{
	"id": "e8dbc062-28ca-45ae-b886-5c8008a9ffae",
	"created_at": "2026-04-06T00:12:00.785733Z",
	"updated_at": "2026-04-10T03:20:07.20009Z",
	"deleted_at": null,
	"sha1_hash": "cc8ec3304b74d80f29e8c574d35b9e25c9a3ee49",
	"title": "MountLocker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1775051,
	"plain_text": "MountLocker Ransomware\r\nBy Chuong Dong\r\nPublished: 2021-05-23 · Archived: 2026-04-05 17:56:59 UTC\r\nReverse Engineering  · 23 May 2021\r\nOverview\r\nThis is my report for a MountLocker Ransomware v5.0 sample, which is used by XingLocker ransomware\r\ngroup.\r\nThis ransomware uses a hybrid-cryptography scheme of RSA-2048 and ChaCha20 to encrypt files and protect its\r\nkeys. Unlike other ransomware, MountLocker encrypts all of the ChaCha20 keys with a global ChaCha20 key\r\nbefore encrypting this global key with its RSA-2048 public key. The encrypted global key and the corresponding\r\nencrypted ChaCha20 key are appended at the end of each encrypted file.\r\nThis version includes a new worm feature that lets it self-propagate to other PCs on the network using\r\nIDirectorySearch and IWbemServices COM interfaces.\r\nMountLocker has a sophisticated multithreading scheme, but its performance suffers from thread starvation due\r\nto recursive file traversal.\r\nI won’t waste my time explaining why recursive file traversal is terrible anymore cause I have made my points\r\nthrough the last few reports. 
Please feel free to check out my Darkside analysis if you want to better understand\r\nthe theory behind it!\r\nhttps://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/\r\nPage 1 of 32\n\nFigure 1: XingLocker Ransomware leak site.\r\nIOCs\r\nThis v5.0 sample is a 64-bit .exe file.\r\nMD5: 3808f21e56dede99bc914d90aeabe47a\r\nSHA256: 4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1\r\nSample:\r\nhttps://bazaar.abuse.ch/sample/4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1/\r\nFigure 2: VirusTotal information.\r\nRansom Note\r\nThe ransom note is written in HTML format and is dropped into RecoveryManual.html files on the system.\r\nThe client ID embedded inside the ransom note is generated from the victim’s computer name and a hard-coded\r\nstring in memory.\r\nFigure 3: MountLocker ransom note.\r\nPerformance\r\nMountLocker has pretty average performance and does not fully utilize the machine’s processing power.\r\nFigure 4: ANY.RUN sandbox result.\r\nStatic Code Analysis\r\nCommand Line Parameters\r\nMountLocker can be run with or without command line parameters. 
The ransomware first checks and parses the\r\ngiven parameters to modify its functionality accordingly.\r\nFigure 5: Parsing command line parameters.\r\nBelow is the list of arguments that can be supplied by the operators:\r\nArgument Description\r\n/LOGIN= Network username (for network encryption and worm)\r\n/PASSWORD= Network password (for network encryption and worm)\r\n/CONSOLE Logging through console\r\n/NODEL No self-deletion\r\n/NOKILL No service and process killing\r\n/NOLOG No logging through file (this is hard-coded to be FALSE in this sample)\r\n/SHAREALL Encrypting all shared resources (except “\\ADMIN$”)\r\n/NETWORK Worm network type: w = Windows Management Instrumentation (WMI); s = service (requires ADMIN creds); others = unknown or default\r\n/PARAMS= Command line parameters to launch executable with on other PCs (worm)\r\n/TARGET= Path to a file or a directory to be encrypted specifically (there can be multiple target arguments)\r\n/FAST= Buffer size for fast encryption (default: 0x10000000 bytes)\r\n/MIN= Minimum file size to encrypt (default: 0 bytes)\r\n/MAX= Maximum file size to encrypt (default: 0 bytes)\r\n/FULLPD Does not avoid encrypting Program Files, Program Files (x86), ProgramData, and SQL\r\n/MARKER= Marker file name to drop in each encrypted drive\r\n/NOLOCK= Avoid encrypting: L = Local; N = Network; S = Network shared resources\r\nLogging\r\nThe ransomware has two different ways to log its operations, and each can be enabled through setting the\r\ncommand line arguments /CONSOLE to 1 and /NOLOG to 0.\r\nIn this particular sample, the /NOLOG flag’s value is hard-coded to be 0, so it always records and drops a log file on\r\nthe victim’s system.\r\nWhen the /NOLOG flag is 0, 
