General
-
Target
221121-antabafb8z
-
Size
2.4MB
-
Sample
240226-r7bm2sgf94
-
MD5
3fcf77ffa0763350a1df45ab3b89f26a
-
SHA1
0431c506fb86f1813621bc0d09ba12389021cc6b
-
SHA256
08b82e2125b63ec97ed8fb9cbf829ca31935b8dfa2f67be4d686353570554281
-
SHA512
07568d02a3cddf5285cf3ea7ab4bc05fb3cc0739b4bd59c75bdf60f0950a52e4ecc2168f53d5f41031271716ecc8babd164e42007c1cdf9ba00e55124232b842
-
SSDEEP
49152:wgwREifu1DBgutBPNbPz0F3SMzx5QPdqGbHpIAxKof9X7PID/n3ZkIe:wgwREvguPPxzsfTe8GbHjkofeD/n2z
Malware Config
Targets
-
-
Target
221121-antabafb8z
-
Size
2.4MB
-
MD5
3fcf77ffa0763350a1df45ab3b89f26a
-
SHA1
0431c506fb86f1813621bc0d09ba12389021cc6b
-
SHA256
08b82e2125b63ec97ed8fb9cbf829ca31935b8dfa2f67be4d686353570554281
-
SHA512
07568d02a3cddf5285cf3ea7ab4bc05fb3cc0739b4bd59c75bdf60f0950a52e4ecc2168f53d5f41031271716ecc8babd164e42007c1cdf9ba00e55124232b842
-
SSDEEP
49152:wgwREifu1DBgutBPNbPz0F3SMzx5QPdqGbHpIAxKof9X7PID/n3ZkIe:wgwREvguPPxzsfTe8GbHjkofeD/n2z
Score10/10-
Detects Mimic ransomware
-
Mimic
Ransomware family was first exploited in the wild in 2022.
-
Modifies security service
-
UAC bypass
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Detects command variations typically used by ransomware
-
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware
-
Detects executables containing commands for clearing Windows Event Logs
-
Modifies boot configuration data using bcdedit
-
Renames multiple (210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
Uses wbadmin.exe to inhibit system recovery.
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Indicator Removal
1File Deletion
1Modify Registry
7