Overview

overview

10

Static

static

10

Amigodainapasik.exe

windows7-x64

10

Amigodainapasik.exe

windows10-2004-x64

10

Everything.exe

windows7-x64

6

Everything.exe

windows10-2004-x64

6

Everything32.dll

windows7-x64

10

Everything32.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    virus-files(1).zip

  • Size

    2.2MB

  • Sample

    230814-w6yteagf7w

  • MD5

    bef6535ff903c0a3e7df17e3949c1861

  • SHA1

    786a3ea41bd943b9945849240e98299c778f7809

  • SHA256

    351cfdf1916444b9a975254f900ed2b6c502c2c5cb7b7b5576eedfaa496a986c

  • SHA512

    0d7e61d4449cbce0f355fe3103ee2d57a5e9e6aabfdcc8186c855d4fda47dea8b384cb93c29b7f6b89389a6516b9caca37f33e323fa4fd0ac7c3aa6dad12176f

  • SSDEEP

    49152:yjXc6GuFyXAKgbzptabs89KROwIF2E7n25ZruybP072:eXc6dFyXJgXptEs89dwvKKZyyz072

Score
10/10
mimicevasionpersistenceransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Amigodainapasik_Decryption.txt

Ransom Note
░██████╗░██████╗░███████╗███████╗████████╗██╗███╗░░██╗░██████╗░░██████╗  ███████╗██████╗░░█████╗░███╗░░░███╗ ██╔════╝░██╔══██╗██╔════╝██╔════╝╚══██╔══╝██║████╗░██║██╔════╝░██╔════╝  ██╔════╝██╔══██╗██╔══██╗████╗░████║ ██║░░██╗░██████╔╝█████╗░░█████╗░░░░░██║░░░██║██╔██╗██║██║░░██╗░╚█████╗░  █████╗░░██████╔╝██║░░██║██╔████╔██║ ██║░░╚██╗██╔══██╗██╔══╝░░██╔══╝░░░░░██║░░░██║██║╚████║██║░░╚██╗░╚═══██╗  ██╔══╝░░██╔══██╗██║░░██║██║╚██╔╝██║ ╚██████╔╝██║░░██║███████╗███████╗░░░██║░░░██║██║░╚███║╚██████╔╝██████╔╝  ██║░░░░░██║░░██║╚█████╔╝██║░╚═╝░██║ ░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝░░░╚═╝░░░╚═╝╚═╝░░╚══╝░╚═════╝░╚═════╝░  ╚═╝░░░░░╚═╝░░╚═╝░╚════╝░╚═╝░░░░░╚═╝ ░█████╗░██╗░░░░░██████╗░░█████╗░███╗░░██╗██╗░█████╗░██╗ ██╔══██╗██║░░░░░██╔══██╗██╔══██╗████╗░██║██║██╔══██╗██║ ███████║██║░░░░░██████╦╝███████║██╔██╗██║██║███████║██║ ██╔══██║██║░░░░░██╔══██╗██╔══██║██║╚████║██║██╔══██║╚═╝ ██║░░██║███████╗██████╦╝██║░░██║██║░╚███║██║██║░░██║██╗ ╚═╝░░╚═╝╚══════╝╚═════╝░╚═╝░░╚═╝╚═╝░░╚══╝╚═╝╚═╝░░╚═╝╚═╝ -----------------------------[ Hello, My Dear Friend !!! ]-------------------------- ALL YOUR FILES HAVE BEEN ENCRYPTED DUE TO A SECURITY PROBLEM WITH YOUR PC. If you want to restore them : 1) Send your unique id hty9hx_RhOmlJcG-C2fRdLQ_XXurC7q4UK8olaBU-Fo*an8uxv2w and max 3 files for test decryption OUR CONTACTS: 1.1) TOX messenger (fast and anonymous) https://tox.chat/download.html Install qtox Press sign up Create your own name Press plus Put there our tox ID: E9164A982410EFAEBC451C1D5629A2CBB75DBB6BCDBD6D2BA94F4D0A7B0B616F911496E469FB And add me/write message 1.2) ICQ Messenger ICQ live chat which works 24/7 - @Amigodainapasik Install ICQ software on your PC here https://icq.com/windows/ or on your smartphone search for "ICQ" in Appstore / Google market Write to our ICQ @Amigodainapasik https://icq.im/Amigodainapasik 1.3) Skype Amigodainapasik Decryption 1.4) Mail (write only in critical situations bcs your email may not be delivered or get in spam) * [email protected] In subject line please write your decryption ID: hty9hx_RhOmlJcG-C2fRdLQ_XXurC7q4UK8olaBU-Fo*an8uxv2w You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. FREE DECRYPTION AS A GUARANTEE! Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.) How to obtain Bitcoins: https://www.alfa.cash/buy-crypto-with-credit-card (the fastest way) buy.coingate.com https://bitcoin.org/en/buy https://buy.moonpay.io binance.com coinmama.com ATTENTION!!! Do not rename encrypted files! Do not try to decrypt your data using third party software, it may cause permanent data loss! Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you may become a victim of a scam!
URLs

