Analysis
max time kernel: 66s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2024 08:51
Static task: static1
Behavioral task: behavioral1
  Sample: mimicransomware_enc_infected.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: mimicransomware_enc_infected.exe
  Resource: win10v2004-20240419-en
General
Target: mimicransomware_enc_infected.exe
Size: 2.4MB
MD5: 2a613d677cc3e2991dcd954e9413c40c
SHA1: 26f49090585d31dca8dde83106c0a851f00f2f18
SHA256: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b
SHA512: b3edc9f56aa9c1f3685bb7e14d7dad27f23346bb1f21618acb3091c2031c1c5f48f77f375d97763b2da1b4658efd12a1147114bd65190b9f8c772d302d0f7a44
SSDEEP: 49152:I/oSNzCxuPz3v/EekOEQ5ZlC2WQcyDJFD6BaKAjB8eJMv+8KwXkZx+jau:I/oCCQv/EeJESlC2WbyDukrBDJMGXjG
Malware Config
Signatures
Detects Mimic ransomware 1 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023bb8-6.dat | family_mimic
Mimic
Ransomware family first observed in the wild in 2022.
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | encrypt.exe
Clears Windows event logs 1 TTPs 3 IoCs
pid | Process
3176 | wevtutil.exe
1600 | wevtutil.exe
3172 | wevtutil.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
4660 | bcdedit.exe
3980 | bcdedit.exe
Deletes System State backups
pid | Process
2240 | wbadmin.exe
Deletes backup catalog
pid | Process
1576 | wbadmin.exe
Sets file execution options in registry 2 TTPs 64 IoCs
All ioc paths below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (written as IFEO\ in the rows).
description | ioc | Process
Key created | IFEO\SearchIndexer.exe | encrypt.exe
Set value (str) | IFEO\CompatTelRunner.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\isqlplussvc.exe | encrypt.exe
Set value (str) | IFEO\node.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\QBDBMgr.exe | encrypt.exe
Set value (str) | IFEO\QBIDPService.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\dbsnmp.exe | encrypt.exe
Set value (str) | IFEO\RaccineSettings.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\sqlservrs.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\shutdown.exe | encrypt.exe
Set value (str) | IFEO\encsvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\ocomm.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\ocssd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\sqlservr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\fdhost.exe | encrypt.exe
Key created | IFEO\mysqld-opt.exe | encrypt.exe
Set value (str) | IFEO\tv_x64.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\shutdown.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\RaccineSettings.exe | encrypt.exe
Key created | IFEO\tbirdconfig.exe | encrypt.exe
Set value (str) | IFEO\TeamViewer_Service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\Creative Cloud.exe | encrypt.exe
Key created | IFEO\dbeng50.exe | encrypt.exe
Set value (str) | IFEO\MsDtSrvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\QBW32.exe | encrypt.exe
Key created | IFEO\Sysmon64.exe | encrypt.exe
Set value (str) | IFEO\wxServerView.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\SearchIndexer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\dbsnmp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\mysqld-nt.exe | encrypt.exe
Key created | IFEO\VeeamDeploymentSvc.exe | encrypt.exe
Key created | IFEO\sqlmangr.exe | encrypt.exe
Set value (str) | IFEO\VeeamDeploymentSvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\SearchProtocolHost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\perfmon.exe | encrypt.exe
Key created | IFEO\TeamViewer_Service.exe | encrypt.exe
Set value (str) | IFEO\xfssvccon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\sqlservrs.exe | encrypt.exe
Key created | IFEO\wsqmcons.exe | encrypt.exe
Key created | IFEO\node.exe | encrypt.exe
Set value (str) | IFEO\RaccineElevatedCfg.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\RAgui.exe | encrypt.exe
Key created | IFEO\sqlwriter.exe | encrypt.exe
Key created | IFEO\ocautoupds.exe | encrypt.exe
Set value (str) | IFEO\ocautoupds.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\tv_w32.exe | encrypt.exe
Key created | IFEO\tasklist.exe | encrypt.exe
Set value (str) | IFEO\wpython.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\wdswfsafe.exe | encrypt.exe
Set value (str) | IFEO\wdswfsafe.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\EnterpriseClient.exe | encrypt.exe
Set value (str) | IFEO\fbguard.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\MsDtSrvr.exe | encrypt.exe
Set value (str) | IFEO\oracle.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\SystemExplorer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\Creative Cloud.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\mydesktopqos.exe | encrypt.exe
