General

  • Target

    1.7z

  • Size

    2.0MB

  • Sample

    231112-qvdffagh84

  • MD5

    197d90305f284ea18cc351d4db78b9a3

  • SHA1

    e2ebafdf00812a4dae2fa5ecb5fc2c012f949fc5

  • SHA256

    b88691f30a8387bcad3d54d8872558254fe781f173d22e16c3e45b6651153062

  • SHA512

    21a5dba7197baa8f376205be2683adb74918371ccce91a68fdce4b43e35cccd6e0a034e6343236c9a3a73a5856613633cd0c0dad8390c832b73a325ddb025755

  • SSDEEP

    49152:mNawccb1XoOMpHIoClrQt0oZAVI16tkGX1Iz:mQGFRCHIJlrQt0oZnQtkGX1G

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Instruction.txt

Ransom Note
Good afternoon. We recommend that you read the entire text carefully. All of your files, documents and databases are encrypted. Restore files without our help is impossible. Encryption keys are only available to us. We have also downloaded your data, the data of your employees, contracts and confidential information. If we are not in agreement with you the data will be auctioned or put in the public domain. In one week we guarantee that the journalists will not find out about the incident. But I think we'll make a deal.

Your personal ID: xvi_McnU_uN8pwMkx3nqoBkn-AoH1Q09m5rqwhdjQkA*pa4yg3aq2

==================================================================

In order to transcribe, you need to do 6 simple steps.

1. contact us by email: [email protected]
2. Introduce yourself and your job title and company name.
3. Tell us your personal ID. (it is necessary for us to generate a decryptor)
4. So you can check if we can decrypt it, send us two files up to 2 mb in size.
5. In response we specify the amount and details for payment.
6. After payment you get the program which will decrypt and return the files to their original state.

==================================================================

* IMPORTANT! If you want the decryption procedure to be effective, DO NOT delete or change the encrypted files! This will cause big problems with the decryption process.

** WARNING! Any organization or individual claiming to be able to decrypt your data should be avoided! They buy programs from us and sell them for twice the price.

P.S. If you have not received an answer within 48 hours. You need to contact us via Backup Contact.

Backup email: [email protected]

Targets

    • Target

      pa4yg3aq2.exe

    • Size

      2.0MB

    • MD5

      e5e0fa7832b6630d54f99da00087ffca

    • SHA1

      8300201409248528bcc9ec16d54296658fc77a74

    • SHA256

      bfa636627ea8a5fc3053875e45eee1c0ae08d442c71ccfb9b672457229895548

    • SHA512

      c6c2532e22ae3a180b29b9d4be63fed41116080d5e135c41c87bf59ef7dddbc8b5e22f2aa098e2b3a1f6ae296aab4172d924c36908dff4c4ad412e201692850f

    • SSDEEP

      49152:wgwRFifu1DBgutBPNzbLZFFpimjrkrFmaCntQxi7AJVqDsHpm:wgwRFvguPPpbdYsgF1wtQ87ADosg

    • Detects Mimic ransomware

    • Mimic

      Ransomware family first observed in the wild in 2022.

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Renames multiple (200) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Renames multiple (240) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks