mimic

General

Target

96C63C3C423E4B1117E0C82E5796DCD5F1C0D683.7z
Size

2.5MB
Sample

231117-kpfeysgd97
MD5

e4df1ac6eda1916ed36236d4cf51e880
SHA1

e17414118419f507dac84b673fb0992f2f704edd
SHA256

aadf321b2c07b98319937844793afa4d1b5f3501919305ef684911cf131286d5
SHA512

e07e601645ab11612fa726683e8daab707dfdb2b035814930c1a3671928ddb98ab943460ce390893c98da40eaf316fd8ab8885ae53e1a17b7cf48794185f1dd5
SSDEEP

49152:ezRVmRWV7q1PsXrKqt4DBHK0fZBjGxiVusAp5H1XaOnOq1GPi:AqRWVgsbKqto7xBjGxiVJE1POq1G6

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note

Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected] [email protected] [email protected]

Emails

IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected]

[email protected]

Targets

- Target
  
  96C63C3C423E4B1117E0C82E5796DCD5F1C0D683.exe
- Size
  
  2.5MB
- MD5
  
  b4448ceddd85ec0f061f53ab1a977b5e
- SHA1
  
  96c63c3c423e4b1117e0c82e5796dcd5f1c0d683
- SHA256
  
  d7c50dce5f77ae0f144843e8eaf3e29034e14f6ac9293f0dbdf59fd2fc257452
- SHA512
  
  29f1c8f4d1e551e31d453c455bddb1e9fe8d74bca35338757ab9d3b31110c460b69ed06d5b452376b57afa4a82f5d4b2cdab7dfa8e636cb800d0a3fcded4b1f3
- SSDEEP
  
  49152:QgwR+ifu1DBgutBPN2q1dNnzbpz7Mwulf+qV8L77hpe3D04dtaa7P:QgwR+vguPP/7NzRMwulF8L/hpe3YI
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3697) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (5789) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2