MountLocker Ransomware
Common Information
Type Value
UUID 35c811cb-cd77-40c1-ad2a-336673d24f1b
Fingerprint be182853a2b892c9
Analysis status DONE
Considered CTI value 2
Text language
Published May 23, 2021, midnight
Added to db Aug. 31, 2024, 12:50 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline MountLocker Ransomware
Title MountLocker Ransomware
Detected Hints/Tags/Attributes 69/1/75
RSS Feed
Id  Enabled  Feed title  Url  Added to db
84  Chuong Dong  https://chuongdong.com/feed  2024-08-30 22:08
Attributes
Type  #Events  CTI Value
Domain  93  bazaar.abuse.ch
Domain  911  any.run
Domain  14  chuongdong.com
Domain  10  openssl.org
Domain  3  zawadidone.nl
Domain  11  www.vkremez.com
Domain  4128  github.com
Email  1  appro@openssl.org
File  4  recoverymanual.html
File  46  msftesql.exe
File  58  sqlagent.exe
File  62  sqlbrowser.exe
File  66  sqlwriter.exe
File  67  oracle.exe
File  57  ocssd.exe
File  61  dbsnmp.exe
File  57  synctime.exe
File  57  agntsvc.exe
File  54  isqlplussvc.exe
File  56  xfssvccon.exe
File  119  sqlservr.exe
File  60  mydesktopservice.exe
File  57  ocautoupds.exe
File  57  encsvc.exe
File  41  firefoxconfig.exe
File  55  tbirdconfig.exe
File  57  mydesktopqos.exe
File  57  ocomm.exe
File  57  mysqld.exe
File  43  mysqld-nt.exe
File  40  mysqld-opt.exe
File  58  dbeng50.exe
File  55  sqbcoreservice.exe
File  199  excel.exe
File  52  infopath.exe
File  91  msaccess.exe
File  102  mspub.exe
File  74  onenote.exe
File  173  outlook.exe
File  92  powerpnt.exe
File  58  thebat.exe
File  99  steam.exe
File  35  thebat64.exe
File  63  thunderbird.exe
File  86  visio.exe
File  323  winword.exe
File  90  wordpad.exe
File  19  qbw32.exe
File  6  qbw64.exe
File  6  ipython.exe
File  6  wpython.exe
File  65  python.exe
File  30  dumpcap.exe
File  74  procmon.exe
File  27  procmon64.exe
File  64  procexp.exe
File  40  procexp64.exe
File  351  recycle.bin
File  2126  cmd.exe
File  1  mount-locker-ransomware-analysis.html
File  2  lets-learn-introducing-new-trickbot.html
File  1  chacha-x86_64.pl
Github username  1  finch4
Github username  1  dot-asm
md5  1  3808f21e56dede99bc914d90aeabe47a
sha256  2  4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1
Url  2  https://bazaar.abuse.ch/sample/4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1
Url  4  http://chuongdong.com/reverse
Url  1  https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
Url  1  https://zawadidone.nl/2020/11/26/mount-locker-ransomware-analysis.html
Url  2  https://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
Url  1  https://github.com/finch4/malware-analysis-reports/tree/main/mountlocker
Url  1  https://github.com/dot-asm/cryptogams/blob/master/x86_64/chacha-x86_64.pl
Url  1  https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-windows-api-to-worm-through-networks
Yara rule  1
rule MountLocker5_0 {
	meta:
		description = "YARA rule for MountLocker v5.0"
		reference = "http://chuongdong.com/reverse engineering/2021/05/23/MountLockerRansomware/"
		author = "@cPeterr"
		tlp = "white"
	strings:
		$worm_str = "========== WORM ==========" wide
		$ransom_note_str = ".ReadManual.%0.8X" wide
		$version_str = "5.0" wide
		$chacha_str = "ChaCha20 for x86_64, CRYPTOGAMS by <appro@openssl.org>"
		$chacha_const = "expand 32-byte k"
		$lock_str = "[OK] locker.file > time=%0.3f size=%0.3f KB speed=%" wide
		$bat_str = "attrib -s -r -h %1"
		$IDirectorySearch_RIID = { EC A8 9B 10 F0 92 D0 11 A7 90 00 C0 4F D8 D5 A8 }
	condition:
		// MZ header (PE file) and every string defined above must be present
		uint16(0) == 0x5a4d and all of them
}