MountLocker extracts the current executable’s file path, appends .log to the end,\r\nand uses that as the log file path.\r\nFigure 6: Creating log file in current directory.\r\nWhen the /CONSOLE flag is 1, MountLocker will also log through the console standard output stream. It calls\r\nAllocConsole and GetStdHandle(STD_OUTPUT_HANDLE) to allocate the console and get a handle to the\r\nstandard output stream.\r\nTo write to this console, it calls WriteConsoleW with this handle.\r\nFigure 7: Creating log file in current directory.\r\nThe beginning of the log tells us the version of the specific MountLocker sample, and in this case, the version is\r\n5.0.\r\nIt also extracts and records information about the victim’s system such as the number of processors, total system\r\nmemory, Windows version, system architecture, …\r\nFigure 8: Logging system information.\r\nAll file and network operations (enumeration, skipping, encrypting, error) are recorded this way.\r\nFigure 9: MountLocker log file.\r\nTerminating Services\r\nIf the /NETWORK argument is not provided, the malware will run in local mode.\r\nIn this mode, if the /NOKILL argument is 0, it enumerates and kills all services with these strings in their name.\r\n\"SQL\", \"database\", \"msexchange\"\r\nFirst, it calls OpenSCManagerA to obtain a handle to the service control manager and calls\r\nEnumServicesStatusA to enumerate all Win32 services with status SERVICE_ACTIVE.\r\nFigure 10: Enumerating through all active services.\r\nIf a service contains any of the three strings above, MountLocker will terminate it by calling OpenServiceA to\r\nobtain a service control handle and calling ControlService to send a control stop code. 
It then continuously loops\r\nuntil the service’s state is SERVICE_CONTROL_STOP to make sure the service is fully terminated.\r\nFigure 11: Sending control stop code to terminate service.\r\nTerminating Processes\r\nIf it’s running in local mode and the /NOKILL argument is 0, MountLocker will enumerate and kill all processes\r\nwith these strings in their name.\r\n\"msftesql.exe\", \"sqlagent.exe\", \"sqlbrowser.exe\", \"sqlwriter.exe\", \"oracle.exe\", \"ocssd.exe\",\r\n\"dbsnmp.exe\", \"synctime.exe\", \"agntsvc.exe\", \"isqlplussvc.exe\", \"xfssvccon.exe\", \"sqlservr.exe\",\r\n\"mydesktopservice.exe\", \"ocautoupds.exe\", \"encsvc.exe\", \"firefoxconfig.exe\", \"tbirdconfig.exe\",\r\n\"mydesktopqos.exe\", \"ocomm.exe\", \"mysqld.exe\", \"mysqld-nt.exe\", \"mysqld-opt.exe\", \"dbeng50.exe\",\r\n\"sqbcoreservice.exe\", \"excel.exe\", \"infopath.exe\", \"msaccess.exe\", \"mspub.exe\", \"onenote.exe\",\r\n\"outlook.exe\", \"powerpnt.exe\", \"sqlservr.exe\", \"thebat.exe\", \"steam.exe\", \"thebat64.exe\", \"thunderbird.exe\",\r\n\"visio.exe\", \"winword.exe\", \"wordpad.exe\", \"QBW32.exe\", \"QBW64.exe\", \"ipython.exe\", \"wpython.exe\",\r\n\"python.exe\", \"dumpcap.exe\", \"procmon.exe\", \"procmon64.exe\", \"procexp.exe\", \"procexp64.exe\"\r\nThe ransomware first calls ZwQuerySystemInformation with the information class of\r\nSystemProcessInformation to get an array of SYSTEM_PROCESS_INFORMATION structures. It enumerates\r\nthrough each running process, skips its own process, and starts terminating processes in the kill list.\r\nFigure 12: Enumerating through all active processes.\r\nTo check and kill a process, it loops through the PROCESS_TO_KILL list and compares the process name. 
