Malware-Analysis-Reports/MountLocker at master ·
Finch4/Malware-Analysis-Reports
By Finch4
Archived: 2026-04-02 10:53:31 UTC
MountLocker is a Ransomware which appeared first on July 2020, in the sample there are references to a Public
RSA Key and ChaCha20. Lately seems an update added also a worm feature.
Please note, I'm still learning, the analysis is incomplete (and some parts may be wrong), if you want to read
a full analysis read here
Sample
MalwareBazaar:
https://bazaar.abuse.ch/sample/4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1/
Starting from the start
Here is simply passing the the command-line string for the current process to the function I renamed, mw_main
Inside mw_main we find two other calls to mw_check_parameters and mw_core
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 1 of 14

Diving into mw_check_parameters
The function starts parsing the arguments, the result is then allocated to the variable command_line_args , if
retrieving the arguments is successful the sample will continue otherwise as you can imagine it will return and the
if at mw_main will never be True and the sample will exit.
When entering the if the most interesting functions seems the one which receive as arguments:
command_line_args, pNumArgs, {CUSTOM_STRING}, I renamed this function mw_check_if_contains
mw_check_if_contains
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 2 of 14

starting from the first two calls to this functions we can see the strings "/LOGIN=" and "/PASSWORD=" stored
inside what seems an array, later you will se that these arguments are used as part of the worm feature,
"/LOGIN=" will contains the lpUserName and as you can image "/PASSWORD=" will contains lpPassword the
others are more features/options of MountLocker, here a list:
commands =
[
 "/LOGIN=",
 "/PASSWORD=",
 "/CONSOLE",
 "/NODEL",
 "/NOKILL",
 "/NOLOG",
 "/SHAREALL",
 "/NETWORK",
 "/PARAMS=",
 "/TARGET=",
 "/FAST=",
 "/MIN=",
 "/MAX=",
 "/FULLPD",
 "/MARKER=",
 "/NOLOCK="
]
Diving into mw_core
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 3 of 14

The first two calls are for COM objects, since still I'm learning I didn't really understood how you use
them, so for the moment I will ignore the calls related to it.
The first call is easy understandable, is retrieving the admin status of the current user, InitializeCriticalSection acts
as Mutex for threads.
dword_1400137EC is assigned in mw_check_parameters and its value is 0, so a !0 will return True, now we have
two calls to lstrcpyW , &ExistingFileName is assigned in mw_check_parameters
mw_check_parameters
Here is checking if the file for the logs has been created, if yes set isLogFeatureEnabled to True, same if the
command "/CONSOLE" is passed
inside mw_console_log isLogFeatureEnabled is checked if is True, if yes, call another function which will
check if to write to file or console, or both
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 4 of 14

mw_console_log
sub_140007454
mw_collect_sys_informations
Now the function mw_init_crypto will be called, I renamed this function like that, because seems importing the
RSA Key
mw_init_crypto
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 5 of 14

Here is the RSA Key:
06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00
01 00 01 00 89 9C 9E 71 D9 2B E9 50 B1 75 DA 27
07 AA 43 6D FD D7 EA 21 29 7E 8F 07 03 A7 77 57
E4 7F F2 3D 8F 7C CE 25 51 A9 06 37 79 34 54 C2
D3 6A 18 65 7F 60 21 13 D0 81 A1 46 AE D3 33 44
17 21 98 BC 09 62 06 F5 5D 49 D9 37 7D 1E 06 9B
99 48 2B 7C 75 0B DA DB C4 B6 E3 63 10 E0 FB C6
FF C8 61 B5 B1 CC D9 F4 8E B9 B7 EE D3 1C EA 1C
6B E7 99 95 07 34 F5 C0 FC C3 F0 CB 1A 37 86 F8
D6 61 4D 37 73 BA 9C A7 1A 9D DF 87 B6 B3 76 CD
85 8E A5 DD E8 E4 BB 42 FB 46 1E D6 E6 9E 89 52
5D F8 B2 06 B9 6F 05 1D 5C 5A C4 D9 C3 89 05 98
AD 95 7E FB 46 38 C0 F3 C3 3B 8D 8A 52 DB BD 42
C9 0C E4 87 E9 8D 42 B0 C0 48 7A 7E 62 27 AE 87
C8 00 44 89 E8 78 41 AC 79 EB DC 42 D1 97 9D 75
9E 0D EE 43 33 05 61 F3 5D 65 5C 42 95 69 E8 E5
34 3B 99 30 B7 CB E6 8F 85 F5 BB E8 33 A7 05 5A
B6 A0 BE F1 A0 D8 38 F6 38 37 39 35 33 38 65 32
30 62 38 32 65 38 30 30 35 32 64 64 35 66 37 65
66 39 61 64 35 30 37 37
The CryptEncrypt call seems encrypting the buffer &Src with RSA, curios is the fact that &Src is used in
another function which I renamed mw_wrap_chacha because is a wrapper to a function which uses ChaCha
an help to recognize the ChaCha function is given to CAPA a fantastic tool developed by the FireEye Team
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 6 of 14

