mimic

General

Target

B6871CEF458A765D51E3B0A1AE324E60 (1).zip
Size

2.5MB
Sample

231122-b8e4vshf27
MD5

ad5c1319eef2de8a1790f14010641155
SHA1

335112a94108ca2204a90a58ca4900eb013b8ac5
SHA256

c5f1e6a32af790e5ef9acc548723410e3356d429d5f58be828e32beae31430ed
SHA512

06ebad7033a766cd6bc071b043b9a2573d41671ae03cd55723bfd97d2d3f64c8ebe593f14f971146d4315497ebed636464a243f39fdfc1dc4969a9bf74d0a4b8
SSDEEP

49152:U3eLQ+NDSuZzFFpOSb2ccunhXBUjgVOIP2NHGEgl3IYhNE1Wkh:U3xNuxFF0MrhXBUjgZXJpIh

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note

Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected] [email protected] [email protected]

Emails

dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected]

[email protected]

Targets

- Target
  
  B6871CEF458A765D51E3B0A1AE324E60
- Size
  
  2.5MB
- MD5
  
  b6871cef458a765d51e3b0a1ae324e60
- SHA1
  
  b62dda6efcc41ef4fdf6b3990b64ff54f08f2e56
- SHA256
  
  a5182257daef1abde3a971ed1c3d9c3bee6d74fa3d4b0bcb379e5a9dd57340ea
- SHA512
  
  b11376ecfba8c3b03afc03ac001619769b6e3284518b199413b0f0403a7e71a977337a11d2c5afd0f023141bf609df22b8a7dd3f91f7c198aba91387c4e76d7f
- SSDEEP
  
  49152:QgwRqifu1DBgutBPNeSGIB10SvOGbRrPas8L5pBWBm7dziiM:QgwRqvguPPCbSzris8LfBWBPp
Score

10^/10

mimic evasion persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3665) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (5399) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2