If\r\nthe process name is in the list, it calls OpenProcess to get the handle of that process and terminates it using\r\nTerminateProcess.\r\nFigure 13: Terminating processes that are in the kill list.\r\nGenerating Global ChaCha20 Key\r\nNext, it randomly generates the global ChaCha20 key. The randomization is done through calling the rdtsc\r\ninstruction to get the processor time stamp and XORing its least significant byte to generate each byte in the key.\r\nAfter generating the global key, the ransomware copies the key to another global buffer in memory and encrypts\r\nthis new buffer using the hard-coded RSA-2048 key.\r\nFigure 14: Randomly generate global ChaCha20 key and encrypt it with RSA-2048.\r\nMountLocker later uses this global ChaCha20 key to encrypt and protect its ChaCha20 keys instead of using\r\nRSA-2048. 
Since RSA-2048 encryption is only performed once, there is some performance advantage with this\r\nhybrid-cryptography scheme since RSA is quite slow compared to ChaCha20.\r\nEncryption\r\nCreating Encryption Threads\r\nDespite having different schemes for different drive types and targets, the encryption functionality is pretty much\r\nthe same.\r\nMountLocker has a specific function that takes in a drive/file name to encrypt and a function to enumerate\r\nthrough it as parameters.\r\nThis function first passes the enumerating function and the target name to a custom structure before spawning a\r\nthread to begin the encryption.\r\nThis thread acts as the main thread in the encryption, which recursively enumerates and provides files for child\r\nthreads to encrypt.\r\nFigure 15: Spawning main thread.\r\nThe main thread function calls CreateEventA to create an event handle for each child thread, which it later uses to send them\r\nfile information by calling SetEvent.\r\nOnly 2 child worker threads are spawned, and these threads loop and wait to receive files from the main\r\nthread to encrypt. 
The main thread will begin feeding them files by calling the enumeration function in the custom\r\nstructure above and enumerating through the target folder.\r\nFigure 16: Main thread spawning child threads and starting file enumeration.\r\nChild Worker Threads\r\nOnce spawned, each worker thread receives a structure shared with the main thread, and it constantly loops to\r\ncheck whether the encrypt signal in this shared structure is 1.\r\nBecause synchronization is done by sharing a common structure among threads, the child thread calls\r\n_InterlockedExchange to atomically read the encrypt signal and check whether it’s allowed to encrypt.\r\nAs it finds files to encrypt, the main thread adds the file name to the shared structure and sets the encrypt signal\r\nfor the child thread to process that file.\r\nFigure 17: Child thread waiting for encrypt signal to encrypt files.\r\nAfter receiving the file information, the worker thread creates a structure to store file information such as\r\nfilename, encrypted filename, file handle, file size, …\r\nIt then checks whether it has privilege to open the file and retrieves the file size.\r\nFigure 18: Checking if file can be opened.\r\nNext, it randomly generates the file’s ChaCha20 key and appends it to the file structure above. The randomization\r\nis done through calling the rdtsc instruction, similar to the global ChaCha20 key generation.\r\nFigure 19: Randomly generating ChaCha20 key for each file.\r\nAfter generating the ChaCha20 file key, the worker thread creates a 313-byte buffer that stores the file marker\r\nstring “lock2” in little endian, the fast encryption size, the encrypted ChaCha20 global key, and the encrypted\r\nChaCha20 file key. 
This buffer is appended at the end of the to-be-encrypted file.\r\nFigure 20: Generating key buffer and writing it at the end of the file.\r\nHere is the layout of the key buffer at the end of an encrypted file.\r\nFigure 21: Key buffer layout.\r\nFile encryption is pretty standard. The worker thread encrypts a 0x100000-byte chunk at a time until it has\r\nencrypted FAST_CRYPT_SIZE bytes or has run out of bytes to encrypt.\r\nIt uses ReadFile to read file content into a buffer, encrypts it using the ChaCha20 file key, and writes it back\r\nusing WriteFile. Because encryption is performed in place on the same file, SetFilePointerEx is called to adjust the file\r\npointer after reading and writing.\r\nFigure 22: ChaCha20 File Encryption.\r\nI won’t analyze the ChaCha20 function because MountLocker basically just uses this CRYPTOGAMS library by\r\nOpenSSL.\r\nMain Thread Enumeration\r\nMountLocker uses the same function for file traversal for network drives, network shares, and local drives.\r\nBefore traversing a drive, the ransomware checks if a marker file name is provided from the /MARKER=\r\ncommand line argument. If it is, MountLocker creates an empty file with this marker file name in the to-be-encrypted drive before enumerating it. This is mainly for marking which drive has been encrypted.\r\nFigure 23: Creating drive marker file.\r\nTo enumerate through folders, MountLocker calls FindFirstFileW and FindNextFileW. 
When enumerating\r\nthrough network servers, it will use WNetOpenEnumW and WNetEnumResourceW instead.\r\nFigure 24: Recursive file traversal.\r\nThe ransomware also calls a function to check if it should encrypt each file/folder that it finds.\r\nWhen processing a folder, the checking function will check for the following things. If any of these is true, the\r\nfolder is skipped.\r\n - If folder name is \".\" or \"..\"\r\n - If folder name is in the FOLDER_TO_AVOID list\r\n - If folder name is \"Program Files\", \"Program Files (x86)\", \"ProgramData\", or \"SQL\"\r\n - If calling CreateFileW on the folder fails.\r\n - If folder's reparse tag is not IO_REPARSE_TAG_MOUNT_POINT (folder is a mount point)\r\n or IO_REPARSE_TAG_SYMLINK (folder is a symbolic link)\r\n - If folder name is in a share name format\r\n - If folder is a mount point and is visible\r\nBelow is the FOLDER_TO_AVOID list.\r\n\":\\\\Windows\\\\\", \":\\\\System Volume Information\\\\\", \":\\\\$RECYCLE.BIN\\\\\", \":\\\\SYSTEM.SAV\", \":\\\\WINNT\",\r\n\":\\\\$WINDOWS.~BT\\\\\", \":\\\\Windows.old\\\\\", \":\\\\PerfLog\\\\\", \":\\\\Boot\", \":\\\\ProgramData\\\\Microsoft\\\\\",\r\n\":\\\\ProgramData\\\\Packages\\\\\", \"$\\\\Windows\\\\\", \"$\\\\System Volume Information\\\\\", \"$\\\\$RECYCLE.BIN\\\\\",\r\n\"$\\\\SYSTEM.SAV\", \"$\\\\WINNT\", \"$\\\\$WINDOWS.~BT\\\\\", \"$\\\\Windows.old\\\\\", \"$\\\\PerfLog\\\\\", \"$\\\\Boot\",\r\n\"$\\\\ProgramData\\\\Microsoft\\\\\", \"$\\\\ProgramData\\\\Packages\\\\\", \"\\\\WindowsApps\\\\\", \"\\\\Microsoft\\\\Windows\\\\\",\r\n\"\\\\Local\\\\Packages\\\\\", \"\\\\Windows Defender\", \"\\\\microsoft shared\\\\\", \"\\\\Google\\\\Chrome\\\\\", \"\\\\Mozilla Firefox\\\\\",\r\n\"\\\\Mozilla\\\\Firefox\\\\\", \"\\\\Internet Explorer\\\\\", \"\\\\MicrosoftEdge\\\\\", \"\\\\Tor Browser\\\\\", \"\\\\AppData\\\\Local\\\\Temp\r\nIf the folder is valid and there is no ransom note file in the folder yet, MountLocker will drop a ransom note in\r\nthe folder.\r\nFigure 25: Dropping ransom note.\r\nWhen processing a file, the checking function checks for the following things. If any of these is true, the file is\r\nskipped.\r\n - If file size is less than MIN_CRYPT_SIZE (if MIN_CRYPT_SIZE is provided)\r\n or if file size is larger than MAX_CRYPT_SIZE (if MAX_CRYPT_SIZE is provided)\r\n - If file name is \"RecoveryManual.html\", \"bootmgr\", or has the encrypted file extension.\r\n - If file extension is in the EXTENSION_TO_AVOID list\r\nBelow is the EXTENSION_TO_AVOID list.