W32/MBRlock.BA!tr.ransom

Analysis

W32/MBRlock.BA!tr.ransom is a generic detection for the MBRlock family of ransomware trojans. Because the detection is generic, samples covered by it may behave differently.
Below are some of the characteristics/behaviours that have been observed:

  • This ransomware runs command-line operations to:
    • create a new local user account and add it to the Administrators group;
    • forcibly shut down the infected system without notifying the user, with the shutdown time-out set to 2 seconds.

  • This ransomware kills the explorer.exe process (the Windows shell), which removes the user's desktop and taskbar.
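
The command-line behaviour above is what a process-creation log (Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled) records. The following detection logic is an added example, not code from this page or from Fortinet. The events it runs over are constructed, the account name and password are made up, and the exact shutdown switches (/s /f /t 2) and the use of taskkill for explorer.exe are assumptions, because the page reports only the effect. A kill done through the TerminateProcess API rather than taskkill would not appear in process-creation events at all and needs process-access telemetry (Sysmon Event ID 10) instead.

```python
import re

# Constructed process-creation events as (image, command line), the shape a
# parsed Sysmon Event ID 1 or Security 4688 record gives. Not telemetry from a
# real MBRlock sample; the account name and password are made up.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user svc_backup Pa55w0rd! /add"),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c net localgroup administrators svc_backup /add"),
    (r"C:\Windows\System32\taskkill.exe", "taskkill /f /im explorer.exe"),
    (r"C:\Windows\System32\shutdown.exe", "shutdown /s /f /t 2"),
    (r"C:\Windows\System32\shutdown.exe", "shutdown /s /t 600"),  # long time-out: left alone
]

# "net user <name> [password] /add" creates a local account.
NET_USER_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(?P<user>[^\s/]+)(?:\s+\S+)?\s+/add\b", re.I)
# "net localgroup administrators <name> /add". The group name is localized
# ("Administrateurs", ...): extend the alternation or resolve S-1-5-32-544.
LOCALGROUP_ADMIN_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+(?P<user>[^\s/]+)\s+/add\b', re.I)
SHUTDOWN = re.compile(r"\bshutdown(?:\.exe)?\b(?P<args>.*)", re.I)
TASKKILL_EXPLORER = re.compile(r"\btaskkill(?:\.exe)?\b.*\bexplorer\.exe\b", re.I)

# Assumed threshold: the page reports a 2-second time-out. A forced (/f)
# shutdown or reboot with a time-out this short gives the user no chance to react.
MAX_BENIGN_TIMEOUT_SECONDS = 10


def classify(cmdline: str) -> list:
    """Return (rule, detail) pairs matched by one command line."""
    hits = []
    m = NET_USER_ADD.search(cmdline)
    if m:
        hits.append(("create_local_user", m.group("user")))
    m = LOCALGROUP_ADMIN_ADD.search(cmdline)
    if m:
        hits.append(("add_to_administrators", m.group("user")))
    m = SHUTDOWN.search(cmdline)
    if m:
        args = m.group("args")
        halts = re.search(r"[/-][sr]\b", args, re.I) is not None   # /s shutdown, /r reboot
        forced = re.search(r"[/-]f\b", args, re.I) is not None     # /f: close apps without warning
        timeout = re.search(r"[/-]t\s+(\d+)", args, re.I)
        if halts and forced and timeout and int(timeout.group(1)) <= MAX_BENIGN_TIMEOUT_SECONDS:
            hits.append(("forced_shutdown_short_timeout", f"t={timeout.group(1)}"))
    if TASKKILL_EXPLORER.search(cmdline):
        hits.append(("kill_explorer", "taskkill"))
    return hits


def triage(events) -> dict:
    """Score one host's events. Each rule alone is noisy (admins create accounts,
    patch jobs reboot quickly); the combination the page describes is the signal."""
    hits = []
    for image, cmdline in events:
        for rule, detail in classify(cmdline):
            hits.append({"image": image, "rule": rule, "detail": detail})
    rules = {h["rule"] for h in hits}
    suspicious = ({"create_local_user", "add_to_administrators"} <= rules
                  and "forced_shutdown_short_timeout" in rules)
    return {"hits": hits, "rules": sorted(rules), "suspicious": suspicious}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f'{h["rule"]:32} {h["detail"]:14} {h["image"]}')
    print("MBRlock-like:", result["suspicious"])
```

The rules deliberately match on the effect (account created, account made administrator, forced shutdown with a short time-out) rather than on a particular binary name, so `net1.exe`, `-t` instead of `/t`, or a quoted group name still trigger; a sample that achieves the same through the NetUserAdd API instead of net.exe is caught by the 4720/4732 security events, not by this logic.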

  • This ransomware overwrites the Master Boot Record (MBR) of the infected system's disk, so that the system no longer boots into Windows.
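
Reading the first sector of the disk is the quickest way to confirm this behaviour on a suspect machine or on a disk image. The parser below is an added example, not code from this page or from Fortinet: it takes a 512-byte sector, validates the 0x55AA boot signature and the four partition-table entries, flags a bootstrap area that is mostly text, and compares the boot code against a baseline hash taken from a known-good disk. Both sectors it is run on are constructed here; the ransom text, the partition layout and the 50% printable-text threshold are assumptions, not properties of a real MBRlock sample.

```python
from __future__ import annotations
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTSTRAP_END = 440       # x86 boot code; 440..444 disk signature, 444..446 reserved
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # bytes 510..512; the BIOS will not run the sector without it
PRINTABLE_LIMIT = 0.5     # assumed: real boot code is mostly opcodes, not text


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> list[Partition]:
    parts = []
    for i in range(4):
        status, _chs, ptype, _chs2, lba, size = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and lba == 0 and size == 0:
            continue                      # unused slot
        parts.append(Partition(status == 0x80, ptype, lba, size))
    return parts


def assess(mbr: bytes, baseline_sha256: str | None = None) -> list[str]:
    """Return human-readable findings; an empty list means the sector looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"expected {MBR_SIZE} bytes, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing: sector is not a bootable MBR")
    bootstrap = mbr[:BOOTSTRAP_END]
    printable = sum(32 <= b < 127 for b in bootstrap) / len(bootstrap)
    if printable > PRINTABLE_LIMIT:
        findings.append(f"bootstrap area is {printable:.0%} printable text (ransom screen?)")
    if baseline_sha256 and hashlib.sha256(bootstrap).hexdigest() != baseline_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    parts = parse_partition_table(mbr)
    if not parts:
        findings.append("partition table is empty: volumes unreachable until restored")
    elif len([p for p in parts if p.bootable]) != 1:
        findings.append("expected exactly one active partition")
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partition extents overlap at LBA {start_b}")
    return findings


def read_mbr(path: str) -> bytes:
    r"""First sector of a disk or image, e.g. \\.\PhysicalDrive0 on Windows
    (needs administrator rights) or a dd-exported image file."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def make_mbr(bootstrap: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed 512-byte MBR for the demonstration below."""
    body = bootstrap.ljust(BOOTSTRAP_END, b"\x00") + struct.pack("<IH", disk_sig, 0)
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, size)
        for boot, ptype, lba, size in partitions)
    return body + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed "clean" MBR: a few x86 boot-code bytes plus the usual error
# strings and one active NTFS partition. Not a dump from a real machine.
CLEAN_MBR = make_mbr(
    bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cb") + b"\x00" * 300
    + b"Invalid partition table\x00Error loading operating system\x00Missing operating system\x00",
    [(True, 0x07, 2048, 204800)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_END]).hexdigest()

# Constructed "locked" MBR: boot code replaced by a text screen, partition
# table wiped, 0x55AA kept so the BIOS still executes the sector. Real
# samples differ in what they keep.
RANSOM_TEXT = b"YOUR DISK HAS BEEN LOCKED. PAY TO GET THE PASSWORD. "
LOCKED_MBR = make_mbr(b"\xb4\x0e" + RANSOM_TEXT * 8, [])

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("locked", LOCKED_MBR)):
        print(label, assess(sector, BASELINE_SHA256) or ["no findings"])
```

A hash mismatch against a baseline taken from a clean install of the same Windows version is the strongest of the signals; the printable-text check is only a hint, because legitimate MBRs contain a few error strings. On GPT disks the protective MBR holds a single type 0xEE entry that is usually not flagged active, so the "exactly one active partition" check needs adjusting before it is used there.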

  • This ransomware deletes the following registry entries in order to disable Windows Safe Mode. The subkeys under SafeBoot\Minimal and SafeBoot\Network define the only drivers and services that Safe Mode and Safe Mode with Networking load, so once they are gone neither variant can start, which removes the usual recovery path:
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}\"(Default)" = "Universal Serial Bus Controllers"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}\"(Default)" = "CD-ROM Drive"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\"(Default)" = "DiskDrive"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}\"(Default)" = "Standard floppy disk controller"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}\"(Default)" = "Hdc"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}\"(Default)" = "keyboard"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}\"(Default)" = " Mouse"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}\"(Default)" = "PCMCIA Adapters"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}\"(Default)" = "SCSIAdapter"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}\"(Default)" = "System"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\"(Default)" = "floppy disk drive"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\"(Default)" = "Volume"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\"(Default)" = "Human Interface devices"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filesystem\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys\"(Default)" = "FSFilter System Recovery"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\"(Default)" = "Universal Serial Bus Controllers"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\"(Default)" = "CD-ROM Drive"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\"(Default)" = "DiskDrive"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\"(Default)" = "Standard floppy disk controller"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\"(Default)" = "Hdc"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\"(Default)" = "keyboard"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\"(Default)" = " Mouse"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\"(Default)" = "Net"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\"(Default)" = "NetClient"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\"(Default)" = "NetService"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\"(Default)" = "NetTrans"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\"(Default)" = "PCMCIA Adapters"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\"(Default)" = "SCSIAdapter"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\"(Default)" = "System"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\"(Default)" = "Floppy disk drive"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\"(Default)" = "Volume"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\"(Default)" = "Human Interface Devices"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\"(Default)" = "FSFilter System Recovery"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI\"(Default)" = "Driver Group"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\"(Default)" = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC\"(Default)" = "Service"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio\"(Default)" = "Service"

  • This malware may apply any of the following registry modification(s):
    • HKLM\Software\Microsoft\Windows\Currentversion\Run
      • [OriginalMalware].exe = [OriginalMalware]
      The malware configures itself to run every time any user logs on to the infected system.

    • HKCU\Software\Microsoft\Windows\Currentversion\Policies\system
      • DisableTaskmgr = 1
      This registry entry disables Task Manager for the infected user, so the malware's process cannot be ended from it.
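
Both the Safe Mode deletions and the Run/DisableTaskMgr modifications above can be checked from a registry export rather than on the live, locked machine. The script below is an added example, not code from this page or from Fortinet: it parses the text format that `reg export` produces, reports which of the expected SafeBoot\Minimal and SafeBoot\Network subkeys are absent, lists autorun values (flagging those under user-writable directories) and checks the DisableTaskMgr policy. The .reg content it runs on is constructed, the file name locker.exe is hypothetical and not an MBRlock indicator, the expected-subkey list is a subset of the entries listed above, and the user-writable-path heuristic is an assumption.

```python
from __future__ import annotations
import re

# Constructed .reg export from a hypothetical infected host: most Safe Mode
# entries are gone, one Run value points at a user-writable path and Task
# Manager is disabled. "locker.exe" is made up, not a real indicator.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"locker"="C:\\Users\\Public\\locker.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Subset of the entries the page lists, used as the expected baseline. The full
# set depends on the Windows build: export it from a clean machine of the same
# build for real work.
MINIMAL_BASELINE = [
    "{4D36E967-E325-11CE-BFC1-08002BE10318}",  # DiskDrive
    "{4D36E96A-E325-11CE-BFC1-08002BE10318}",  # Hdc
    "{4D36E96B-E325-11CE-BFC1-08002BE10318}",  # keyboard
    "{4D36E97D-E325-11CE-BFC1-08002BE10318}",  # System
    "{71A27CDD-812A-11D0-BEC7-08002BE2092F}",  # Volume
    "Base", "Boot Bus Extender", "Primary disk", "vga.sys", "vgasave.sys",
]
NETWORK_EXTRA = ["{4D36E972-E325-11CE-BFC1-08002BE10318}", "NDIS", "Tcpip", "NetBT"]
# Assumed heuristic: autoruns under user-writable directories deserve a look.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)

HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<raw>.*)$')


def canon(path: str) -> str:
    """Registry paths are case-insensitive; expand HKLM/HKCU and lower-case."""
    head, _, rest = path.partition("\\")
    return HIVES.get(head.lower(), head.lower()) + ("\\" + rest.lower() if rest else "")


def decode_value(raw: str):
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw                     # hex: and multi-line values left undecoded


def parse_reg(text: str) -> dict:
    """{canonical key path: {value name: value}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := REG_KEY.match(line):
            current = canon(m.group("key"))
            keys.setdefault(current, {})
        elif (m := REG_VAL.match(line)) and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name] = decode_value(m.group("raw"))
    return keys


def load_reg(path: str) -> dict:
    """reg export writes UTF-16LE with a BOM; regedit can also save ANSI files."""
    with open(path, "rb") as f:
        data = f.read()
    return parse_reg(data.decode("utf-16" if data.startswith(b"\xff\xfe") else "utf-8", "replace"))


def audit(keys: dict) -> dict:
    missing = []
    for profile, expected in (("Minimal", MINIMAL_BASELINE),
                              ("Network", MINIMAL_BASELINE + NETWORK_EXTRA)):
        for sub in expected:
            if canon(f"{SAFEBOOT}\\{profile}\\{sub}") not in keys:
                missing.append(f"{profile}\\{sub}")
    run_entries = [(name, value, bool(USER_WRITABLE.search(str(value))))
                   for key in RUN_KEYS
                   for name, value in keys.get(canon(key), {}).items()]
    policy = {k.lower(): v for k, v in keys.get(canon(POLICY_KEY), {}).items()}
    return {"missing_safeboot": missing, "run_entries": run_entries,
            "taskmgr_disabled": policy.get("disabletaskmgr") == 1}


if __name__ == "__main__":
    report = audit(parse_reg(SAMPLE_REG))
    print(f'{len(report["missing_safeboot"])} SafeBoot entries missing, e.g. {report["missing_safeboot"][:3]}')
    for name, value, flagged in report["run_entries"]:
        print(("SUSPECT " if flagged else "        ") + f"Run: {name} = {value}")
    print("Task Manager disabled:", report["taskmgr_disabled"])
```

On a live host the input comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg` plus the Run and Policies keys; concatenating the exports is fine because the parser keys everything by full path. For an offline SYSTEM hive taken from a disk image, load it with `reg load` and export from there, remembering that an offline hive has ControlSet001/ControlSet002 rather than CurrentControlSet (the Select\Current value says which one is live), so the SAFEBOOT prefix has to be adjusted. The same clean-machine export that supplies the baseline is also what gets imported to restore Safe Mode once the MBR is repaired.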


  • Below is an illustration of the malware's ransom note:

    • Figure 1: Ransom note.



  • Recommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.
    • Because this malware overwrites the MBR and removes the Safe Mode entries, an infected machine normally has to be cleaned from external boot media (Windows RE or a rescue disk): repair the MBR (for example with bootrec /fixmbr from Windows RE), then restore the SafeBoot keys from a known-good system of the same Windows build.
    • Remove any local administrator account the malware created, and revert the Run entry and DisableTaskMgr policy listed above.

    Telemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2023-11-22 91.09040
    2023-03-14 91.01420
    2023-02-16 91.00651
    2023-02-16 91.00640
    2023-02-10 91.00463
    2023-02-10 91.00462
    2023-02-10 91.00456
    2023-01-10 90.09530
    2022-11-07 90.07625
    2022-10-13 90.06845