Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

25/03/2025, 15:11

250325-skmbpsxzaw 10

25/03/2025, 15:06

250325-sg1d6a1px2 10

25/03/2025, 15:01

250325-sd5jpsxyct 10

25/03/2025, 14:56

250325-sbdcfaxxgs 10

25/03/2025, 14:50

250325-r7ve6a1nv3 10

25/03/2025, 14:46

250325-r5ab7sxwhx 10

25/03/2025, 14:40

250325-r2c9paxwe1 10

05/02/2025, 10:25

250205-mgcefaslhw 10

05/02/2025, 10:17

250205-mbs51atmbk 10

05/02/2025, 09:15

250205-k785zs1pfn 10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 14:56

General

  • Target

    RansomwareSamples/MountLocker_20_11_2020_200KB.exe

  • Size

    200KB

  • MD5

    c2671bf5b5dedbfd3cfe3f0f944fbe01

  • SHA1

    da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

  • SHA256

    226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

  • SHA512

    256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9

  • SSDEEP

    1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> aa0a8ea69e22c4a789b451ab4101d8502381aa01c1b61ac2e00577a9cc00a12f </pre> </b> <hr/> <b>/!\ YOUR NETWORK HAS BEEN HACKED /!\<br> All your important files have been encrypted!</b><br> <hr/> Your files are safe! Only encrypted.<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> You can send us 2-3 files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> Also we gathered highly confidential/personal data from your network. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you won't pay, we will release your data to public or reseller.<br> So you can expect your data to be published or improperly used in the near future.<br> In this case you will face all legal and reputational consequences of the leak.<br> We only desire to get a ransom and we don't aim to damage your reputation or destroy<br> your business.<br><br> <hr/> <b>Contact us to discuss your next step.</b><br><br> <a href="http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8502381aa01c1b61ac2e00577a9cc00a12f">http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8502381aa01c1b61ac2e00577a9cc00a12f</a><br> * Note that this server is only available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "http://soxbhgx23tabwh2k447b2tljcu5tktdc2elmi2ls7huzntrhknygxsqd.onion/?cid=aa0a8ea69e22c4a789b451ab4101d8502381aa01c1b61ac2e00577a9cc00a12f". <br> 4. Start a chat and follow the further instructions. (Password field should be empty for the first login). <br><br> <hr/> <b>If you can`t use the above link, use the email:</b><br> <a href="mailto:[email protected]">[email protected]</a><br> Please note, sometimes our support is away from keyboard, but we will reply shortly.<br> Kindly advise you to contact us as soon as possible.<br></b><br> </body> </html>
Emails

href="mailto:[email protected]">[email protected]</a><br>

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Mountlocker family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops desktop.ini file(s) 10 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MountLocker_20_11_2020_200KB.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden -c $mypid='2832';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259472469.tmp')|iex
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.html

    Filesize

    2KB

    MD5

    92a1ba1ba1c7e1911e2b08815532e45a

    SHA1

    b764b47ddc5375d00b907a12a1d374be70612694

    SHA256

    de40d4022cf7d9c344fdd90316ed852531b7042f3d8a02237f6b654bb70e65a7

    SHA512

    d0d4354e628345f71e4ce964098210a5bdeedb330110f12a768f28040eac3564ef83fb01fa6249949c8969e2308c7a701210872e4322620d53f226534d379e53

  • C:\Users\Admin\AppData\Local\Temp\~259472469.tmp

    Filesize

    4KB

    MD5

    4e1a1e3e715c291c71950d2fdc79e2be

    SHA1

    dc2b3d20a9ec88e0d8d75c5097154687acc42983

    SHA256

    acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39

    SHA512

    d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80

  • memory/2792-25-0x00000000748C1000-0x00000000748C2000-memory.dmp

    Filesize

    4KB

  • memory/2792-32-0x00000000748C0000-0x0000000074E6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2792-29-0x00000000748C0000-0x0000000074E6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2792-28-0x00000000748C0000-0x0000000074E6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2792-27-0x00000000748C0000-0x0000000074E6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2792-26-0x00000000748C0000-0x0000000074E6B000-memory.dmp

    Filesize

    5.7MB

  • memory/2832-16-0x00000000034C0000-0x00000000034CF000-memory.dmp

    Filesize

    60KB

  • memory/2832-12-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-10-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-8-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-6-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-4-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-3-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-21-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/2832-14-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-15-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-11-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-9-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-7-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-30-0x000000000041A000-0x000000000041B000-memory.dmp

    Filesize

    4KB

  • memory/2832-5-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB

  • memory/2832-2-0x000000000041A000-0x000000000041B000-memory.dmp

    Filesize

    4KB

  • memory/2832-35-0x00000000034C0000-0x00000000034CF000-memory.dmp

    Filesize

    60KB

  • memory/2832-34-0x00000000034C0000-0x00000000034CF000-memory.dmp

    Filesize

    60KB

  • memory/2832-33-0x00000000034C0000-0x00000000034CF000-memory.dmp

    Filesize

    60KB

  • memory/2832-13-0x0000000003020000-0x0000000003022000-memory.dmp

    Filesize

    8KB