and also if you look carefully to the strings
next we can see some instructions that have something to do with the command "/NETWORK" if you pass this
argument and the executable isn't started as administrator, the function will return
if the "/NETWORK" command isn't passed, we proceed
here we check if the command "/NOKILL" has been passed, if yes we proceed to calling mw_killservices and
mw_kill_processes , from the names you can easily understand what it's doing, these are two lists of which
services and processes will terminate
If the service name contains those strings, close the service
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 7 of 14

services_to_close =
[
 "SQL",
 "database",
 "msexchange",
]
These are the processes
processes_to_kill =
[
"msftesql.exe",
"sqlagent.exe",
"sqlbrowser.exe",
"sqlwriter.exe",
"oracle.exe",
"ocssd.exe",
"dbsnmp.exe",
"synctime.exe",
"agntsvc.exe",
"isqlplussvc.exe",
"xfssvccon.exe",
"sqlservr.exe",
"mydesktopservice.exe",
"ocautoupds.exe",
"encsvc.exe",
"firefoxconfig.exe",
"tbirdconfig.exe",
"mydesktopqos.exe",
"ocomm.exe",
"mysqld.exe",
"mysqld-nt.exe",
"mysqld-opt.exe",
"dbeng50.exe",
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 8 of 14

"sqbcoreservice.exe",
"excel.exe",
"infopath.exe",
"msaccess.exe",
"mspub.exe",
"onenote.exe",
"outlook.exe",
"powerpnt.exe",
"sqlservr.exe",
"thebat.exe",
"steam.exe",
"thebat64.exe",
"thunderbird.exe",
"visio.exe",
"winword.exe",
"wordpad.exe",
"QBW32.exe",
"QBW64.exe",
"ipython.exe",
"wpython.exe",
"python.exe",
"dumpcap.exe",
"procmon.exe",
"procmon64.exe",
"procexp.exe",
"procexp64.exe"
]
after killing the processes and the services, the sample checks for the command "/TARGET="
seems to be a command to target specific files, specific drive, specific server
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 9 of 14

meanwhile this is the default lock
mw_wrap_stats_log
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 10 of 14

Overview of the worm feature
Seems the worm feature is divided in two categories:
Enum PC into domain
Enum PC into network
Both share the need of
"/LOGIN=" and "/PASSWORD="
After getting access to the computer it will drop the same executable passing the command "/NOLOG" , you can
see also other if statements checking if the servername contains certain strings
After a service called "Update{GetTickCount()}" will be created
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 11 of 14

with lpBinaryPathName equal to the path where the sample has been dropped
also it seems to create a process with WMI
ROOT\CIMV2
Create - Win32
The function mw_create_worm_service will return GetLastError()
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 12 of 14

if the return value != 1326 ERROR_LOGON_FAILURE "The user name or password is incorrect."
https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1300-1699-
it will switch the return value and then write it in the logs
Same for creating a process with the WMI
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 13 of 14

Conclusion
I spent some time for this analysis, I hope it is correct and useful, please if you notice some errors in the analysis
let me know, I want to improve myself. Seen this is my best analysis right now I would like to add some
informations about myself; I'm Italian and I'm 17 years old, I would like to get a job as Malware Analyst when I
will turn 18, for more information this is my secondary email: blacXkdog1X7of@XgmaiXl.com (remove all
"X")
Thank you for reading my analysis!
Feedbacks
Thanks to:
https://twitter.com/cPeterr [https://chuongdong.com/]
Useful resources
http://pinvoke.net [Sometimes you can find the enums for the symbolic constants]
https://malwareunicorn.org/workshops/idacheatsheet.html
Source: https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
Page 14 of 14