\r\n\"exe\", \"dll\", \"sys\", \"msi\", \"mui\", \"inf\", \"cat\", \"bat\", \"cmd\", \"ps1\", \"vbs\", \"ttf\", \"fon\", \"lnk\"\r\nIf the file is valid, the ransomware’s main thread will populate the shared file structure with the file name for its\r\nworker thread to encrypt.\r\nBecause of synchronization concerns, the main thread also has to call WaitForSingleObject and\r\n_InterlockedExchange to wait until it has access to the shared structure.\r\nAfter populating the file structure, it calls SetEvent to signal the event for worker threads to encrypt.\r\nFigure 26: Calling SetEvent to signal file encryption.\r\nWorm Property\r\nSimilar to WannaCry and Ryuk, this MountLocker sample is a combination of ransomware and worm with the\r\nability to self-propagate to other hosts in the network.\r\nUnlike WannaCry, this ransomware does not use any 0-day exploit but instead just uses COM interfaces such as\r\nIDirectorySearch and IWbemServices to spread and execute itself.\r\nMountLocker has this structure that is shared among all worm threads.\r\nstruct WORM_STRUCT\r\n{\r\n _QWORD function; // function to 
launch ransomware remotely\r\n _QWORD func_param; // function's parameter\r\n HANDLE hEvent; // worm event\r\n HANDLE hSemaphore; // worm semaphore\r\n};\r\nFirst, memory is allocated for this structure, and the event handle and semaphore handle are created. The\r\nransomware launching function and its parameter are initially left null.\r\nMountLocker creates 8 threads to execute this worm property.\r\nFigure 27: Populating worm struct and creating worm threads.\r\nEach of these threads waits for the event to be signaled by the main thread before calling the worm function to\r\nexecute the ransomware remotely. The main thread will set this worm function accordingly before signaling the\r\nevent.\r\nFigure 28: Worm worker threads.\r\nAfter creating these worker threads, the main thread begins enumerating the Windows domain that the current host\r\nis in.\r\nThis is accomplished through calling NetGetDCName to get the name of the primary domain controller and\r\nappending this name after the string “LDAP://”.\r\nFigure 29: Building LDAP path.\r\nLightweight Directory Access Protocol (LDAP) is a protocol to communicate with and query several different types of\r\ndirectories, and in this case, MountLocker uses it to make Active Directory query requests to the primary domain\r\ncontroller.\r\nIt calls ADsOpenObject with the newly built ADsPath string and provides the credential (username and\r\npassword) from the /LOGIN= and /PASSWORD= arguments. 
The RIID provided is {109BA8EC-92F0-11D0-A790-00C04FD8D5A8}, and through this call, the ransomware retrieves the IDirectorySearch interface.\r\nThis trick to query IDirectorySearch was previously used by Trickbot, as explained by Vitali here.\r\nFigure 30: Querying IDirectorySearch interface.\r\nThis interface can be used to execute a search for all domain controllers through its\r\nIDirectorySearch::ExecuteSearch function, which returns an ADs search handle.\r\nMountLocker calls IDirectorySearch::GetFirstRow and IDirectorySearch::GetNextRow to enumerate\r\nthrough all the search results, passing each row into a function to extract its domain controller information.\r\nFigure 31: Enumerating through ADs searches to extract domain controller information.\r\nFor each of these search handles, MountLocker then calls IDirectorySearch::GetColumn with the column\r\nname “name” to retrieve the corresponding ADS_SEARCH_COLUMN structure at this row.\r\nThis structure contains an array of ADSVALUE structures, and each of these structures contains a DN string of a\r\ndirectory service object in the Active Directory. This Distinguished Name (DN) string is basically a name to\r\nidentify another PC in the network.\r\nFigure 32: Extracting all DN strings of other PCs in the network.\r\nWhen a DN string of a PC is extracted, it’s passed into a function where the ransomware will use it as the function\r\nparameter in the WORM_STRUCT structure. The structure’s function is set to a specific function that drops and\r\nlaunches the sample remotely. 
