General

  • Target

    Muestra R.zip.zip

  • Size

    2.0MB

  • Sample

    231114-fbqljsha73

  • MD5

    1248035968297d6f78182eb0eb08ad75

  • SHA1

    174aa59b015ab9a2a985be7f28c9f7df72c268ea

  • SHA256

    2fad23f72a2bdb4d33ca071d46dc01a3e723c391eef7cfc126bbce275c571f50

  • SHA512

    65d1b1b13cd2cb26f6fc533fe8e08b27baba35c25b868c4722039930a9f21bc02799680e91821690e3adbb01a1266d9ce68fe2cd6aacd3ad349689c4996fe925

  • SSDEEP

    49152:M3LTt0Waq3X6lN7PDxoI6D2BZ/s3VlUrQAcgNTCVoUvhOKmePyXK8:M3LyW7H2Pa2P2YQAFmNZKXv

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Instruction.txt

Ransom Note
Good afternoon. We recommend that you read the entire text carefully. All of your files, documents and databases are encrypted. Restore files without our help is impossible. Encryption keys are only available to us. We have also downloaded your data, the data of your employees, contracts and confidential information. If we are not in agreement with you the data will be auctioned or put in the public domain. In one week we guarantee that the journalists will not find out about the incident. But I think we'll make a deal.

Your personal ID: xvi_McnU_uN8pwMkx3nqoBkn-AoH1Q09m5rqwhdjQkA*pa4yg3aq2

==================================================================

In order to transcribe, you need to do 6 simple steps.

1. contact us by email: [email protected]
2. Introduce yourself and your job title and company name.
3. Tell us your personal ID. (it is necessary for us to generate a decryptor)
4. So you can check if we can decrypt it, send us two files up to 2 mb in size.
5. In response we specify the amount and details for payment.
6. After payment you get the program which will decrypt and return the files to their original state.

==================================================================

* IMPORTANT! If you want the decryption procedure to be effective, DO NOT delete or change the encrypted files! This will cause big problems with the decryption process.

** WARNING! Any organization or individual claiming to be able to decrypt your data should be avoided! They buy programs from us and sell them for twice the price.

P.S. If you have not received an answer within 48 hours. You need to contact us via Backup Contact.

Backup email: [email protected]

Targets

    • Target

      pa4yg3aq2.exe

    • Size

      2.0MB

    • MD5

      e5e0fa7832b6630d54f99da00087ffca

    • SHA1

      8300201409248528bcc9ec16d54296658fc77a74

    • SHA256

      bfa636627ea8a5fc3053875e45eee1c0ae08d442c71ccfb9b672457229895548

    • SHA512

      c6c2532e22ae3a180b29b9d4be63fed41116080d5e135c41c87bf59ef7dddbc8b5e22f2aa098e2b3a1f6ae296aab4172d924c36908dff4c4ad412e201692850f

    • SSDEEP

      49152:wgwRFifu1DBgutBPNzbLZFFpimjrkrFmaCntQxi7AJVqDsHpm:wgwRFvguPPpbdYsgF1wtQ87ADosg

    • Detects Mimic ransomware

    • Mimic

      Ransomware family first observed in the wild in 2022.

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Renames multiple (218) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (90) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15