Resubmissions
17-05-2024 14:06
240517-reh7esbc83 1017-05-2024 14:05
240517-rdxnesbb2x 1017-05-2024 14:04
240517-rdkc4aba91 1017-05-2024 14:00
240517-raznlsbc33 1009-01-2022 14:18
220109-rl99gsdee2 10Analysis
-
max time kernel
5s -
max time network
2s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-05-2024 14:04
General
-
Target
00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.exe
-
Size
66KB
-
MD5
2c26b319e378755596f0ac6d293798c8
-
SHA1
280a4cfcf5dd87898c3731b680efe061bdb7a9fe
-
SHA256
00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99
-
SHA512
0c2b53a3fed1dbbae64e7f1e7c17a89b5dc607ba40caecd5496e18ffd84cdad844e926742d9fc82a715d6e8b01a1c483d97d54f5be1f2d6997107946f2a3fe4b
-
SSDEEP
768:BS5zkUtPX/y4Jp5LmcmItHnlIH9q9Q/048RgauHADO2A:DaXq4xTlIdYrhRcH2A
Malware Config
Signatures
-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Deletes itself 1 IoCs
-
Drops desktop.ini file(s) 32 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.exe"C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F763276.bat" "C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.exe""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.exe"3⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RecoveryManual.htmlFilesize
2KB
MD5c05a2821a9fc97a54568466d95a4ad92
SHA1f74925d9af5d063e61903d9856527c00911571d1
SHA256530af8a0154f6c632ccf0982ee8f22060bd8e3b3c66f38b9a7155a89b7a0e333
SHA5129a35b2cc667444f63491bfc5e69b1178e0137c64247358295c3abf136c0489aaa3480ba8a9afec4f3618ffec6ca20b63c0bd8782905bffe866251640038b1964
-
C:\Users\Admin\AppData\Local\Temp\0F763276.batFilesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611