Set value (str) | IFEO\java.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\sqbcoreservice.exe | encrypt.exe
Set value (str) | IFEO\Raccine.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\sqlagent.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | IFEO\Sysmon64.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | IFEO\SearchProtocolHost.exe | encrypt.exe
Key created | IFEO\fdlauncher.exe | encrypt.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | mimicransomware_enc_infected.exe
Executes dropped EXE 5 IoCs
pid | Process
1748 | encrypt.exe
5084 | encrypt.exe
1136 | encrypt.exe
4608 | encrypt.exe
4808 | encrypt.exe
Loads dropped DLL 5 IoCs
pid | Process
1748 | encrypt.exe
5084 | encrypt.exe
4608 | encrypt.exe
1136 | encrypt.exe
4808 | encrypt.exe
Modifies system executable filetype association 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open | encrypt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" " | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" | encrypt.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | encrypt.exe
File opened (read-only) | \??\I: | encrypt.exe
File opened (read-only) | \??\Q: | encrypt.exe
File opened (read-only) | \??\V: | encrypt.exe
File opened (read-only) | \??\W: | encrypt.exe
File opened (read-only) | \??\A: | encrypt.exe
File opened (read-only) | \??\L: | encrypt.exe
File opened (read-only) | \??\O: | encrypt.exe
File opened (read-only) | \??\Z: | encrypt.exe
File opened (read-only) | \??\B: | encrypt.exe
File opened (read-only) | \??\E: | encrypt.exe
File opened (read-only) | \??\J: | encrypt.exe
File opened (read-only) | \??\M: | encrypt.exe
File opened (read-only) | \??\S: | encrypt.exe
File opened (read-only) | \??\X: | encrypt.exe
File opened (read-only) | \??\G: | encrypt.exe
File opened (read-only) | \??\K: | encrypt.exe
File opened (read-only) | \??\N: | encrypt.exe
File opened (read-only) | \??\P: | encrypt.exe
File opened (read-only) | \??\R: | encrypt.exe
File opened (read-only) | \??\T: | encrypt.exe
File opened (read-only) | \??\U: | encrypt.exe
File opened (read-only) | \??\Y: | encrypt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Modifies registry class 11 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
216 | notepad.exe
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid | Process | entries (identical rows collapsed)
4608 | encrypt.exe | 2
4808 | encrypt.exe | 2
5084 | encrypt.exe | 34
Suspicious use of AdjustPrivilegeToken 64 IoCs
One row per process; the Token values are listed in the order logged.
PID 1748 encrypt.exe (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 5084 encrypt.exe (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 4608 encrypt.exe (16 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
pid | Process | wrote to memory of (PID) | procid_target | entries (identical rows collapsed)
4756 | mimicransomware_enc_infected.exe | 1748 | 86 | 3
1748 | encrypt.exe | 5084 | 90 | 3
5084 | encrypt.exe | 1136 | 91 | 3
5084 | encrypt.exe | 4808 | 92 | 3
5084 | encrypt.exe | 4608 | 93 | 3
5084 | encrypt.exe | 4648 | 106 | 2
5084 | encrypt.exe | 2784 | 107 | 2
5084 | encrypt.exe | 4568 | 108 | 2
5084 | encrypt.exe | 3636 | 109 | 2
5084 | encrypt.exe | 4616 | 111 | 2
5084 | encrypt.exe | 4312 | 112 | 2
5084 | encrypt.exe | 4420 | 113 | 2
5084 | encrypt.exe | 1060 | 114 | 2
5084 | encrypt.exe | 2312 | 115 | 2
5084 | encrypt.exe | 2708 | 116 | 2
5084 | encrypt.exe | 4912 | 117 | 2
5084 | encrypt.exe | 3956 | 118 | 2
5084 | encrypt.exe | 768 | 119 | 2
5084 | encrypt.exe | 3420 | 120 | 2
5084 | encrypt.exe | 1508 | 121 | 2
5084 | encrypt.exe | 3980 | 133 | 2
5084 | encrypt.exe | 4660 | 135 | 2
5084 | encrypt.exe | 2240 | 136 | 2
5084 | encrypt.exe | 1576 | 138 | 2
5084 | encrypt.exe | 216 | 139 | 3
5084 | encrypt.exe | 3172 | 140 | 3
5084 | encrypt.exe | 1600 | 142 | 3
5084 | encrypt.exe | 3176 | 143 | 2
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" | encrypt.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows depth in the process tree; each entry lists image path, command line, PID and the signatures it triggered)
C:\Users\Admin\AppData\Local\Temp\mimicransomware_enc_infected.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\mimicransomware_enc_infected.exe"
  PID: 4756
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\tempcrc\encrypt.exe
      command line: "C:\tempcrc\encrypt.exe"
      PID: 1748
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
          command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"
          PID: 5084
          - Modifies security service
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Enumerates connected drives
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
              command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 5084 -!