SetEvent is called to execute this function after the WORM_STRUCT structure is\r\nfully populated.\r\nFigure 33: Setting up WORM_STRUCT and signaling the worm event.\r\nWorm Dropping Function\r\nFirst, the worm thread will try to establish a connection to the remote target PC by calling\r\nWNetAddConnection2W and providing the username and password from the /LOGIN= and /PASSWORD=\r\narguments.\r\nFigure 34: Establishing connection with remote PC.\r\nNext, memory is allocated for a custom structure. I just call this WORM_REMOTE_STRUCT.\r\nstruct WORM_REMOTE_STRUCT\r\n{\r\n LPCWSTR rem_exe_path; // remote executable path\r\n CHAR *launch_exe_cmd; // command line to launch executable\r\n CHAR *PC_name; // remote PC name\r\n CHAR *elevated_PC_path; // Elevated PC path to launch executable\r\n DWORD API_result; // result value\r\n DWORD last_error; // last error value\r\n CHAR *exe_name; // executable name\r\n};\r\nIt then populates this structure. The executable name is a number retrieved from GetTickCount, and the path on\r\nthe host to drop the ransomware is set to “C:\\ProgramData”.\r\nFigure 35: Populating WORM_REMOTE_STRUCT.\r\nThe drop_ransomware function checks if the DN string contains either of the share names with higher privilege,\r\n“\\ADMIN$” and “\\IPC$”. If it does, then MountLocker uses that as the main path in the command to launch the\r\nexecutable. 
If it doesn’t, then it just uses the normal path.\r\nThe ransomware sample is set to be launched with the /NOLOG parameter and any arguments provided in the\r\noriginal /PARAMS= argument.\r\nFinally, it drops the ransomware on the target PC by calling CopyFileW.\r\nFigure 36: Dropping the ransomware on the target PC.\r\nNot only does MountLocker drop the ransomware executable on the target PC, but it also enumerates\r\nthe target PC’s shared resources by calling NetShareEnum. After finding the path to each shared\r\nresource, the ransomware calls drop_ransomware to drop the executable in the shared resource’s system.\r\nFigure 37: Dropping the ransomware on the target PC’s shared resources.\r\nWorm Launching Function\r\nMountLocker has two different ways to launch the executable on the remote host.\r\nIf the /NETWORK argument provided is s, it launches the executable through a service.\r\nFirst, this full cmd.exe command is built.\r\ncmd.exe /c start \"ransomware_path PARAMS_VALUE /NOLOG\"\r\nThen, the ransomware calls OpenSCManagerW to establish a connection to the service control manager on the\r\ntarget PC. Using this handle, it calls CreateServiceW with the command above as its lpBinaryPathName\r\nparameter to create a service handle and calls StartServiceW to launch it.\r\nFigure 38: Launching ransomware on remote host using Service.\r\nIf the /NETWORK argument provided is w, it launches the executable through Windows Management\r\nInstrumentation (WMI).\r\nFirst, MountLocker retrieves the IWbemServices interface. 
