{
	"id": "3168f176-b2ab-4087-bea7-bff69cadb1c5",
	"created_at": "2026-04-06T00:19:25.837852Z",
	"updated_at": "2026-04-10T03:20:47.747258Z",
	"deleted_at": null,
	"sha1_hash": "71788374729f33b67f6a0443a774aa0e70c6aa15",
	"title": "Malware-Analysis-Reports/MountLocker at master · Finch4/Malware-Analysis-Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1056103,
	"plain_text": "Malware-Analysis-Reports/MountLocker at master ·\r\nFinch4/Malware-Analysis-Reports\r\nBy Finch4\r\nArchived: 2026-04-02 10:53:31 UTC\r\nMountLocker is a Ransomware which appeared first on July 2020, in the sample there are references to a Public\r\nRSA Key and ChaCha20. Lately seems an update added also a worm feature.\r\nPlease note, I'm still learning, the analysis is incomplete (and some parts may be wrong), if you want to read\r\na full analysis read here\r\nSample\r\nMalwareBazaar:\r\nhttps://bazaar.abuse.ch/sample/4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1/\r\nStarting from the start\r\nHere is simply passing the the command-line string for the current process to the function I renamed, mw_main\r\nInside mw_main we find two other calls to mw_check_parameters and mw_core\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 1 of 14\n\nDiving into mw_check_parameters\r\nThe function starts parsing the arguments, the result is then allocated to the variable command_line_args , if\r\nretrieving the arguments is successful the sample will continue otherwise as you can imagine it will return and the\r\nif at mw_main will never be True and the sample will exit.\r\nWhen entering the if the most interesting functions seems the one which receive as arguments:\r\ncommand_line_args, pNumArgs, {CUSTOM_STRING}, I renamed this function mw_check_if_contains\r\nmw_check_if_contains\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 2 of 14\n\nstarting from the first two calls to this functions we can see the strings \"/LOGIN=\" and \"/PASSWORD=\" stored\r\ninside what seems an array, later you will se that these arguments are used as part of the worm feature,\r\n\"/LOGIN=\" will contains the lpUserName and as you can image \"/PASSWORD=\" will contains lpPassword the\r\nothers are more features/options of MountLocker, here a list:\r\ncommands =\r\n[\r\n \"/LOGIN=\",\r\n \"/PASSWORD=\",\r\n \"/CONSOLE\",\r\n \"/NODEL\",\r\n \"/NOKILL\",\r\n \"/NOLOG\",\r\n \"/SHAREALL\",\r\n \"/NETWORK\",\r\n \"/PARAMS=\",\r\n \"/TARGET=\",\r\n \"/FAST=\",\r\n \"/MIN=\",\r\n \"/MAX=\",\r\n \"/FULLPD\",\r\n \"/MARKER=\",\r\n \"/NOLOCK=\"\r\n]\r\nDiving into mw_core\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 3 of 14\n\nThe first two calls are for COM objects, since still I'm learning I didn't really understood how you use\r\nthem, so for the moment I will ignore the calls related to it.\r\nThe first call is easy understandable, is retrieving the admin status of the current user, InitializeCriticalSection acts\r\nas Mutex for threads.\r\ndword_1400137EC is assigned in mw_check_parameters and its value is 0, so a !0 will return True, now we have\r\ntwo calls to lstrcpyW , \u0026ExistingFileName is assigned in mw_check_parameters\r\nmw_check_parameters\r\nHere is checking if the file for the logs has been created, if yes set isLogFeatureEnabled to True, same if the\r\ncommand \"/CONSOLE\" is passed\r\ninside mw_console_log isLogFeatureEnabled is checked if is True, if yes, call another function which will\r\ncheck if to write to file or console, or both\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 4 of 14\n\nmw_console_log\r\nsub_140007454\r\nmw_collect_sys_informations\r\nNow the function mw_init_crypto will be called, I renamed this function like that, because seems importing the\r\nRSA Key\r\nmw_init_crypto\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 5 of 14\n\nHere is the RSA Key:\r\n06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00\r\n01 00 01 00 89 9C 9E 71 D9 2B E9 50 B1 75 DA 27\r\n07 AA 43 6D FD D7 EA 21 29 7E 8F 07 03 A7 77 57\r\nE4 7F F2 3D 8F 7C CE 25 51 A9 06 37 79 34 54 C2\r\nD3 6A 18 65 7F 60 21 13 D0 81 A1 46 AE D3 33 44\r\n17 21 98 BC 09 62 06 F5 5D 49 D9 37 7D 1E 06 9B\r\n99 48 2B 7C 75 0B DA DB C4 B6 E3 63 10 E0 FB C6\r\nFF C8 61 B5 B1 CC D9 F4 8E B9 B7 EE D3 1C EA 1C\r\n6B E7 99 95 07 34 F5 C0 FC C3 F0 CB 1A 37 86 F8\r\nD6 61 4D 37 73 BA 9C A7 1A 9D DF 87 B6 B3 76 CD\r\n85 8E A5 DD E8 E4 BB 42 FB 46 1E D6 E6 9E 89 52\r\n5D F8 B2 06 B9 6F 05 1D 5C 5A C4 D9 C3 89 05 98\r\nAD 95 7E FB 46 38 C0 F3 C3 3B 8D 8A 52 DB BD 42\r\nC9 0C E4 87 E9 8D 42 B0 C0 48 7A 7E 62 27 AE 87\r\nC8 00 44 89 E8 78 41 AC 79 EB DC 42 D1 97 9D 75\r\n9E 0D EE 43 33 05 61 F3 5D 65 5C 42 95 69 E8 E5\r\n34 3B 99 30 B7 CB E6 8F 85 F5 BB E8 33 A7 05 5A\r\nB6 A0 BE F1 A0 D8 38 F6 38 37 39 35 33 38 65 32\r\n30 62 38 32 65 38 30 30 35 32 64 64 35 66 37 65\r\n66 39 61 64 35 30 37 37\r\nThe CryptEncrypt call seems encrypting the buffer \u0026Src with