mimic

General

Target

B6871CEF458A765D51E3B0A1AE324E60.zip
Size

2.5MB
Sample

231121-bq33zaca4z
MD5

34384f1f053425ab5a5519f54ee6fbd6
SHA1

60170b39d31c21e7a66f96aa108f650f69323ffd
SHA256

8d7f545858b73164fcf5fc5d0553aecbe3c4ac81958bb58c3f8ca0ba80516607
SHA512

6b82fd25fb60391bd1fe55ea26adab1cc5a053492ddf6f72eaaca7a7157b7e86e54e5ad955ae8334f578b6df6b2d0f41aea98abf7bb5cbea61615ee27817acca
SSDEEP

49152:TrWTY55MrJsrk6FVwq7KX6TTUiEJsWGQVaOWWEooeQjRiYiR6:8d1+jVh7a6TTUiCs4V3io9Qjyc

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note

Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected] [email protected] [email protected]

Emails

dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected]

[email protected]

Targets

- Target
  
  B6871CEF458A765D51E3B0A1AE324E60
- Size
  
  2.5MB
- MD5
  
  b6871cef458a765d51e3b0a1ae324e60
- SHA1
  
  b62dda6efcc41ef4fdf6b3990b64ff54f08f2e56
- SHA256
  
  a5182257daef1abde3a971ed1c3d9c3bee6d74fa3d4b0bcb379e5a9dd57340ea
- SHA512
  
  b11376ecfba8c3b03afc03ac001619769b6e3284518b199413b0f0403a7e71a977337a11d2c5afd0f023141bf609df22b8a7dd3f91f7c198aba91387c4e76d7f
- SSDEEP
  
  49152:QgwRqifu1DBgutBPNeSGIB10SvOGbRrPas8L5pBWBm7dziiM:QgwRqvguPPCbSzris8LfBWBPp
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3689) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (5782) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2