mimic

General

Target

c911cb9a5483344eaddb94774ed9779440f1b7c80c09a379010c8c5695814e26
Size

5.1MB
Sample

231120-hr14bsfa5y
MD5

c0ea265cfb35abba2f76e1dbb80b292e
SHA1

bbb3e44bf4b760aebf52967891b6025b19d2b9bf
SHA256

c911cb9a5483344eaddb94774ed9779440f1b7c80c09a379010c8c5695814e26
SHA512

c2bc2b649d7a1fd1f06163c75fe0187df587d3801026ca50f6926c2317d6dcf1c6f7f7a23d12ef98a36411907edb6ae7f4655070fa59834ed6b3efdffc590766
SSDEEP

98304:0gwRqvguPPCbSzris8LfBWBPlgwR+vguPP/7NzRMwulF8L/hpe3Y7:0gfvsbYiLjBiPlgVvlNzRBnza3m

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note

Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected] [email protected] [email protected]

Emails

dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected]

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note

Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected] [email protected] [email protected]

Emails

IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected]

[email protected]

Targets

- Target
  
  3.exe
- Size
  
  2.5MB
- MD5
  
  937e0ce2cea3458236b6048250f341da
- SHA1
  
  9f28ec0fbc4254eab70799d62ae297df1bf5e0c7
- SHA256
  
  50080976f722a7c65fedbf8ce187521117714e1728ddbaf1153fbca950bee0fb
- SHA512
  
  afbcf1201bc438f8f572879d67241421d1234f1dd622b9c783d93f800749290a82e7ad53c5127eacef71bf8bdb02056e62b9d0352a9ef636120aa00d60cf0759
- SSDEEP
  
  49152:QgwRqifu1DBgutBPNeSGIB10SvOGbRrPas8L5pBWBm7dziiv:QgwRqvguPPCbSzris8LfBWBPK
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3689) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (5427) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  4.exe
- Size
  
  2.5MB
- MD5
  
  079610302f0c449bb454fbd348326fa3
- SHA1
  
  35355d776ed07c193243e6eb24d45718a021b835
- SHA256
  
  e4249546f902dfcf2a13540b5e843f33e622937d89b081b9959257642bc9e661
- SHA512
  
  d9b0bf9bae684a18ced71feaa1ae6019eeab2f7af7008b5f040b730ef44d80e1e6d6b4aed03d75129e9f044b0a8e37bbc7861f4352052888e1836c443d5064e2
- SSDEEP
  
  49152:QgwR+ifu1DBgutBPN2q1dNnzbpz7Mwulf+qV8L77hpe3D04dtaa7X:QgwR+vguPP/7NzRMwulF8L/hpe3YM
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3681) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (4926) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral3 behavioral4