RSA, curios is the fact that \u0026Src is used in\r\nanother function which I renamed mw_wrap_chacha because is a wrapper to a function which uses ChaCha\r\nan help to recognize the ChaCha function is given to CAPA a fantastic tool developed by the FireEye Team\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 6 of 14\n\nand also if you look carefully to the strings\r\nnext we can see some instructions that have something to do with the command \"/NETWORK\" if you pass this\r\nargument and the executable isn't started as administrator, the function will return\r\nif the \"/NETWORK\" command isn't passed, we proceed\r\nhere we check if the command \"/NOKILL\" has been passed, if yes we proceed to calling mw_killservices and\r\nmw_kill_processes , from the names you can easily understand what it's doing, these are two lists of which\r\nservices and processes will terminate\r\nIf the service name contains those strings, close the service\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 7 of 14\n\nservices_to_close =\r\n[\r\n \"SQL\",\r\n \"database\",\r\n \"msexchange\",\r\n]\r\nThese are the processes\r\nprocesses_to_kill =\r\n[\r\n\"msftesql.exe\",\r\n\"sqlagent.exe\",\r\n\"sqlbrowser.exe\",\r\n\"sqlwriter.exe\",\r\n\"oracle.exe\",\r\n\"ocssd.exe\",\r\n\"dbsnmp.exe\",\r\n\"synctime.exe\",\r\n\"agntsvc.exe\",\r\n\"isqlplussvc.exe\",\r\n\"xfssvccon.exe\",\r\n\"sqlservr.exe\",\r\n\"mydesktopservice.exe\",\r\n\"ocautoupds.exe\",\r\n\"encsvc.exe\",\r\n\"firefoxconfig.exe\",\r\n\"tbirdconfig.exe\",\r\n\"mydesktopqos.exe\",\r\n\"ocomm.exe\",\r\n\"mysqld.exe\",\r\n\"mysqld-nt.exe\",\r\n\"mysqld-opt.exe\",\r\n\"dbeng50.exe\",\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 8 of 14\n\n\"sqbcoreservice.exe\",\r\n\"excel.exe\",\r\n\"infopath.exe\",\r\n\"msaccess.exe\",\r\n\"mspub.exe\",\r\n\"onenote.exe\",\r\n\"outlook.exe\",\r\n\"powerpnt.exe\",\r\n\"sqlservr.exe\",\r\n\"thebat.exe\",\r\n\"steam.exe\",\r\n\"thebat64.exe\",\r\n\"thunderbird.exe\",\r\n\"visio.exe\",\r\n\"winword.exe\",\r\n\"wordpad.exe\",\r\n\"QBW32.exe\",\r\n\"QBW64.exe\",\r\n\"ipython.exe\",\r\n\"wpython.exe\",\r\n\"python.exe\",\r\n\"dumpcap.exe\",\r\n\"procmon.exe\",\r\n\"procmon64.exe\",\r\n\"procexp.exe\",\r\n\"procexp64.exe\"\r\n]\r\nafter killing the processes and the services, the sample checks for the command \"/TARGET=\"\r\nseems to be a command to target specific files, specific drive, specific server\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 9 of 14\n\nmeanwhile this is the default lock\r\nmw_wrap_stats_log\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 10 of 14\n\nOverview of the worm feature\r\nSeems the worm feature is divided in two categories:\r\nEnum PC into domain\r\nEnum PC into network\r\nBoth share the need of\r\n\"/LOGIN=\" and \"/PASSWORD=\"\r\nAfter getting access to the computer it will drop the same executable passing the command \"/NOLOG\" , you can\r\nsee also other if statements checking if the servername contains certain strings\r\nAfter a service called \"Update{GetTickCount()}\" will be created\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 11 of 14\n\nwith lpBinaryPathName equal to the path where the sample has been dropped\r\nalso it seems to create a process with WMI\r\nROOT\\CIMV2\r\nCreate - Win32\r\nThe function mw_create_worm_service will return GetLastError()\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 12 of 14\n\nif the return value != 1326 ERROR_LOGON_FAILURE \"The user name or password is incorrect.\"\r\nhttps://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1300-1699-\r\nit will switch the return value and then write it in the logs\r\nSame for creating a process with the WMI\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 13 of 14\n\nConclusion\r\nI spent some time for this analysis, I hope it is correct and useful, please if you notice some errors in the analysis\r\nlet me know, I want to improve myself. Seen this is my best analysis right now I would like to add some\r\ninformations about myself; I'm Italian and I'm 17 years old, I would like to get a job as Malware Analyst when I\r\nwill turn 18, for more information this is my secondary email: blacXkdog1X7of@XgmaiXl.com (remove all\r\n\"X\")\r\nThank you for reading my analysis!\r\nFeedbacks\r\nThanks to:\r\nhttps://twitter.com/cPeterr [https://chuongdong.com/]\r\nUseful resources\r\nhttp://pinvoke.net [Sometimes you can find the enums for the symbolic constants]\r\nhttps://malwareunicorn.org/workshops/idacheatsheet.html\r\nSource: https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker"
	],
	"report_names": [
		"MountLocker"
	],
	"threat_actors": [],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71788374729f33b67f6a0443a774aa0e70c6aa15.pdf",
		"text": "https://archive.orkl.eu/71788374729f33b67f6a0443a774aa0e70c6aa15.txt",
		"img": "https://archive.orkl.eu/71788374729f33b67f6a0443a774aa0e70c6aa15.jpg"
	}
}