325-r7ve6a1nv3   10
  25/03/2025, 14:46   250325-r5ab7sxwhx   10
  25/03/2025, 14:40   250325-r2c9paxwe1   10
  05/02/2025, 10:25   250205-mgcefaslhw   10
  05/02/2025, 10:17   250205-mbs51atmbk   10
  05/02/2025, 09:15   250205-k785zs1pfn   10

Analysis
  max time kernel: 120s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 25/03/2025, 14:56
Static task
  static1

Behavioral tasks (task, sample, resource)
  behavioral1    RansomwareSamples/MAKOP_27_10_2020_115KB.exe          win10ltsc2021-20250314-en
  behavioral2    RansomwareSamples/MAKOP_27_10_2020_115KB.exe          win7-20241010-en
  behavioral3    RansomwareSamples/MAKOP_27_10_2020_115KB.exe          win10v2004-20250314-en
  behavioral4    RansomwareSamples/MAKOP_27_10_2020_115KB.exe          win10ltsc2021-20250314-en
  behavioral5    RansomwareSamples/MAKOP_27_10_2020_115KB.exe          win11-20250313-en
  behavioral6    RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe   win10ltsc2021-20250314-en
  behavioral7    RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe   win7-20240903-en
  behavioral8    RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe   win10v2004-20250314-en
  behavioral9    RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe   win10ltsc2021-20250314-en
  behavioral10   RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe   win11-20250313-en
  behavioral11   RansomwareSamples/MountLocker_20_11_2020_200KB.exe    win7-20241010-en
  behavioral12   RansomwareSamples/MountLocker_20_11_2020_200KB.exe    win7-20250207-en
  behavioral13   RansomwareSamples/MountLocker_20_11_2020_200KB.exe    win10v2004-20250314-en
  behavioral14   RansomwareSamples/MountLocker_20_11_2020_200KB.exe    win10ltsc2021-20250314-en
  behavioral15   RansomwareSamples/MountLocker_20_11_2020_200KB.exe    win11-20250313-en
  behavioral16   RansomwareSamples/Nefilim_31_08_2020_3061KB.exe       win10v2004-20250314-en
  behavioral17   RansomwareSamples/Nefilim_31_08_2020_3061KB.exe       win7-20240903-en
  behavioral18   RansomwareSamples/Nefilim_31_08_2020_3061KB.exe       win10v2004-20250314-en
  behavioral19   RansomwareSamples/Nefilim_31_08_2020_3061KB.exe       win10ltsc2021-20250314-en
  behavioral20   RansomwareSamples/Nefilim_31_08_2020_3061KB.exe       win11-20250313-en
  behavioral21   RansomwareSamples/Nemty_03_02_2021_124KB.exe          win11-20250314-en
  behavioral22   RansomwareSamples/Nemty_03_02_2021_124KB.exe          win7-20241023-en
  behavioral23   RansomwareSamples/Nemty_03_02_2021_124KB.exe          win10v2004-20250314-en
  behavioral24   RansomwareSamples/Nemty_03_02_2021_124KB.exe          win10ltsc2021-20250314-en
  behavioral25   RansomwareSamples/Nemty_03_02_2021_124KB.exe          win11-20250313-en
  behavioral26   RansomwareSamples/NetWalker_19_10_2020_903KB.ps1      win11-20250313-en
  behavioral27   RansomwareSamples/NetWalker_19_10_2020_903KB.ps1      win7-20241010-en
  behavioral28   RansomwareSamples/NetWalker_19_10_2020_903KB.ps1      win10v2004-20250314-en
  behavioral29   RansomwareSamples/NetWalker_19_10_2020_903KB.ps1      win10ltsc2021-20250314-en
  behavioral30   RansomwareSamples/NetWalker_19_10_2020_903KB.ps1      win11-20250313-en
General
  Target: RansomwareSamples/MountLocker_20_11_2020_200KB.exe
  Size: 200KB
  MD5: c2671bf5b5dedbfd3cfe3f0f944fbe01
  SHA1: da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
  SHA256: 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
  SHA512: 256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9
  SSDEEP: 1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html
  href="mailto:[email protected]">[email protected]</a><br>
Signatures
- MountLocker Ransomware
  Ransomware family first seen in late 2020, which threatens to leak files if the ransom is not paid.
- Mountlocker family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with its display window hidden.
    PID 2792  powershell.exe
- Drops desktop.ini file(s) (10 IoCs)
  Every entry is "File opened for modification" by MountLocker_20_11_2020_200KB.exe:
    \??\c:\Program Files\Microsoft Games\Chess\desktop.ini
    \??\c:\Program Files\Microsoft Games\Hearts\desktop.ini
    \??\c:\Program Files\Microsoft Games\Purble Place\desktop.ini
    \??\c:\Program Files\Microsoft Games\Solitaire\desktop.ini
    \??\c:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
    \??\c:\Program Files (x86)\desktop.ini
    \??\c:\Program Files\desktop.ini
    \??\c:\Program Files\Microsoft Games\FreeCell\desktop.ini
    \??\c:\Program Files\Microsoft Games\Mahjong\desktop.ini
    \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
    File opened (read-only)  \??\f:  MountLocker_20_11_2020_200KB.exe
- Drops file in Program Files directory (64 IoCs)
  Every entry is by MountLocker_20_11_2020_200KB.exe; "modified" = File opened for modification, "created" = File created:
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml
    modified  \??\c:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati
    modified  \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css
    created   \??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\RecoveryManual.html
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01905_.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL
    modified  \??\c:\Program Files\Java\jre7\lib\zi\Etc\GMT+3
    modified  \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00790_.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01291_.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00737_.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00298_.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15168_.GIF
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar
    created   \??\c:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\RecoveryManual.html
    created   \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\RecoveryManual.html
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107468.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg
    modified  \??\c:\Program Files\Java\jre7\COPYRIGHT
    modified  \??\c:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\gadget.xml
    modified  \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF
    modified  \??\c:\Program Files\Java\jre7\lib\zi\America\Nipigon
    created   \??\c:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\RecoveryManual.html
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Black Tie.thmx
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg
    modified  \??\c:\Program Files\DVD Maker\Shared\Parity.fx
    created   \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\RecoveryManual.html
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00165_.GIF
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra
    modified  \??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304371.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299125.WMF
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_ON.GIF
    modified  \??\c:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer
    modified  \??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png
    modified  \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf
    modified  \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar
    modified  \??\c:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja
    modified  \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png
    modified  \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png
    modified  \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js
    modified  \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx
    modified  \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius
    modified  \??\c:\Program Files\Java\jre7\lib\zi\America\Yakutat
    modified  \??\c:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo
    modified  \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Verve.thmx
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF
    modified  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey
    created   \??\c:\Program Files (x86)\RecoveryManual.html
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF
    modified  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MountLocker_20_11_2020_200KB.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vssadmin.exe
- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
    PID 2700  vssadmin.exe
- Modifies registry class (5 IoCs)
  Every entry is by MountLocker_20_11_2020_200KB.exe:
    Key created      \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.EF9E23B4
    Key created      \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.EF9E23B4\shell
    Key created      \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.EF9E23B4\shell\Open
    Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.EF9E23B4\shell\Open\command\ = "explorer.exe RecoveryManual.html"
    Key created      \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.EF9E23B4\shell\Open\command
- Suspicious behavior: EnumeratesProcesses (1 IoC)
    PID 2792  powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
    Token: SeDebugPrivilege          PID 2792  powershell.exe
    Token: SeBackupPrivilege         PID 1520  vssvc.exe
    Token: SeRestorePrivilege        PID 1520  vssvc.exe
    Token: SeAuditPrivilege          PID 1520  vssvc.exe
    Token: SeTakeOwnershipPrivilege  PID 2832  MountLocker_20_11_2020_200KB.exe
    Token: SeRestorePrivilege        PID 2832  MountLocker_20_11_2020_200KB.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
    PID 2832  MountLocker_20_11_2020_200KB.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
    PID 2832 (MountLocker_20_11_2020_200KB.exe) wrote to memory of PID 2792, procid_target 30  (4 entries)
    PID 2792 (powershell.exe) wrote to memory of PID 2700, procid_target 32  (4 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
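The "Modifies registry class" entries above are the artifact that ties the rest of the file-system activity together: the sample registers a new extension (.EF9E23B4) under the user's Classes hive and points its Open verb at the ransom note, so double-clicking any encrypted file opens RecoveryManual.html. The following is an added example, not code from the tria.ge report or from any MountLocker tooling, that pulls the marker extension and note name out of registry events shaped like these and then counts, from file-creation events shaped like the "Drops file in Program Files directory" entries, how many directories the note was written to. The event tuples are constructed from this report's own IoCs; their (operation, key, value) and (operation, path) shapes are an assumption of the example.

```python
"""Added example (not part of the tria.ge report): recover the marker extension,
its ransom-note handler and the note's drop locations from registry and file
events constructed from the IoCs in this report. Event shapes are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

CLASSES = r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES"

# (operation, key, value) -- constructed from the "Modifies registry class" signature.
REG_EVENTS: List[Tuple[str, str, Optional[str]]] = [
    ("Key created", CLASSES + r"\.EF9E23B4", None),
    ("Key created", CLASSES + r"\.EF9E23B4\shell", None),
    ("Key created", CLASSES + r"\.EF9E23B4\shell\Open", None),
    ("Set value (str)", CLASSES + r"\.EF9E23B4\shell\Open\command" + "\\", "explorer.exe RecoveryManual.html"),
    ("Key created", CLASSES + r"\.EF9E23B4\shell\Open\command", None),
]

# (operation, path) -- constructed from the "Drops file in Program Files directory",
# "Drops desktop.ini file(s)" and "Malware Config" entries of this report.
FILE_EVENTS: List[Tuple[str, str]] = [
    ("File created", r"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html"),
    ("File created", r"\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\RecoveryManual.html"),
    ("File created", r"\??\c:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\RecoveryManual.html"),
    ("File created", r"\??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\RecoveryManual.html"),
    ("File created", r"\??\c:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\RecoveryManual.html"),
    ("File created", r"\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\RecoveryManual.html"),
    ("File created", r"\??\c:\Program Files (x86)\RecoveryManual.html"),
    ("File opened for modification", r"\??\c:\Program Files\desktop.ini"),
    ("File opened for modification", r"\??\c:\Program Files (x86)\desktop.ini"),
    ("File opened for modification", r"\??\c:\Program Files\Java\jre7\COPYRIGHT"),
]

# <hive>_CLASSES\<ext>\shell\Open\command, default value (the report shows a trailing backslash)
HANDLER_RE = re.compile(r"_CLASSES\\(\.[^\\]+)\\shell\\open\\command\\?$", re.IGNORECASE)


def registered_handlers(reg_events) -> Dict[str, str]:
    """Extensions whose Open verb was pointed at a command during the run."""
    handlers = {}
    for op, key, value in reg_events:
        m = HANDLER_RE.search(key)
        if m and op.startswith("Set value") and value:
            handlers[m.group(1)] = value
    return handlers


def note_name(command: str) -> Optional[str]:
    """File name of the handler's last argument: 'explorer.exe RecoveryManual.html' -> 'RecoveryManual.html'."""
    args = command.strip().split()
    if len(args) < 2:
        return None
    return args[-1].strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def normalize(path: str) -> str:
    """Drop the NT-namespace prefix and lower-case, so \\??\\c:\\x and C:\\x compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def note_drop_dirs(file_events, name: str) -> List[str]:
    """Distinct directories in which a file called `name` was created."""
    dirs = set()
    for op, path in file_events:
        if op != "File created":
            continue
        directory, _, base = normalize(path).rpartition("\\")
        if base == name.lower():
            dirs.add(directory)
    return sorted(dirs)


def summarize(reg_events, file_events) -> List[dict]:
    """One record per registered extension: handler command, inferred note name, note locations."""
    out = []
    for ext, cmd in registered_handlers(reg_events).items():
        name = note_name(cmd)
        out.append({"extension": ext, "handler": cmd, "note": name,
                    "note_dirs": note_drop_dirs(file_events, name) if name else []})
    return out


if __name__ == "__main__":
    for rec in summarize(REG_EVENTS, FILE_EVENTS):
        print(rec["extension"], "->", rec["handler"])
        print("note", rec["note"], "dropped in", len(rec["note_dirs"]), "directories")
```

The value of reading the handler out of the registry rather than guessing from file names is that it gives you two host-wide search terms at once: the extension to sweep other machines for (`*.EF9E23B4`) and the Classes key to check for persistence of the association after cleanup.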
Processes
1  C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe  (PID 2832)
   Command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"
   - Drops desktop.ini file(s)
   - Enumerates connected drives
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2792)
      Command line: powershell.exe -windowstyle hidden -c $mypid='2832';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259472469.tmp')|iex
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\vssadmin.exe  (PID 2700)
         Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
         - System Location Discovery: System Language Discovery
         - Interacts with shadow copies
1  C:\Windows\system32\vssvc.exe  (PID 1520)
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
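The process tree above is the detection opportunity: a binary running from a user's Temp directory spawns a hidden PowerShell that reads its script body from a temp file and pipes it to Invoke-Expression, and that PowerShell in turn runs vssadmin to delete every shadow copy. One detail worth building into a rule is visible in the tree itself: the command line names C:\Windows\system32\vssadmin.exe, but the image that actually ran is C:\Windows\SysWOW64\vssadmin.exe, because the 32-bit parent was subject to WOW64 file-system redirection. A rule that matches the path inside the command line misses this; matching on the image name does not. The following is an added example, not code from the tria.ge report or from any sandbox, that rebuilds the tree from process-creation records constructed from the report's own PIDs, image paths and command lines, applies three rules, and reports whether shadow-copy deletion was reached from a user-writable location. The record fields (pid, ppid, image, cmdline), the rule names and the user-writable path list are assumptions of the example.

```python
"""Added example (not part of the tria.ge report): rebuild the process tree from
process-creation records constructed from the Processes section and flag the
chain that ends in shadow-copy deletion. Field names and rule names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]  # None when no parent was captured (root of a tree)
    image: str           # image path as the sandbox recorded it
    cmdline: str


# Constructed from the report: sample -> powershell.exe -> vssadmin.exe, plus the
# VSS service process (PID 1520) that the deletion request causes to start.
SAMPLE_EVENTS = [
    ProcEvent(2832, None,
              r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"'),
    ProcEvent(2792, 2832,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -windowstyle hidden -c $mypid='2832';"
              r"[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259472469.tmp')|iex"),
    ProcEvent(2700, 2792,
              r"C:\Windows\SysWOW64\vssadmin.exe",
              r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet'),
    ProcEvent(1520, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Locations an unprivileged user can write to (assumed list for this example).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def image_name(e: ProcEvent) -> str:
    """Lower-cased file name of the image. Matching on this rather than on the path inside
    cmdline is deliberate: cmdline says system32\\vssadmin.exe while the image that ran
    was SysWOW64\\vssadmin.exe (WOW64 redirection of a 32-bit parent)."""
    return e.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_shadow_copy_deletion(e: ProcEvent) -> bool:
    return image_name(e) == "vssadmin.exe" and \
        re.search(r"\bdelete\s+shadows\b", e.cmdline, re.IGNORECASE) is not None


def rule_hidden_powershell_window(e: ProcEvent) -> bool:
    # -w hidden, -windowstyle hidden and the abbreviations in between
    return image_name(e) in ("powershell.exe", "pwsh.exe") and \
        re.search(r"-w\w*\s+hidden\b", e.cmdline, re.IGNORECASE) is not None


def rule_powershell_iex_from_file(e: ProcEvent) -> bool:
    # script body read from a file at runtime and handed to Invoke-Expression
    c = e.cmdline.lower()
    return image_name(e) in ("powershell.exe", "pwsh.exe") and \
        ("readalltext(" in c or "get-content" in c) and \
        re.search(r"\b(iex|invoke-expression)\b", c) is not None


RULES = {
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "hidden_powershell_window": rule_hidden_powershell_window,
    "powershell_iex_from_file": rule_powershell_iex_from_file,
}


def ancestry(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Root-first chain of events from the tree root down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(chain))


def analyze(events: List[ProcEvent]) -> Dict[int, dict]:
    """For each process that fired a rule: rule names, its ancestry (image names, root first)
    and whether any ancestor image lives in a user-writable location."""
    hits = {}
    for e in events:
        fired = [name for name, rule in RULES.items() if rule(e)]
        if not fired:
            continue
        chain = ancestry(events, e.pid)
        hits[e.pid] = {
            "rules": fired,
            "chain": [image_name(a) for a in chain],
            "user_writable_origin": any(p in a.image.lower() for a in chain for p in USER_WRITABLE),
        }
    return hits


def inhibits_recovery_from_userland(hits: Dict[int, dict]) -> bool:
    """The combination worth paging on: shadow copies deleted by a chain rooted in user space."""
    return any("shadow_copy_deletion" in h["rules"] and h["user_writable_origin"] for h in hits.values())


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, h in result.items():
        print(pid, h["rules"], " -> ".join(h["chain"]), "user-writable origin:", h["user_writable_origin"])
    print("inhibits recovery from userland:", inhibits_recovery_from_userland(result))
```

The VSS service (PID 1520) is deliberately left unflagged: it is a legitimate system component that any shadow-copy request starts, and its SeBackupPrivilege/SeRestorePrivilege tokens are normal for it. The signal is the requester, not the service.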
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 92a1ba1ba1c7e1911e2b08815532e45a
  SHA1: b764b47ddc5375d00b907a12a1d374be70612694
  SHA256: de40d4022cf7d9c344fdd90316ed852531b7042f3d8a02237f6b654bb70e65a7
  SHA512: d0d4354e628345f71e4ce964098210a5bdeedb330110f12a768f28040eac3564ef83fb01fa6249949c8969e2308c7a701210872e4322620d53f226534d379e53
- Filesize: 4KB
  MD5: 4e1a1e3e715c291c71950d2fdc79e2be
  SHA1: dc2b3d20a9ec88e0d8d75c5097154687acc42983
  SHA256: acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39
  SHA512: d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80