mimic

Sharing

Copy URL

Twitter E-mail

General

Target

4.7z
Size

4.0MB
Sample

231117-r1z23aab25
MD5

dfda7f6db6e19993c685dcb5a69f72bf
SHA1

fa424edb2ed8c94c79f9f54c6329f8b5c1e6bfaf
SHA256

11ca7dde1ceb9acfcb147f100deb4654f2586f1f2af2727e8c40be8f9ca794d9
SHA512

7c666e0c32c94b40eb4804e35fc70395137ac39357af46dcb03b32fa6806d12dd321d897effea97c6fa17d7d6e8bda1acf69eca41eff3950d066ef0b2a77528d
SSDEEP

98304:VuQW6/ukf3zzcLP3ElVmNiyZav0ZYTJfWimxfIyeLrEO84Gm+awwp:VtWOfXcsqiyZel+dhgEO8Rawwp

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note

Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected] [email protected] [email protected]

Emails

dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected]

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note

Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected] [email protected] [email protected]

Emails

IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected]

[email protected]

Targets

- Target
  
  1.exe
- Size
  
  2.5MB
- MD5
  
  b6871cef458a765d51e3b0a1ae324e60
- SHA1
  
  b62dda6efcc41ef4fdf6b3990b64ff54f08f2e56
- SHA256
  
  a5182257daef1abde3a971ed1c3d9c3bee6d74fa3d4b0bcb379e5a9dd57340ea
- SHA512
  
  b11376ecfba8c3b03afc03ac001619769b6e3284518b199413b0f0403a7e71a977337a11d2c5afd0f023141bf609df22b8a7dd3f91f7c198aba91387c4e76d7f
- SSDEEP
  
  49152:QgwRqifu1DBgutBPNeSGIB10SvOGbRrPas8L5pBWBm7dziiM:QgwRqvguPPCbSzris8LfBWBPp
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (1005) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (1924) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  2.exe
- Size
  
  2.5MB
- MD5
  
  b4448ceddd85ec0f061f53ab1a977b5e
- SHA1
  
  96c63c3c423e4b1117e0c82e5796dcd5f1c0d683
- SHA256
  
  d7c50dce5f77ae0f144843e8eaf3e29034e14f6ac9293f0dbdf59fd2fc257452
- SHA512
  
  29f1c8f4d1e551e31d453c455bddb1e9fe8d74bca35338757ab9d3b31110c460b69ed06d5b452376b57afa4a82f5d4b2cdab7dfa8e636cb800d0a3fcded4b1f3
- SSDEEP
  
  49152:QgwR+ifu1DBgutBPN2q1dNnzbpz7Mwulf+qV8L77hpe3D04dtaa7P:QgwR+vguPP/7NzRMwulF8L/hpe3YI
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (1679) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (2597) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  3.exe
- Size
  
  2.5MB
- MD5
  
  937e0ce2cea3458236b6048250f341da
- SHA1
  
  9f28ec0fbc4254eab70799d62ae297df1bf5e0c7
- SHA256
  
  50080976f722a7c65fedbf8ce187521117714e1728ddbaf1153fbca950bee0fb
- SHA512
  
  afbcf1201bc438f8f572879d67241421d1234f1dd622b9c783d93f800749290a82e7ad53c5127eacef71bf8bdb02056e62b9d0352a9ef636120aa00d60cf0759
- SSDEEP
  
  49152:QgwRqifu1DBgutBPNeSGIB10SvOGbRrPas8L5pBWBm7dziiv:QgwRqvguPPCbSzris8LfBWBPK
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3704) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (5787) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  4.exe
- Size
  
  2.5MB
- MD5
  
  079610302f0c449bb454fbd348326fa3
- SHA1
  
  35355d776ed07c193243e6eb24d45718a021b835
- SHA256
  
  e4249546f902dfcf2a13540b5e843f33e622937d89b081b9959257642bc9e661
- SHA512
  
  d9b0bf9bae684a18ced71feaa1ae6019eeab2f7af7008b5f040b730ef44d80e1e6d6b4aed03d75129e9f044b0a8e37bbc7861f4352052888e1836c443d5064e2
- SSDEEP
  
  49152:QgwR+ifu1DBgutBPN2q1dNnzbpz7Mwulf+qV8L77hpe3D04dtaa7X:QgwR+vguPP/7NzRMwulF8L/hpe3YM
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (1494) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (1597) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral7 behavioral8