              PID: 1136
              - Executes dropped EXE
              - Loads dropped DLL
            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
              command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul1
              PID: 4808
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
              command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul2
              PID: 4608
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -H off
              PID: 4648
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              PID: 2784
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              PID: 4568
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              PID: 3636
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              PID: 4616
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              PID: 4312
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              PID: 4420
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              PID: 1060
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              PID: 2312
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              PID: 2708
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
              PID: 4912
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              PID: 3956
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
              PID: 768
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
              PID: 3420
            C:\Windows\SYSTEM32\powercfg.exe
              command line: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
              PID: 1508
            C:\Windows\SYSTEM32\bcdedit.exe
              command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
              PID: 3980
              - Modifies boot configuration data using bcdedit
            C:\Windows\SYSTEM32\bcdedit.exe
              command line: bcdedit.exe /set {default} recoveryenabled no
              PID: 4660
              - Modifies boot configuration data using bcdedit
            C:\Windows\SYSTEM32\wbadmin.exe
              command line: wbadmin.exe DELETE SYSTEMSTATEBACKUP
              PID: 2240
              - Deletes System State backups
            C:\Windows\SYSTEM32\wbadmin.exe
              command line: wbadmin.exe delete catalog -quiet
              PID: 1576
              - Deletes backup catalog
            C:\Windows\SysWOW64\notepad.exe
              command line: notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
              PID: 216
              - Opens file in notepad (likely ransom note)
            C:\Windows\SysWOW64\wevtutil.exe
              command line: wevtutil.exe cl security
              PID: 3172
              - Clears Windows event logs
            C:\Windows\SysWOW64\wevtutil.exe
              command line: wevtutil.exe cl system
              PID: 1600
              - Clears Windows event logs
            C:\Windows\SysWOW64\wevtutil.exe
              command line: wevtutil.exe cl application
              PID: 3176
              - Clears Windows event logs
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 1776
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 1204
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4824
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3880
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 1228
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3244
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3784
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 1696
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 2196
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4968
C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  PID: 4296
C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 3100
C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  PID: 2584
  - Checks SCSI registry key(s)
C:\Windows\System32\Systray.exe
  command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3564
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
Filesize: 32B
MD5: 914d2801f7a248aaaa55680738e967c5
SHA1: 46cff3c3b1ad9ec32443944dea4d24628ed5d263
SHA256: caf6eceb4014c25ae5d9ff9682516ed4cadd8bfe2f4b00c31a234a7b434164cf
SHA512: 9dc76fa827cde18bb4c5cef4a4b1285b019ab50fc19db30856e5e2091dfe0aa63531224a746adc73db83af9755d1401dec75dadbe63e55dec1d9507f2653cdcd

Filesize: 1KB
MD5: f21200504a90a180f60dc41ef7d9731f
SHA1: b07b7c5b0b24f177bc1cdcdaf4c38a991fbdbb24
SHA256: 07e731fb594f1a6e5724daa1e0e1733321f9ce35b7857c22d2b3bd72ab0fd7ab
SHA512: d579f8f9e9f6d1b908347661aa441672b000ce1ef42e61aaa5693528eb54f021a883d118e37086452a5a6fc61293e5f429c41e31b9a6035ddb6f6f65e9b87b3b

Filesize: 84KB
MD5: 3b03324537327811bbbaff4aafa4d75b
SHA1: 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
SHA256: 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
SHA512: ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

Filesize: 3.0MB
MD5: a48ee000e248741247c24dc70fa2f936
SHA1: 4c814fe7c94e6fb4d1d89cdae7e6e83905c459d7
SHA256: bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c
SHA512: 8bdd60732bf105b9ade5d4dbc5c722a866119e0a284692afc1bd5b530a4afc3954536a14946a87f72213c92020def2ac7b5c1cbcc51b6e0ad5671b7c58543f34