This is done by calling CoCreateInstance with the\r\nCLSID {4590F811-1D3A-11D0-891F-00AA004B2E24} to retrieve an IWbemLocator object.\r\nUsing this IWbemLocator object, it calls IWbemLocator::ConnectServer to connect to the PC’s\r\nROOT\\CIMV2 namespace and obtain an IWbemServices object.\r\nFigure 39: Connecting to ROOT\\CIMV2 namespace through COM objects.\r\nFrom here, MountLocker sets up an appropriate SEC_WINNT_AUTH_IDENTITY_A structure with the given\r\nusername and password. It then calls CoSetProxyBlanket to set the authentication information for this\r\nIWbemServices object.\r\nFigure 40: Setting the authentication information for the IWbemServices object.\r\nUsing this IWbemServices object, the ransomware calls the IWbemServices::GetObjectA function with the\r\n“Win32_Process” path to get an IWbemClassObject object corresponding to Win32 processes.\r\nNext, using this “Win32_Process” object, it then calls the IWbemClassObject::GetMethod function with the\r\n“Create” method name to get an IWbemClassObject object corresponding to the method to create a process.\r\nWith this method object, it calls IWbemClassObject::SpawnInstance to create a new instance of the class.\r\nFigure 41: Retrieving the COM object to create a Win32 process.\r\nSince Win32_Process::Create requires a valid value for the command line in-parameter to execute properly,\r\nMountLocker calls the IWbemClassObject::Put function to set the value of the command line to the launching\r\ncommand that it has built above.\r\nFigure 42: Setting valid value for command line in-parameter.\r\nFinally, it calls IWbemServices::ExecMethod to create a Win32 process running the “cmd.exe” command\r\nabove. 
It also checks to see whether the new process is created successfully by checking if the process’s ID has\r\nchanged through calling IWbemClassObject::Get.\r\nFigure 43: Launching ransomware remotely using Win32_Process::Create.\r\nIf any of these steps to drop and launch the executable fails, MountLocker just resorts to using\r\nWNetOpenEnumW and WNetEnumResourceW to enumerate through the victim’s network and drops the\r\nransomware in a similar fashion.\r\nSelf-Deletion\r\nIf the /NODEL argument is set to 0, MountLocker will delete its own executable.\r\nFirst, it creates a .bat file in the TEMP folder with a random name from GetTickCount.\r\nIt writes these commands into the .bat file, which clear the Read-only, System, and Hidden file attributes from the\r\nransomware executable, repeatedly force-delete the executable quietly until it no longer exists, and then delete the .bat file itself.\r\nattrib -s -r -h %1\r\n:l\r\ndel /F /Q %1\r\nif exist %1 goto l\r\ndel %0\r\nNext, MountLocker builds the command line string to execute the .bat file with the executable path as the\r\nparameter and finally calls CreateProcessW to delete itself.\r\nFigure 44: Self-deletion.\r\nYARA rule\r\nrule MountLocker5_0 {\r\nmeta:\r\ndescription = \"YARA rule for MountLocker v5.0\"\r\nreference = \"http://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/\"\r\nauthor = \"@cPeterr\"\r\ntlp = \"white\"\r\nstrings:\r\n$worm_str = \"========== WORM ==========\" wide\r\n$ransom_note_str = \".ReadManual.%0.8X\" wide\r\n$version_str = \"5.0\" wide\r\n$chacha_str = \"ChaCha20 for x86_64, CRYPTOGAMS by \u003cappro@openssl.org\u003e\"\r\n$chacha_const = \"expand 32-byte k\"\r\n$lock_str = \"[OK] locker.file \u003e time=%0.3f size=%0.3f KB speed=%\" wide\r\n$bat_str = \"attrib -s -r -h %1\"\r\n$IDirectorySearch_RIID = 
{ EC A8 9B 10 F0 92 D0 11 A7 90 00 C0 4F D8 D5 A8 }\r\ncondition:\r\nuint16(0) == 0x5a4d and all of them\r\n}\r\nReferences\r\nhttps://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates\r\nhttps://zawadidone.nl/2020/11/26/mount-locker-ransomware-analysis.html\r\nhttps://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker\r\nhttps://github.com/dot-asm/cryptogams/blob/master/x86_64/chacha-x86_64.pl\r\nhttps://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-windows-api-to-worm-through-networks/\r\nSource: https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/"
	],
	"report_names": [
		"MountLockerRansomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434320,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc8ec3304b74d80f29e8c574d35b9e25c9a3ee49.pdf",
		"text": "https://archive.orkl.eu/cc8ec3304b74d80f29e8c574d35b9e25c9a3ee49.txt",
		"img": "https://archive.orkl.eu/cc8ec3304b74d80f29e8c574d35b9e25c9a3ee49.jpg"
	}
}