https://tox.chat/download.html

https://icq.com/windows/

https://icq.im/Amigodainapasik

https://www.alfa.cash/buy-crypto-with-credit-card

Extracted

Path

C:\Users\Admin\AppData\Local\Amigodainapasik_Decryption.txt

Ransom Note
░██████╗░██████╗░███████╗███████╗████████╗██╗███╗░░██╗░██████╗░░██████╗  ███████╗██████╗░░█████╗░███╗░░░███╗ ██╔════╝░██╔══██╗██╔════╝██╔════╝╚══██╔══╝██║████╗░██║██╔════╝░██╔════╝  ██╔════╝██╔══██╗██╔══██╗████╗░████║ ██║░░██╗░██████╔╝█████╗░░█████╗░░░░░██║░░░██║██╔██╗██║██║░░██╗░╚█████╗░  █████╗░░██████╔╝██║░░██║██╔████╔██║ ██║░░╚██╗██╔══██╗██╔══╝░░██╔══╝░░░░░██║░░░██║██║╚████║██║░░╚██╗░╚═══██╗  ██╔══╝░░██╔══██╗██║░░██║██║╚██╔╝██║ ╚██████╔╝██║░░██║███████╗███████╗░░░██║░░░██║██║░╚███║╚██████╔╝██████╔╝  ██║░░░░░██║░░██║╚█████╔╝██║░╚═╝░██║ ░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝░░░╚═╝░░░╚═╝╚═╝░░╚══╝░╚═════╝░╚═════╝░  ╚═╝░░░░░╚═╝░░╚═╝░╚════╝░╚═╝░░░░░╚═╝ ░█████╗░██╗░░░░░██████╗░░█████╗░███╗░░██╗██╗░█████╗░██╗ ██╔══██╗██║░░░░░██╔══██╗██╔══██╗████╗░██║██║██╔══██╗██║ ███████║██║░░░░░██████╦╝███████║██╔██╗██║██║███████║██║ ██╔══██║██║░░░░░██╔══██╗██╔══██║██║╚████║██║██╔══██║╚═╝ ██║░░██║███████╗██████╦╝██║░░██║██║░╚███║██║██║░░██║██╗ ╚═╝░░╚═╝╚══════╝╚═════╝░╚═╝░░╚═╝╚═╝░░╚══╝╚═╝╚═╝░░╚═╝╚═╝ -----------------------------[ Hello, My Dear Friend !!! ]-------------------------- ALL YOUR FILES HAVE BEEN ENCRYPTED DUE TO A SECURITY PROBLEM WITH YOUR PC. If you want to restore them : 1) Send your unique id Kq_UBu8xmLkZE_xBBz3Vg1Yys6fsMmPgx2bKWx-gey4*an8uxv2w and max 3 files for test decryption OUR CONTACTS: 1.1) TOX messenger (fast and anonymous) https://tox.chat/download.html Install qtox Press sign up Create your own name Press plus Put there our tox ID: E9164A982410EFAEBC451C1D5629A2CBB75DBB6BCDBD6D2BA94F4D0A7B0B616F911496E469FB And add me/write message 1.2) ICQ Messenger ICQ live chat which works 24/7 - @Amigodainapasik Install ICQ software on your PC here https://icq.com/windows/ or on your smartphone search for "ICQ" in Appstore / Google market Write to our ICQ @Amigodainapasik https://icq.im/Amigodainapasik 1.3) Skype Amigodainapasik Decryption 1.4) Mail (write only in critical situations bcs your email may not be delivered or get in spam) * [email protected] In subject line please write your decryption ID: Kq_UBu8xmLkZE_xBBz3Vg1Yys6fsMmPgx2bKWx-gey4*an8uxv2w You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. FREE DECRYPTION AS A GUARANTEE! Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.) How to obtain Bitcoins: https://www.alfa.cash/buy-crypto-with-credit-card (the fastest way) buy.coingate.com https://bitcoin.org/en/buy https://buy.moonpay.io binance.com coinmama.com ATTENTION!!! Do not rename encrypted files! Do not try to decrypt your data using third party software, it may cause permanent data loss! Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you may become a victim of a scam!
URLs

https://tox.chat/download.html

https://icq.com/windows/

https://icq.im/Amigodainapasik

https://www.alfa.cash/buy-crypto-with-credit-card

Targets

    • Target

      Amigodainapasik.exe

    • Size

      2.3MB

    • MD5

      0da0f742cf3bd80919716fbd03299189

    • SHA1

      0ff0f5254e399aa2d487dd7f0dec032a3429f257

    • SHA256

      8f8ce3e99d843a4beb1d3d961a7cab27e75e32490132464e448bdbcd97ddcfd5

    • SHA512

      ce92c93973120a2808b7b33c20324f450b1e33aa1637fd2a66bc3c8f56cd44ec492e71cd8e34eb807c6cbfc5e356332b487144168de531be787ebb75ee3778f3

    • SSDEEP

      49152:ohBJrWt7Yfg1evewmI874ZtPttM/G/jOayrdDKr:ohBJrWF04RIu4Zfa3rdOr

    Score
    10/10
    mimicevasionpersistenceransomwaretrojan

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

      ransomwaremimic

    • UAC bypass

      evasiontrojan

    • Clears Windows event logs

      evasionransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (2762) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Renames multiple (5772) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Sets file execution options in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      Everything.exe

    • Size

      1.7MB

    • MD5

      c44487ce1827ce26ac4699432d15b42a

    • SHA1

      8434080fad778057a50607364fee8b481f0feef8

    • SHA256

      4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

    • SHA512

      a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

    • SSDEEP

      49152:sVzyP4BTkT3EApTLi2CCzMn3jzjAhFEy+eaXr:sVzyABTwEH

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

    • Target

      Everything32.dll

    • Size

      84KB

    • MD5

      3b03324537327811bbbaff4aafa4d75b

    • SHA1

      1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

    • SHA256

      8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

    • SHA512

      ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

    • SSDEEP

      768:r7q2ysU1Jr1SHx6p73TpzkqVVWwupGKcrrbRkzOnORqhJtfwxnZRqFlP+YiXoyIZ:r7q2EJx+OVkqTIZerpnA2tfet7XJIZ

    Score
    10/10
    mimicpersistenceransomware

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

      ransomwaremimic

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

3
T1070

File Deletion

2
T1070.004

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3
T1490

Tasks